Security experts warn: Don't let contact-tracing app lead to surveillance

Joint letter by over 170 of the UK's top researchers and scientists voices privacy and security concerns over 'mission creep' on government plans for using smartphones to trace and combat coronavirus.
Written by Danny Palmer, Senior Writer

More than 170 UK researchers and scientists working in information security and privacy have signed a joint statement about their concerns over NHS plans to use a contact-tracing app to help contain the coronavirus outbreak, warning that the government must not create a tool that could be used for the purposes of surveillance.

The letter, signed by some of the top academics in cybersecurity at some of the most prestigious universities in the country, urges that any digital solution for helping the fight against COVID-19 should be analysed by security and privacy specialists.

It comes after the NHS and the government rejected a joint approach put forward by Apple and Google to help trace the spread of the virus, instead choosing to develop a separate tool for the UK.


However, the centralised approach to building an application to monitor contact tracing with the aid of Bluetooth technology has been met with concerns over privacy and medical confidentiality.

Some of the key concerns are around potential de-anonymised information about people diagnosed with coronavirus – as well as anyone they've come into contact with – being stored in a central database and the potential ability, via mission creep, to turn it into a form of surveillance.

"It is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance," the letter said.

The statement points to concerns that the data could be used to trace the people someone has been in contact with – something which, in the wrong hands, could be highly detrimental to privacy.

"Such invasive information can include the 'social graph' of who someone has physically met over a period of time. With access to the social graph, a bad actor (state, private sector, or hacker) could spy on citizens' real-world activities," said the letter, adding: "We are particularly unnerved by a declaration that such a social graph is indeed aimed for by NHSX."

The government has said all of the data analysed and stored in the fight against coronavirus will be deleted when it's no longer required.

"Users of the app will remain anonymous up to the point where they volunteer their own details, and there will be no database that allows the de-anonymisation of users," an NHSX spokesperson told ZDNet.

"We will publish the data protection agreements in due course, and we will close down the app once the threat from the pandemic has passed, with any data users have chosen to share deleted at that point and some retained for research purposes, subject to legal and ethical considerations, to better understand the virus."

And while the 170 academics understand the idea of a contact-tracing app is to help get people through the coronavirus crisis, they urge that it has to be done with data protection in mind by collecting the minimum amount of data necessary to achieve the objective of the app.


The joint statement calls for NHSX to, as a minimum, publicly commit "there will not be a database or databases, regardless of what controls are put in place, that would allow de-anonymization of users of its system, other than those self reporting as infected" to avoid it being built into social graphs or a surveillance tool.

"Finally, we are asking NHSX how it plans to phase out the application after the pandemic has passed to prevent mission creep," it said.

