Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

The UK’s coronavirus tracing app: everything you need to know

The UK government hopes the app will provide some of the necessary data for accurately tracking COVID-19.

The UK government has launched a coronavirus tracing app in the hopes of tracking the spread of COVID-19.

Announced on Monday at the government's daily coronavirus briefing, the "NHS COVID-19 app" has been developed by NHSX, the technology arm of the UK's National Health Service (NHS). 

Here's everything you need to know.

Is the app available across the UK?

The app is now available in a pilot program on the Isle of Wight, an island close to the mainland with roughly 140,000 residents. 

According to the government, the "test, track and trace" app can be downloaded by anyone on the Isle of Wight from 4pm BST on 5 May. The island was picked as there is one NHS trust that covers all NHS services over the area.

Health and Social Care Secretary Matt Hancock said the trial "will pave the way for a nationwide rollout when the time is right."

What does the mobile app do?

The NHS COVID-19 app will attempt to automate contact tracing.

NHSX says the goal is to "reduce the transmission of the virus by alerting people who may have been exposed to the infection so they can take action to protect themselves, the people they care about and the NHS." 

In theory, the app will alert users when they have been in contact with a suspected case of COVID-19, potentially prompting others to self-isolate quickly and reduce the risk of further transmission. Users can also report their own symptoms.

However, it has to be kept in mind that it is not yet known if such apps actually benefit us. There is also the possibility of false positives, such as when people are close -- but separated by walls or PPE -- and the app could give some a false sense of security.

How does the NHS COVID-19 app work?

The app is downloaded on compatible iOS and Android devices. A range of older models have been included.

Once installed, the app assigns the device an installation ID, records the model of your phone, and asks for a set of permissions: the ability to access Bluetooth and to send you push notifications.

Users are then asked to input the first section of their postcode.

Devices with the app installed perform a handshake over Bluetooth which exchanges IDs, time, and an encrypted blob that is randomized on a daily basis. The app also records proximity, which the developers have chosen to base on signal strength. 

If nothing else happens, this information is deleted after 28 days. 

If you experience symptoms, you are asked to input them into the app, as well as the time they started. These include a high temperature and the existence of a new, continuous cough. This data is then relayed to an NHS server. 

Then, the below steps are taken, as per the UK's National Cyber Security Centre (NCSC): 

  • You get a clinical test and test negative. In this case, your contacts are told that it was a false notification.
  • You get a clinical test and test positive. In this case, your contacts are asked to isolate for 14 days, and get them into the clinical testing path.
  • You don't get a test, but too few of your contacts report symptoms to statistically suggest that you were probably infectious. Your contacts are told they don't need to continue to isolate.
  • You don't get a test, but enough of your contacts report symptoms to statistically suggest that you were probably infectious. Your contacts are told they need to continue to isolate.

The app uses Bluetooth to trace your contacts and location and, therefore, Bluetooth must always be on for the app to operate effectively. With the app running in the background there will likely be an additional battery drain. 

The NHS COVID-19 app and its associated data can be deleted at any time. 

Do I have to download it?

Downloading the app is voluntary, at least for now. Only Isle of Wight residents have access to the application at present, although it is likely the UK government will want to roll out the system nationwide at the earliest opportunity.

What about the elderly and others more likely to be without a mobile phone? 

This is a challenge that is yet to be tackled. At present, groups without access to digital tools will likely have to rely on traditional virology and swab testing. If a vulnerable person is cared for, however, by someone who does have a mobile device and has been alerted to possible contact with a coronavirus case, the message could be passed on via more traditional methods. 

Where does the data go? How will my privacy be protected?

The app uses Bluetooth Low Energy (BLE) technology to register other smartphones -- also with the software enabled -- that the device has come into proximity with over the last few days. 

The application logs these encounters and information is stored on the user's device. If a user registers themselves as symptomatic, an alert is blasted out to smartphones registered in the contact log -- as well as to the NHS central system.

According to the NCSC:

"The server can recover the fixed but anonymous installation ID for each device you were near. The system then takes that the contact events were 'authentic' and then takes the transmit power and received signal strengths that each proximity event produced (these are broadly representative of physical distance), and runs those through a sophisticated risk model to work out the encounters that are high risk from a virus transmission point of view."

NHSX insists that security and privacy were prioritized at every stage of development. However, this is where the argument between centralized and decentralized data collection models comes in.

Decentralized models keep any Bluetooth-based tracing information or logs privately stored on a user's device. Data is not given to authorities, such as government departments or health services. Centralized models can transfer information off a device, which is stored elsewhere. 
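The centralized property the NCSC describes, as an added sketch in Python (not NHSX or NCSC code): nearby phones see a blob that changes daily, while the key holder maps every blob back to one fixed installation ID and can link encounters across days. The HMAC-derived XOR keystream is a toy stand-in for the app's encryption, which the article does not specify; all function names, keys, IDs and sightings are constructed.

```python
import hashlib, hmac, os
from datetime import date, timedelta

RETENTION_DAYS = 28  # the article's stated on-device retention period
NONCE_LEN = 8

def _keystream(server_key, day, nonce):
    # Toy keystream (assumption); a real design would encrypt to a server public key.
    return hmac.new(server_key, day.isoformat().encode() + nonce, hashlib.sha256).digest()

def daily_blob(server_key, installation_id, day):
    """Blob broadcast for one day: fresh nonce, so it differs from day to day."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(server_key, day, nonce)
    return nonce + bytes(a ^ b for a, b in zip(installation_id, ks))

def server_recover_id(server_key, blob, day):
    """Only the key holder (the central server) can undo the blob."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(server_key, day, nonce)))

def purge(log, today):
    """Drop contact events that have reached the retention limit."""
    return [e for e in log if (today - e["day"]).days < RETENTION_DAYS]

def server_link(server_key, uploaded_log):
    """Group uploaded events by the fixed installation ID behind each blob."""
    linked = {}
    for e in uploaded_log:
        iid = server_recover_id(server_key, e["blob"], e["day"])
        linked.setdefault(iid, []).append((e["day"], e["rssi"]))
    return linked

def demo():
    server_key, peer_id = os.urandom(32), os.urandom(16)  # constructed values
    today = date(2020, 5, 5)
    log = []
    for age, rssi in [(30, -60), (2, -55), (1, -80)]:  # constructed sightings
        day = today - timedelta(days=age)
        log.append({"day": day, "blob": daily_blob(server_key, peer_id, day), "rssi": rssi})
    kept = purge(log, today)  # the 30-day-old sighting is dropped
    blobs_differ = kept[0]["blob"] != kept[1]["blob"]
    return len(kept), blobs_differ, server_link(server_key, kept) == {
        peer_id: [(today - timedelta(days=2), -55), (today - timedelta(days=1), -80)]}

if __name__ == "__main__":
    print(demo())
```

In a decentralized design the `server_link` step has no equivalent, because the log never leaves the handset in a form the server can map to a fixed ID.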

In the case of the NHS COVID-19 app, the NCSC says that a centralized model has been adopted, in which user reports of symptoms will be given to the NHS, alongside "anonymous contacts," as well as duration and proximity of contact. 

The agency says this model is required for valid risk modeling and to trace infections, including those known as 'super spreaders.' In addition, information is anonymized, but as proven before, anonymity is not a cast-iron guarantee that users cannot be unmasked.

Exact GPS locations are not collected. However, the agency has been careful about wording when it comes to explaining the privacy and security ramifications of the app, saying "the design makes sure that it's hard to use the app to track you by being physically close to you -- although there are balances to be struck."

"The back end is built to be as secure as is practical, but remember it holds only anonymous data and communicates out to other NHS systems through privacy-preserving gateways, so data in the app data can't be linked to other data the NHS holds," the NCSC added. 

This is not the approach every government has taken. Germany, for example, has ditched the idea of a homebrew coronavirus tracing app for a decentralized alternative working through Apple and Google's approaches. 

The NCSC says that "the app has to meet those medical needs first, and any technical, security and privacy issues must be balanced against these primary medical needs."

In other words, tracing first, security second. 

Given the rush to deploy the app, it could be argued security has fallen by the wayside. Reports suggest that the software is not secure enough to be included in the NHS app library, as it has failed "cybersecurity, performance, and clinical safety" tests. 

It is, therefore, up to users to decide whether the potential tradeoff, security and individual privacy, is an important enough factor to feature in the decision of whether or not to install NHS COVID-19. 

Joshua Berry, Associate Principal Security Consultant at Synopsys, commented:

"If someone does not feel comfortable with a positive diagnosis being known publicly, they should understand that these applications could expose some details about when and where they have been in the recent past with other users of the system. Even if a contact tracing application does not collect and share GPS location data, this data could be shared with other people as part of the contact tracing process. If governments would like for people to opt into such applications, they should address these concerns."

Is a mobile tracing system enough to fight COVID-19?

No single intervention or mobile solution is anywhere near enough. 

The app has to work in tandem with traditional methods of tracing, and the UK government has been roundly criticized for weeks for not reaching the same daily testing methods as other countries, such as Germany.

While an official testing capacity of 100,000 was achieved -- at least briefly -- tests that had been posted but not performed were included in this figure. 

"We managed to hit 100,000 with some help from postage," said Labour leader Keir Starmer on This Morning on Tuesday. "What we now need is more testing for anyone with symptoms and anyone who has come into contact with them."

Physical, traditional swab testing must be linked to the app's usage, or the ability to track the virus and its movement throughout the population will be based on incomplete and inaccurate data. While users could self-report symptoms, not everyone is symptomatic, and signs of illness may not be caused by COVID-19. 

The UK government has promised the recruitment of 18,000 additional contact tracers to support the Isle of Wight pilot.

The app's success also relies on a substantial portion of the population downloading the software. There is no guarantee of high adoption rates in the UK and other countries have demonstrated that mobile contact tracing can fail.

In Singapore, for example, only 20% of the population downloaded a local tracing app, which equates to roughly 4% of contacts being traced across the entire population.
