There's a gaping flaw with the UK's COVID-19 contact-tracing app — many security experts seem unsure that it will actually work


NHS contact tracing app 1

  • The UK has begun trialling its contact-tracing app, which it says will help monitor the COVID-19 outbreak and potentially ease the nation out of lockdown.
  • Controversially, the app does not currently use a dedicated contact-tracing API created by Apple and Google — and that raises questions about its privacy, security, and functionality.
  • A key concern is that the app won’t work properly.
  • The app relies on Bluetooth signals that trigger “proximity events”, and experts say it probably won’t work on newer iPhones and Android devices.
  • The confusion is compounded by the fact that the NHS, the government, and other players have not been fully transparent about the app.
  • Visit Business Insider’s homepage for more stories.

The UK is set to roll out a contact-tracing app that the government claims will help monitor the COVID-19 outbreak and potentially ease the nation out of lockdown.

But experts have identified a glaring error — the app may not work.

Their concerns round out a month-long saga about how exactly the UK has gone about building its contact-tracing app versus other countries.

This week the UK government announced it was launching the long-awaited trial of its COVID-19 contact-tracing app on the Isle of Wight. It’s the first time the public will see the app functioning in the wild, and the idea is it’ll roll out more widely after the trial.

This is how the app will work.

If you download the NHS app, your phone will be assigned a numerical ID, a kind of persistent pseudonym. The app will ask for the first half of your postcode, and will record what phone model you have.

The app will then generate a random ID on a daily basis, which will ping out via Bluetooth to nearby phones which also have the app installed. As you walk around, the NHS app will constantly ping out this ID and listen out for similar IDs from other phones that have the app. This is a method of preserving your identity from other people. When your app perceives that someone else with the app is nearby, this is recorded as a “proximity event.”

In other words, you were close to someone who also uses the NHS app.

NHS app

If you develop coronavirus-like symptoms or test positive, you can then report it in the app. The app will scan through your log of proximity events, alert the NHS, and the NHS will then analyse the information and ping out notifications to anyone who was close to you over the last 14 days and deemed to be at risk.

At that point the data of the uploader and everyone who received a notification gets uploaded to an NHS server.

The app relies on Bluetooth and there are lots of issues and restrictions

Using these Bluetooth signals to generate proximity data, rather than using something like GPS to monitor a person’s location, is one way of negating the potential for de-anonymization or surveillance of users.

However, the way the NHS has decided to build its app may mean the Bluetooth signals don’t work as intended.

The UK has decided to reject the specialized contact-tracing API put out by Apple and Google as the basis for its app, and instead decided to pursue its own course. It wants to use a “centralized” model, rather than a “decentralized” one. A centralized model, which is less privacy-friendly, is incompatible with the approach dictated by the tech giants.

The UK opted for its own approach so it could study the app data more closely on a centralized server. It doesn’t mean the UK is spying on people, but officials have suggested they want to use the app data for different purposes beyond pure contact-tracing.

That locks it out of the Apple-Google system.

woman wears mask central london coronavirus

Without using Apple and Google’s API, the NHS has to contend with the fact that on iPhones and newer Android phones, it is usually impossible to build an app that would constantly ping out Bluetooth signals while it is not running on your screen and is just in the background.

For apps that run on the Apple-Google API, the tech giants are making an exception.

Here’s what the UK’s stance probably means in practice.

Person A owns an iPhone, and downloads the app. Person A goes outside but keeps their phone in their pocket and the app closed. They have a socially-distant chat with person B, who also has the app installed on their iPhone but not actually open on their screen. Because the NHS app cannot emit Bluetooth signals while it is running in the background — ie not actually displaying on the screen — it doesn’t detect that this contact has happened. If person B subsequently reports coronavirus symptoms, person A might never know.

This somewhat undermines the purposes of the app.

iPhone apps do continue to receive Bluetooth signals while running in the background, so it could still spot a nearby Android phone if it’s an older model. But it’s still a problem in the UK, where most smartphone owners use iPhones.

As cybersecurity expert Michael Veale tweeted: “The takeaway: Two people who have their iPhones locked in their pockets will not register as contacts with each other. A room of people with iPhones locked in their pockets will not register with each other unless someone with an Android is in the room.”

Veale says the NHS could have avoided this headache if it used a decentralized system, and hadn’t decided it might want people’s information for research purposes beyond contact-tracing.

“This is not a problem in a decentralized system, which uses access to Apple’s background Bluetooth that only needs functionality for local matching, not for uploading contacts to a centralized server for later analysis and potential re-use,” Veale said in an email to Business Insider.

The NHS says its app does work but no one understands how

Matt Hancock

The NHS has said it has figured out a way to make the app wake up “sufficiently well” when running in the background, but exactly how it has cobbled together this functionality remains a mystery. While the NHS has released technical documentation, it hasn’t explained its workaround.

The Register pointed to technical documentation from Apple and Google that clearly indicates that it couldn’t work.

Whatever the UK has managed to do is probably some kind of workaround, according to professor Alan Woodward, a cybersecurity expert at the University of Surrey.

“It’s probably possible to use some sort of wakeup mechanism to ensure the app isn’t always in the foreground but is still listening,” he told Business Insider. “I wouldn’t say UK have hacked the Bluetooth in any way, but are probably using it in ways that it wasn’t originally intended to be used but they have found ways to do it … I guess a bigger question is if the UK are reliant on these ways of using Bluetooth, when Apple and Google see what they have done, will they make changes that might prevent it.”

A source closed to the NCSC, the UK’s cybersecurity agency which advised on the app, told Business Insider that the Isle of Wight app trial was partly about testing whether the app would work at scale, including its Bluetooth workaround. If necessary, the person added, the app may be altered.

The person added that the NCSC would likely publish a more detailed explanation, as well as the app’s source code, this week.

The read here is that officials are giving themselves space to change tack, and maybe even rebuild the app from scratch, if it doesn’t work properly.

Apart from whether the app actually works, experts are worried about its privacy and efficacy

NHS contact tracing app 2

Even if the NHS’s contact-tracing app resolves these issues, questions over its security and efficacy persist. A group of 177 cybersecurity experts wrote an open letter to the government last week warning that the system used by the NHS could risk users being de-anonymized, or even being used for mass surveillance once the coronavirus pandemic has subsided.

The other issue is around getting enough people to actually download the app for it to be effective in helping the government curb the spread of the virus. Experts have reportedly advised the NHS that the app would need to be downloaded by roughly 56% of the population, equating to 80% of smartphone users.

During a hearing with the UK’s Human Rights Committee, NHSX CEO Matthew Gould said that a download rate of between 40% and 50% will mean the app can make a “big difference.”

Alan Woodward also thinks the problems with using Bluetooth could be much broader, saying Bluetooth is a “notoriously poor proxy for distance.”

“Perversely I think the UK may understand the Bluetooth issues more than many others. It will require a large amount of testing to gather the required calibration data,” he said.

The government’s trial run on the Isle of Wight will have a lot to answer for.

SEE ALSO: 170 cybersecurity experts warn that British government’s contact tracing app could be used to surveil people even after coronavirus has gone

Join the conversation about this story »

NOW WATCH: Why Pikes Peak is the most dangerous racetrack in America