Tag: COVID-19

A couple of days since the launch of the NHS test and trace app and it continues to be in the news.

The BBC’s Rory Cellan-Jones has written an article that the abandoned initial app ‘worked on more phones.’ True, perhaps, but there is a balance between accuracy and privacy. Plenty of people don’t want to download the new app that uses the Exposure Notification API. How many would want to download one that collected information centrally as the original one did?

The complaint today is that you can’t acknowledge a test from the NHS or Public Health England (pillar 1 tests), only from the private (‘Nightingale’) testing centres — the pillar 2 tests.

In contrast, on Wednesday people were expecting it to be very easy to enter a false positive test into the app and cause a barrage of unneeded messages to isolate.

To avoid the latter, you need some way to authenticate a test result.

Now, I don’t know what has gone on behind the scenes, but I can easily see why it might be easier to set up a regime at the private labs working under contract than it is for the “on demand” tests being performed in the NHS.

The pillar 2 tests that can be entered into the app account for two-thirds of the testing capacity, so whilst it is essential to get a way of entering the pillar 1 tests into the app (and even the pillar 4 statistical tests), this does not make the app useless.

I’d love to hear what the plans are for getting the pillar 1 and 4 tests into the app, but I can see how we got here, and I’d tend to think it is more likely to be because it hasn’t been possible to get the logistics co-ordinated in time rather than the commercial conspiracy theories that are doing the rounds.

Update (ironically from the correspondent mentioned above):

Department of Health promises fix for issue with entering test results from some labs. pic.twitter.com/NpoqRU6jO2

— Rory Cellan-Jones (@ruskin147) September 26, 2020

A couple of weeks ago, I described why I would probably feel safe installing the NHS Test and Trace app which went live today.

Reader, I installed it.

I’ve spent a bit of time today listening to people that have concerns with the app. All of these boil down to “we don’t trust the government.” Trust has been so eroded by the actions of Cummings et al, that people are justifiably distrustful of an NHS/government app.

That’s fine, I don’t trust the government either, but let me try to explain why in this case it doesn’t matter.

It uses the Apple/Google Exposure Notification API, which means that the app must abide by certain rules before it is allowed on the App Stores, and that includes not being able to track your location. If it doesn’t obey those rules, it doesn’t get put on the App Store.

One of the key points to stress is that all the hard work is done on your phone, and not uploaded to NHS servers. The QR codes you scan to ‘check in’ to a venue are only stored on your phone — and mean you don’t have to hand your personal details over to the venue instead.

There is a detailed privacy policy, including a summary and an ‘easy read’ version

• https://www.gov.uk/…/nhs-covid-19-app-privacy-information

The source code is available for all to see (and you can be sure lots of people are looking at it):

• https://github.com/nhsx/covid19-app-system-public
• https://github.com/nhsx/covid-19-app-android-ag-public
• https://github.com/nhsx/covid-19-app-ios-ag-public

There is a method to disclose vulnerabilities:

• https://hackerone.com/nhscovid19app?type=team

Concerns have been raised about the requirement for a relatively new smartphone. This is true, it requires iOS 13.5 or newer, or Android 6 or newer. An iPhone 6 will not support it, even though they were being sold up until September 2018, but the iPhone 6s (which was launched one year later, but discontinued at the same time as the 6) will support it. My Samsung Galaxy S7 released in 2016 (running Android 8) does support it.

The reason for this is not the NHS, it’s the operating systems that support the Exposure Notification API, and the privacy strength of the app comes from using that instead of the original plan for an app developed entirely in-house.

It is perfect? I doubt it. For a start, you need to be in proximity to someone for 15 minutes who later tests positive for it to count as a ‘high risk encounter.’ Is it better than writing your contact details in a book? I think so.