BCS, The Chartered Institute for IT has called for a cautious approach to any expansion of functions on the newly released NHS Covid-19 tracing app for England and Wales.
It has responded to indications from one of the companies involved in the development that a personalised risk score for users was being worked, based on how many Bluetooth hits their device received from others with the app.
The app has been released for use around England and Wales with a call from the Government for as many people as possible to download it onto their smartphones.
Wolfgang Emmerich, chief executive, of Zuhlke Engineering, said this could help people to “get a feel for how risky a life they lead”.
BCS has highlighted comments from Adam Smith, chair of its Software Testing Group, expressing alarm.
He said that, while the app is safe to use in its present form, the use of algorithms for risk scoring could be inaccurate and have unintended side effects, and that it raises fresh concerns around data security.
“Some data is being stored unencrypted locally. This isn't of great concern as it appears to be just system configuration data, with the sensitive data being stored by Google and Apple.
“However, as the functionality is expanded to include things like personal risk scores, this needs to be encrypted, and I'm keen to see this isn't passed to the developer's servers to establish a centralised tracking system by the backdoor.
“There are security issues with using Bluetooth in this way, it remains possible for attackers to manipulate the behaviour of the system to given incorrect information to users, however this has been made more challenging through various means.”
Code in public
He continued: “The developers, along with Google/Apple have done a pretty good job in that the application hangs together and has no immediately apparent high risk flaws. I'm pleased to see the code in the public domain, so experts can study it and identify issues, as BCS recommended.
“The QR code functionality would have been a great way to provide exposure notification functionality for users of older phones. It is not clear why people need to have the latest iOS release in order to take pictures of QR codes.”
Smith added: “Given the significant personal effect of a false positive or negative, the developers should publish their test results, including the false positive and negative rates at different distances.”
BCS has called for a campaign to increase public confidence in IT, supported by open and ethical data governance, to encourage widespread take-up of the app.
The National Cyber Security Centre has updated its guidance on the core functionality of the app, provided technical details on GitHub, and asked anyone detecting a security issue to report it.
Image from NSC, Open Government Licence v3.0
