The British will not be able to ask NHS administrators to remove their COVID 19 tracking data from government servers, Matthew Gould, head of NHSX digital processing, who was admitted to the MEPs this afternoon.
Gould also told the Parliamentary Human Rights Commission that the data collected by the British through the NHSX contact tracing request (COVID-19) is being passed under a pseudonym – and it seems to leave the door open for the data to be sold for investigation.
The Government Contact Search application will be launched in the UK this week. The demonstration the Registry has seen has shown its main consumer-oriented functions. The button is a large green button that the user presses to send the NHS contact data within 28 days.
A screenshot of the NHSX COVID-19 application for contact tracing … Click to enlarge
The UK contact tracing application, written by the Tech-Arm NHSX, breaks the international convention by opting for a centralised data collection model rather than storing data on users’ phones and only locally.
In response to questions from nationalist MP Joanna Cherry this afternoon, Mr Gould told members that the data can be deleted as long as it is on your own device. After downloading, all data will be deleted or made completely anonymous in accordance with legal requirements, so that they can be used for research purposes.
The de-anonymisation of these data was successfully demonstrated in 2015, as we indicated at the time.
Although Gould said that the NHSX application will automatically remove contact information that is not uploaded to government servers, he explained:
The registry assumes that the application has been completed and tested, and the previously announced process on the Isle of Wight will begin in the second half of this week.
Before the same committee, Information Commissioner Elizabeth Denham told Members of the European Parliament that her office had not signed the annex. Although she had been extensively questioned about her reversible claims that decentralized systems should be the starting point for contact tracing, she had said this afternoon that she wanted the ICO to be a critical friend of the NHSX.
Danham added that if enough people complain about the application, NHSX has authorised the Office of the Information Commissioner to carry out a voluntary review of the application and systems – where necessary. She shrugged her shoulders: The functionality of the application depends on the government. It is not for me to decide, but for me to advise on how to mitigate some of these potential risks.
Seems fine, according to GCHQ branch.
The National Cyber Security Center is also closed to protect the NHSX. Technician Ian Levy told the world late at night in a blog post that there was nothing to worry about, because smart people have invested in a watch to make sure it is safe enough.
He explained how aliasing works in an application that starts with the 128-bit unique identifier generated after installation:
Each time your phone accesses another application user’s phone, the date and time, BLE package, signal strength selection and total meeting time are safely stored on your own mobile device. Then you put a big green button to send all this data to the NHS for research.
If you are the victim of COVID-19 and you tell the application that you are sick, the application will upload an anonymous report of your proximity events to the NHS server. From each encrypted block stored on the server, you can retrieve a fixed but anonymous installation ID for each device you were close to.
Due to the large performance differences between the different low-power Bluetooth chipsets of different phones, this data – together with the phone model ID collected by the application – is used to develop a rough proxy over a distance.
Levy completed his very readable blog post (available on the NCSC website) and urged the British to install and use the application. In addition to public health issues, El-Reg suspects that the date of entry into force of the Regulation will be an important moment to see how much public confidence the public currently has in government and the public service. ®
Webcast : Build a new generation of your business in the public cloud.