A COVID-19 contact-tracing app to be rolled out by the UK’s National Health Service (NHS) has been thrust into the spotlight thanks to sensitive documents being leaked via a public Google Drive link.
Contact tracing has emerged as a top idea for dealing with the coronavirus pandemic and is considered by many to be an important step towards reopening economies worldwide. However, with several initiatives underway to use mobile phone apps to carry it out, privacy concerns have come to the forefront.
The NHS app is no exception, with detractors concerned about how the information it collects could be used. The leaked NHS documents, reported by Wired, show that the officials behind the initiative are also concerned — specifically about how unverified information could be used.
The docs show that roadmap features for the app include the ability for people to upload their health “status” on a self-reporting basis, with options that could include: quarantine, self-isolating, social distancing, shielding and none. Future plans also indicate the integration of granular location data; and, future versions of the app could also “collect self-reported data from the public like post code, demographic information and co-location status to enable more effective resource planning for NHS,” the documents reveal.
Because the information would be self-reported, the data collected by the app could include unverified diagnoses – and could be open to abuse or lead to unjustified “public panic,” according to the documents reviewed by Wired.
“The fundamental issues for me that need to be addressed are transparency and building in privacy to any technology solution or approach from the outset. In other words, privacy by design,” Steve Durbin, managing director of the Information Security Forum, told Threatpost. “The notion of only storing data for as long as you need it and protecting it at all stages of the information life-cycle will strike a chord with information security professionals around the world who for many years have been adopting this mantra to safeguard private data.”
The documents were laid bare thanks to a public link to a Google Drive. The NHS moved to rectify the misconfiguration after being alerted by Wired.