Contact-tracing app fails to protect privacy and human rights

Reassurances over the security and human rights implications of NHSX’s approach to developing its Covid-19 contact-tracing app are insufficient, says the cross-bench Human Rights Committee

The joint parliamentary Human Rights Committee’s inquiry into the human rights implications of the government’s response to Covid-19 has concluded that NHSX’s new contact-tracing app does not sufficiently safeguard fundamental privacy and human rights.

The committee said the app had not been subject to the in-depth parliamentary scrutiny applied when state powers of surveillance and data collection have been extended in the past, and that, given its significant and widespread implications, it should be re-examined by parliament as soon as possible.

“Assurances from ministers about privacy are not enough,” said committee chair Harriet Harman. “The government has given assurances about protection of privacy so they should have no objection to those assurances being enshrined in law.

“The contact tracing app involves unprecedented data gathering. There must be robust legal protection for individuals about what that data will be used for, who will have access to it and how it will be safeguarded from hacking,” she said.

“Parliament was able quickly to agree to give the government sweeping powers. It is perfectly possible for parliament to do the same for legislation to protect privacy.”

The app is currently in a beta trial phase on the Isle of Wight, where residents are being encouraged to download and use it. It works by logging the distance between devices using Bluetooth Low Energy, and stores a log of proximity information on the device, using a random number linked to that device.

Should a user develop Covid-19 symptoms, they can choose to push this information to a centralised server so that other users who have been near them can be informed. Much of the controversy over the app hinges on a debate over the centralised versus decentralised model. The UK is one of the few jurisdictions in the world to be pursuing a centralised model.

No reassurance

On Monday 4 May, the committee heard evidence from legal experts, NHSX head Matthew Gould, and information commissioner Elizabeth Denham, and Harman said she had not been reassured by their testimony.

In a newly published report, the committee outlined key actions it would like the government to take to ensure the app respects the human rights of its users, including the right to privacy, non-discrimination, and freedom of movement and association.

It said the app should not be released to the wider community unless such protections are in place, and a number of guarantees are made in several areas:

  • Efficacy and proportionality. The committee report concluded that without the app’s efficacy and benefits, the level of data collected would not be justifiable and would, therefore, contravene data protection and human rights legislation.
  • Primary legislation. It said that any data gathering by the contact-tracing app must be accompanied by guaranteed data and human rights protection through new primary legislation.
  • The committee called for the government to set up an independent body to oversee the use, effectiveness and privacy protections of the app and any data it generates. This group should include a new Digital Contact Tracing Human Rights Commissioner, responsible for oversight and empowered to deal with complaints and report back to parliament.
  • Regular reviews. The committee said the app must be reviewed every 21 days by the health secretary, considering the app’s efficacy, data safety, and how privacy is being protected.
  • Finally, the government and health authorities must be transparent when it comes to how the app and the data it generates are used.

In its conclusions, the committee stated that the amount of data the app requires cannot be justified unless the app meaningfully contributes to the fight against Covid-19, and the easing of the UK’s lockdown restrictions.

It said that digital contact tracing could only be effective if uptake was reasonably high, and there was no way this would happen unless users could be confident in privacy protections.

It also pointed out that interoperability with the systems used by other countries would impact its efficacy, particularly in Ireland, which has opted to use the decentralised model favoured by Apple and Google in the design of its app.

The UK’s divergence from this risks making it impossible for the two different apps to interoperate when moving between Northern Ireland and the Republic, in effect creating a contact tracing hard border.

Tom Chivers, digital privacy advocate at ProPrivacy, urged the government to change course on contact tracing. “While the UK government may have legitimate reasons for wanting to utilise a centralised data model for the NHSX contact-tracing app, I believe they are going to have to compromise on this if they are going to bring the public on-side and get the numbers they need for it to be effective,” he said.

“An app that tracks your location constantly, being fed into a centralised server for anyone else to see, is a massive privacy violation. The government and Matt Hancock have tried to dispel this by saying this information ‘stays on your phone’ until submitted by a user.

“This might be true, but when a user confirms they have symptoms, everyone they come into contact with is then alerted, the centralised server will know this,” said Chivers. “What then happens if these people continue to go about their day to day lives? Will they get a visit from the police?”

David Warburton, senior threat research evangelist at F5 Networks, an application services supplier, said the UK’s decision to pursue a centralised model put it at high risk of cyber attack by malicious nation state-linked threat actors.

“These databases, accessed via an API, are likely to be prime targets for opportunistic and nation-state threat actors,” said Warburton. “We frequently see data breaches resulting from open databases with weak authentication or vulnerable APIs. With over 30 different contact tracing systems planned around the world, it is probable some of these systems will be accidentally exposed or deliberately breached.

“A key principle of data protection is minimisation. In other words, not using more data than you need, and not keeping it for longer than the task requires. Having said that, the reality is that the collected data is often stored much longer than needed,” he added.