Claims that GCHQ-advised coronavirus track and trace app has security and privacy flaws

GCHQ cyber defence
Tom Coburg

The NHS has opted for a version of the coronavirus (Covid-19) track and trace app that reportedly has in-built security flaws that could seriously impinge upon personal privacy. It’s also understood that the spy agency GCHQ has a hand in its development.

Centralised model

The BBC has reported that the NHS has rejected the Apple-Google coronavirus track and trace app and instead opted for a different, ‘centralised’ model. According to the BBC, one advantage of this model would mean that the app would work whether or not it is active and on-screen. This model means that the matching process is via a computer server.

However, the BBC reports that Apple and Google argue such a model will enable hackers to “use the computer server logs to track specific individuals and identify their social interactions”.

How it will work

Apple Insider comments:

Unlike the Apple/Google partnership, the NHS’s app will see iPhones and Android phones continually reporting to a central database maintained by the British government.

Apple Insider further explains that the app from NHS digital innovation department NHSX:

will log when any two devices are close enough together for longer than an unspecified amount of time, and relay that information to the central database.

The NHSX app will use bluetooth technology, which according to Business Insider:

normally isn’t permitted to run in the background on iOS. For example, Singapore’s Bluetooth-based TraceTogether app reportedly requires the user to leave their phone unlocked to work properly — a privacy risk and a battery drain.

However, Privacy International argues that while in its view bluetooth technology is “less intrusive”, unless the app is widely used it can be ineffective:

[The Big Data Institute estimates] that over 60 per cent of the UK’s population would have to be using the app for digital contact tracing to reach enough people as they become infected. It is also essential, in their view, that people identified by the contact tracing app be promptly tested. This may require a significantly higher rate of testing that we’ve so far seen in the UK.

Joining the dots

According to Wired, NHSX is working with Faculty, a private company that the Guardian understands is a partner with the controversial US data firm Palantir.

Techcrunch further confirms that Palantir, together with Google and Microsoft, is providing the NHS with “COVID-19 data analysis through the company’s Foundry software”.

Palantir is owned by Peter Thiel and is one of the biggest data intelligence companies in the world. Previously The Canary reported that Palantir:

was awarded contracts to handle vast data sets on UK citizens for British spy agency GCHQ. The company also helped develop an aid for the spyware XKEYSCORE programme. And a 2010 presentation on the joint NSA-GCHQ ‘Mastering the Internet‘ surveillance programme recommended running Palantir software on Android handsets (smartphones and tablets). Palantir was also used as part of a GCHQ project which sought to improve the agency’s ability to collect tweets, blog posts and news articles.

The BBC also reports that the National Cyber Security Centre (NCSC), a division of GCHQ, is advising NHSX in the development of the UK app. In other words, there appears to be a direct connection between GCHQ, the NHSX app project, and the Palantir-led data analysis project.

Other experiences

Palantir was also in talks with the New Zealand government to see how it could assist with its coronavirus technologies, although nothing has happened yet on that front.

In Australia, there are also concerns about security regarding its COVIDsafe app. According to Engadget:

The storage of contact data (including names, phone numbers and postcodes) beyond a device makes it theoretically possible to abuse that info, or for an intruder to access it.

The BBC reports, too, that France has adopted a similar model to the NHS app, provoking criticism from computer security experts.

Safeguards

Privacy International has warned of the need for safeguards:

As with everything we’re seeing in the age of Covid-19, we must be highly aware of the limitations of the choices we are offered. It is also important that technical and legal safeguards around the processing and storage of data — especially when those data can be used for deanonymisation — are not bypassed or ignored in the rush to deploy technology, however well-meaning or indeed vital it may be.

Indeed, to engage the support of the public, governments need to get the technology right and with the right safeguards.

Featured image supplied

We need your help ...

The coronavirus pandemic is changing our world, fast. And we will do all we can to keep bringing you news and analysis throughout. But we are worried about maintaining enough income to pay our staff and minimal overheads.

Now, more than ever, we need a vibrant, independent media that holds the government to account and calls it out when it puts vested economic interests above human lives. We need a media that shows solidarity with the people most affected by the crisis – and one that can help to build a world based on collaboration and compassion.

We have been fighting against an establishment that is trying to shut us down. And like most independent media, we don’t have the deep pockets of investors to call on to bail us out.

Can you help by chipping in a few pounds each month?

The Canary Support us