Claims that GCHQ-advised coronavirus track and trace app has security and privacy flaws

GCHQ cyber defence
Support us and go ad-free

The NHS has opted for a version of the coronavirus (Covid-19) track and trace app that reportedly has in-built security flaws that could seriously impinge upon personal privacy. It’s also understood that the spy agency GCHQ has a hand in its development.

Centralised model

The BBC has reported that the NHS has rejected the Apple-Google coronavirus track and trace app and instead opted for a different, ‘centralised’ model. According to the BBC, one advantage of this model would mean that the app would work whether or not it is active and on-screen. This model means that the matching process is via a computer server.

However, the BBC reports that Apple and Google argue such a model will enable hackers to “use the computer server logs to track specific individuals and identify their social interactions”.

How it will work

Apple Insider comments:

Unlike the Apple/Google partnership, the NHS’s app will see iPhones and Android phones continually reporting to a central database maintained by the British government.

Apple Insider further explains that the app from NHS digital innovation department NHSX:

will log when any two devices are close enough together for longer than an unspecified amount of time, and relay that information to the central database.

Read on...

Support us and go ad-free

The NHSX app will use bluetooth technology, which according to Business Insider:

normally isn’t permitted to run in the background on iOS. For example, Singapore’s Bluetooth-based TraceTogether app reportedly requires the user to leave their phone unlocked to work properly — a privacy risk and a battery drain.

However, Privacy International argues that while in its view bluetooth technology is “less intrusive”, unless the app is widely used it can be ineffective:

[The Big Data Institute estimates] that over 60 per cent of the UK’s population would have to be using the app for digital contact tracing to reach enough people as they become infected. It is also essential, in their view, that people identified by the contact tracing app be promptly tested. This may require a significantly higher rate of testing that we’ve so far seen in the UK.

Joining the dots

According to Wired, NHSX is working with Faculty, a private company that the Guardian understands is a partner with the controversial US data firm Palantir.

Techcrunch further confirms that Palantir, together with Google and Microsoft, is providing the NHS with “COVID-19 data analysis through the company’s Foundry software”.

Palantir is owned by Peter Thiel and is one of the biggest data intelligence companies in the world. Previously The Canary reported that Palantir:

was awarded contracts to handle vast data sets on UK citizens for British spy agency GCHQ. The company also helped develop an aid for the spyware XKEYSCORE programme. And a 2010 presentation on the joint NSA-GCHQ ‘Mastering the Internet‘ surveillance programme recommended running Palantir software on Android handsets (smartphones and tablets). Palantir was also used as part of a GCHQ project which sought to improve the agency’s ability to collect tweets, blog posts and news articles.

The BBC also reports that the National Cyber Security Centre (NCSC), a division of GCHQ, is advising NHSX in the development of the UK app. In other words, there appears to be a direct connection between GCHQ, the NHSX app project, and the Palantir-led data analysis project.

Other experiences

Palantir was also in talks with the New Zealand government to see how it could assist with its coronavirus technologies, although nothing has happened yet on that front.

In Australia, there are also concerns about security regarding its COVIDsafe app. According to Engadget:

The storage of contact data (including names, phone numbers and postcodes) beyond a device makes it theoretically possible to abuse that info, or for an intruder to access it.

The BBC reports, too, that France has adopted a similar model to the NHS app, provoking criticism from computer security experts.


Privacy International has warned of the need for safeguards:

As with everything we’re seeing in the age of Covid-19, we must be highly aware of the limitations of the choices we are offered. It is also important that technical and legal safeguards around the processing and storage of data — especially when those data can be used for deanonymisation — are not bypassed or ignored in the rush to deploy technology, however well-meaning or indeed vital it may be.

Indeed, to engage the support of the public, governments need to get the technology right and with the right safeguards.

Featured image supplied

Support us and go ad-free

We know everyone is suffering under the Tories - but the Canary is a vital weapon in our fight back, and we need your support

The Canary Workers’ Co-op knows life is hard. The Tories are waging a class war against us we’re all having to fight. But like trade unions and community organising, truly independent working-class media is a vital weapon in our armoury.

The Canary doesn’t have the budget of the corporate media. In fact, our income is over 1,000 times less than the Guardian’s. What we do have is a radical agenda that disrupts power and amplifies marginalised communities. But we can only do this with our readers’ support.

So please, help us continue to spread messages of resistance and hope. Even the smallest donation would mean the world to us.

Support us