The UK’s Contact-Tracing App Breaks the UK’s Own Privacy Laws (and Is Just Plain Broken)

Illustration for article titled The UK’s Contact-Tracing App Breaks the UK’s Own Privacy Laws (and Is Just Plain Broken)
Photo: Getty

Whether you love them or hate them (or think they won’t work), authorities around the world have universally embraced the concept of contact-tracing tech in order to curb the coronavirus’s spread. In practice, however, these apps have fallen short of a lot of our expectations, with many turning out to be more invasive than any of us anticipated, if not downright broken.

Advertisement

It’s looking like the UK’s contender in the virus-tracking space—which rolled out roughly one week ago—is no exception. According to local reports from folks that have downloaded the program thus far, not only is the app incompatible with a range of different devices, but it’s also a battery-draining mess that can be confusing to use. Meanwhile, a separate analysis of the app’s source code quickly revealed that the app itself isn’t guilty of poor UX, but of violating the country’s own regulations surrounding digital privacy.

First, let’s talk about what this app isn’t. Unlike the CDC’s open-armed embrace of Apple and Google’s framework for contact-tracing apps, the UK’s National Health Service—or NHS—outright rejected the company’s joint guidelines entirely, ostensibly on the grounds that their decentralized approach to contact tracing wasn’t in line with the health authority’s own plans. In other words, the NHS wanted to put all that data it’s collecting in one place—a practice that flies in the face of good privacy practices.

Advertisement

In their place, NHSX—the NHS’s digital arm—partnered with the Palo Alto-based VMWare Inc and the Swiss-based Zuhlke Engineering for their app, which officially debuted May 5th for the 140,000-ish populace on Britain’s Isle Of Wight as a closed-beta test. As the Isle’s Parliamentary member Bob Seely told Bloomberg in a recent report, the current test has been “throwing up lots of really good information” over the course of its week-long run.

But the Isle’s citizens—and the app’s developers—are painting a different picture. Earlier this week, the NHS’s Chief Data Officer Geraint Lewis told BBC in a radio interview that the only devices capable of supporting the app’s hardware were those running iOS 11 or Android 8. Older models, he explained, are unable to project the low-energy Bluetooth beacons that the app uses to track the distance between the phone on which it’s running and any surrounding devices. Meanwhile, some folks using Huawei devices running the company’s native AppGallery in place of Google’s Play Store might find themselves unable to download the app at all.

According to Lewis, these concerns and others that listeners called in to describe—like the app’s battery-draining tendencies and sometimes confusing permissions—would be handled in time before the upcoming UK-wide release. (There is no wide release date yet, but officials have targeted the coming weeks in their public remarks.) With that in mind, we decided to do the legwork to find some of the other issues that the NHSX probably needs to wrangle before that debut.

Though the app in its current form is unavailable to non-Isle residents snooping through the Google Play or Apple iOS Stores, the NHSX has publicized the app’s source code for both Android and iOS. For the week this code’s been on the air, there have been folks based in the EU and abroad ripping apart every issue they can find within it, with some needing easier fixes than others. Some of the more notable examples include:

  • The Bluetooth connection capabilities of some Android phones running the app are apparently conking out after coming in contact with a few hundred other devices.
  • Apple’s phones are neglecting to pick up on the Bluetooth signals generated by some of those same Android phones.
  • Apple phones are refusing to recognize other Apple devices when they both have the app running in the background—an issue pointed out by more than a few folks in the cybersecurity space.
  • The very real possibility that the NHS’s servers might be mishandling the data that is needed to tie each app download to a particular person.
Advertisement

Aside from those, there’s also the (somewhat ironic) issue that the app violates GDPR, no matter the OS it’s running on. As a handful of techies pointed out a day after the NHS took the code public, some of the links used within the app—say, the link used to open the NHS’s privacy policy—come coupled with tracking tags for Google Analytics that could very easily be used to retarget these app-downloaders and link-clickers with all manner of targeted ads. Because it’s less than likely that these app downloaders are aware of the backend-tech on the app they’ve downloaded, there’s no way for them to meaningfully consent to this sort of tracking. Without consent—probably one of the key concepts at the heart of the GDPR—the UK’s own contact-tracing app runs roughshod over regional regulations and could, hypothetically, lead to a sweeping, NHS-wide-fine in its current state.

Granted, the code in question could easily be tweaked out of the app’s final version. As one NHS staffer pointed out in a blog post about the code, the agency needs to collect base-level data from each downloader’s phone to keep track of crashes and any app-based errors.

Advertisement

“Our closed Beta will collect some volunteers’ data for performance analytics and A/B testing,” he added. “The libraries required for these analytics may still be present—but deactivated—in the public version of the app.”

The thing is, shutting down that line of code on the back end can easily come with the side effect of crippling the app on the front end. According to the staffer, the agency is currently investigating the possible consequences and crashes that might come with deactivating the strings of code that, again, violate the region’s own digital privacy laws, and frankly should have been considered from the outset, rather than after 55,000 downloads and the promise of a wider release just a few short weeks away. The NHSX has proven that it hears these critiques—now it just has to actually act on them.

Advertisement

I cover the business of data for Gizmodo. Send your worst tips to swodinsky@gizmodo.com.

Share This Story

Get our newsletter

DISCUSSION

bkilburn
ArtistAtLarge

No surprise here. The UK gov has had systemic problems with all large scale I.T. projects for decades.

Or I should say, large scale looting of public funds for non-functioning I.T. projects.