This Is Why NHS Covid-19 App Privacy Concerns Are Massively Overblown

"It records the minimal amount of personal data and most of the data is only recorded on the phone," says one cyber security expert.

The long-awaited NHS Test and Trace Covid-19 app has finally arrived and although the technology is not a “silver bullet” in the fight against the pandemic, it is at least a positive step to aid contact tracing efforts.

For it to work it will need at least seven million people to download and use it but already it’s clear not everyone is on board.

Social media is currently awash with people voicing concerns and refusing to download the app because they’re concerned about their data and privacy...


Of course the irony of this is, those very same people have signed away for more personal information in order to be able to make those comments in the first place.

If you set up the most minimal anonymous account on Twitter, you still need to provide an email and, if you’re using on a phone, grant access to your mobile data.

Facebook and Instagram typically require far more, not to mention that many users willingly post photos and check in to places, leaving a permanent digital trail of their lives.

Just using Google provides the company with reams of information about your browsing history, shopping preferences and a whole host more and a wearable device like a FitBit regularly tracks your location.

And hacks resulting in data being stolen are all too common.

Eerke Boiten, professor in cyber security at De Montfort University, told HuffPost UK: “It records the minimal amount of personal data and most of the data is only recorded on the phone.

“It compares extremely favourably [to Facebook] but having said that, Facebook is for sharing stuff that you want to share with people you want to share it with.

“On top of that, it does an awful lot of interpreting of what the user does in order to target advertising and satisfy its paying customers, the advertisers.”

In short, if you’re on social media or use a popular internet browser, you’ve probably already sacrificed more personal information to massive tech companies that you ever will to the NHS Covid app.

Let’s take a closer look...

OK, how does it work?

The app uses Bluetooth signals to log when a user is in close contact with another user, generally meaning within two metres for 15 minutes or more.

If someone then tests positive for Covid-19, they can choose to share the result anonymously with their close contacts, who will each receive an alert and will have to isolate for 14 days.

PA Media

How much information am I handing over?

Very little. It doesn’t even ask for your name, just the first half of your postcode which is used to tell you the current coronavirus risk level in the area you live.

This information is only held on your phone, not on a central database.

How does it track the spread of the virus?

This relies on you inputting any symptoms you have or coronavirus test results. If you do have Covid, this will then be registered as a case in the area that matches the postcode you entered.

The app generates a random ID for each user to protect privacy, and matches cases on the device rather than on a central server, as was the case in the first iteration.

It will also enable users to book a Covid-19 test subject to availability, check symptoms, and register at venues using a QR-type bar code displayed by businesses.

But it’s tracking my location, right?

Nope. Downloading and using the app doesn’t require that you grant it permission to track your location.

All it is looking for – via Bluetooth – is other app users, which it then logs if you are within two metres of them for 15 minutes or more.

This doesn’t require knowing exactly where you are, only when you are near another app user.

Won’t it know who I am from my phone?

No, it’s all done using randomly generated codes that are used to identify you and other users.

This code changes every day so that it cannot be associated with you or your phone.

The app also produces another randomly generated code every 15 minutes which is collected by the app installed on other users’ phones when you’re in close contact with them.

What else am I giving it permission to do?

You are granting the app permission to use Bluetooth to look for other app users, the biggest downside to which is it might drain your battery a bit quicker.

It also asks for access to your camera in order to scan QR codes when registering at venues.

How long is this information held?

Firstly, it’s important to stress again that the information is held locally on your phone, not on a database run by the government or a tech company.

The first half of your postcode will be held for as long as you have the app installed.

A history of the places you’ve checked into in the last 14 days, will be held for just those 14 days.

Data about those venues is held for 21 days.

Who can’t use it?

The app is available on iOS and Android operating systems but will not work on older handsets.

On the iPhone, you will need to be running iOS 13.5, meaning the oldest possible iPhone device you can use it on is 2015’s iPhone 6s.

On Android, Marshmallow 6.0 – released in 2015 – and higher is required.

Also, it is only for people over the age of 16.


What's Hot