NHS Covid-19 app
How it will work, the benefits and potential issues
The NHS COVID-19 app aims to automate key parts of public health contact tracing by offering a proximity cascade system to help slow transmission of the COVID-19 virus.
The mobile application has been developed by NHSX, the digital transformation unit of the NHS, and will shortly be available to download on a voluntary basis. It will use short-range Bluetooth signals to communicate anonymously with other nearby phones and maintain a record of which users were within close proximity for a set period of time. If a user experiences symptoms and suspects they are infected with the virus, or if the user tests positive, they can update the app, which will then send an alert to anyone who was recently within the vicinity of the infected user for a sustained amount of time. The app will then encourage them to self-isolate to limit their potential for spreading the virus further.
The app's back-end infrastructure and services are hosted in a commercial public cloud environment, with the NHS in control of the code, deployment, operation and administration of the various infrastructure and services. The NHS state that 'cybersecurity best practice is being adhered to in the architecture of the microservices and back-end infrastructure, the overall development process and in the operational and security management of the infrastructure'.
The application architecture has been built using a centralised platform model, where contacts are represented by an identifier and matched on a central computer. A registration service is used to register a particular installation of the app and to exchange installation-specific and global parameters. The process is as follows:
- The user downloads the app and initiates registration
- The app contacts the notification transport and requests a registration token, which is generated and returned to the app
- The app contacts the registration service and registers its registration token
- The registration service generates an anonymous random GUID (the InstallationID), a symmetric key used for authentication, and an activation code. These are stored with the token
- The registration service sends an activate message via the notification transport to the app
- The device contacts the registration service with the activation code, which returns the InstallationID and symmetric key.
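The six registration steps above, modelled as an added example (this is not NHSX code; the class and method names, the key and code lengths, and the one-shot consumption of the token on activation are assumptions):

```python
import hmac
import secrets
import uuid


class RegistrationService:
    """Toy model of the registration service; all state is keyed by the registration token."""

    def __init__(self):
        # token -> (InstallationID, symmetric key, activation code)
        self._pending = {}

    def issue_registration_token(self):
        # Step 2: the notification transport hands the app a fresh token
        return secrets.token_urlsafe(16)

    def register(self, token):
        # Steps 3-4: the app registers its token; the service generates a random GUID
        # (the InstallationID), a symmetric key and an activation code, stored with the token
        installation_id = str(uuid.uuid4())
        key = secrets.token_bytes(32)
        activation_code = secrets.token_hex(4)
        self._pending[token] = (installation_id, key, activation_code)
        # Step 5: only the activation code travels in the activate message
        return activation_code

    def activate(self, token, activation_code):
        # Step 6: the device presents the code; a wrong, unknown or replayed code yields nothing
        entry = self._pending.get(token)
        if entry is None or not hmac.compare_digest(entry[2], activation_code):
            return None
        installation_id, key, _ = self._pending.pop(token)  # one-shot: the token is consumed
        return installation_id, key


def run_registration(service, code_override=None):
    """Drive the flow for one installation; returns (InstallationID, key) or None on failure."""
    token = service.issue_registration_token()             # steps 1-2
    code = service.register(token)                          # steps 3-5
    return service.activate(token, code_override or code)   # step 6
```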
Proximity information is obtained via Bluetooth. Because this type of connection is unreliable, signal strength indicators are combined with a risk modelling service which gives each encounter a score based on the risk of the virus being transmitted. Signal strength is especially hard to interpret in indoor environments (due to reflection from walls, furniture, equipment and people) and when the devices are moving in relation to one another: an accurate estimate of distance is impossible from a single reading, and accuracy only improves if the distance remains the same, allowing the readings to be averaged over a period.
When a user indicates that they may be infected, they transmit their proximity data to the system through an event log that contains the anonymous pseudonyms their device has collected. For each pseudonym, the system recovers the underlying random and anonymous InstallationID.
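An added example (not the app's risk model) of why single readings mislead and why averaging only helps when the distance is stable: a log-distance path-loss model turns RSSI into a distance estimate, a run of readings is averaged only if its spread suggests the devices were not moving, and a toy duration-weighted score follows. The calibration constants, the spread threshold, the scoring rule and the sample readings are all constructed assumptions.

```python
from statistics import mean

TX_POWER_DBM = -59   # assumed RSSI at 1 m for this handset pair (constructed calibration value)
PATH_LOSS_EXP = 2.0  # free-space exponent; indoors it is unknown and varies (assumption)

# Constructed samples: one run at a steady ~2 m, one where the other phone walks away.
STABLE_READINGS = [-63, -69, -64, -66, -68, -65, -67, -66]
MOVING_READINGS = [-55, -60, -68, -75, -82, -88]


def distance_from_rssi(rssi_dbm):
    """Log-distance path-loss model: one RSSI reading -> one distance estimate in metres."""
    return 10 ** ((TX_POWER_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def single_reading_range(readings):
    """How far apart the per-reading estimates land: the spread a single sample could give."""
    estimates = [distance_from_rssi(r) for r in readings]
    return min(estimates), max(estimates)


def estimate_distance(readings, max_spread_db=10.0):
    """Average the run; refuse when the spread suggests the distance was not constant."""
    if len(readings) < 3 or max(readings) - min(readings) > max_spread_db:
        return None
    return distance_from_rssi(mean(readings))


def encounter_score(readings, seconds, close_m=2.0):
    """Toy risk score: minutes of exposure, scaled down once beyond close_m (assumed rule)."""
    distance = estimate_distance(readings)
    if distance is None:
        return 0.0  # no stable estimate, so no score; a real model would treat this differently
    return seconds / 60 * min(1.0, (close_m / distance) ** 2)
```

For the stable run the individual readings would put the other phone anywhere between roughly 1.6 m and 3.2 m, while the averaged estimate is about 2.2 m.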
Potential issues, including malicious use, could include the following:
- Insufficient take-up resulting in an ineffective tracing and alerting service
- False positive alerts (e.g. unnecessary instructions to self-isolate issued after passing an unattended phone)
- False negatives (e.g. no contact recorded despite being close to a phone whose user later reports symptoms)
- False or mistaken self-reporting of symptoms by users
- Users not keeping their phone on them at all times
- Airwave congestion with large concentrations of Bluetooth devices (possibly leading to false negatives)
- Depletion of phone charge through app use
- Overloading or downtime of the centralised reporting service
- Tying a phone to a dog and letting it run around the park
- State sponsored attacker uses the app to run denial of service attacks and spread panic
- A malicious user collects (using a Raspberry Pi and antenna) broadcast identities from around a particular area, such as a hospital, and records them. They then register a malicious device to generate fake contact events and create an arbitrarily large notification cascade.
Currently the only reported mitigation for malicious events is human oversight of unusual or suspicious cascades, whereas a comprehensive and ongoing cyber-security framework is required to ensure that all of the risks (malicious and accidental) are effectively managed for as long as the app is needed.
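Human oversight of suspicious cascades needs something to put the unusual submissions in front of a reviewer. As an added example (not part of the NHS system; the log layout, thresholds and sample data are constructed), this builds a review queue from the per-submission contact counts, flagging a submission whose number of distinct pseudonyms is far above the population median or whose contacts were all collected in an implausibly short burst:

```python
from statistics import median

DAY = 24 * 3600


def build_sample_log():
    """Constructed submissions: InstallationID -> list of (pseudonym, unix time) contact events."""
    submissions = {}
    for n in range(6):  # six ordinary users: a handful of contacts spread over a day
        submissions[f"install-{n}"] = [
            (f"pseud-{n}-{k}", 1_600_000_000 + k * 3600) for k in range(4 + n)
        ]
    # one submission carrying 400 distinct pseudonyms collected one second apart
    submissions["install-burst"] = [
        (f"pseud-b-{k}", 1_600_000_000 + k) for k in range(400)
    ]
    return submissions


def review_queue(submissions, k=5.0, burst_window_s=600, burst_limit=50):
    """Return {InstallationID: [reasons]} for submissions a human should look at before alerts go out."""
    counts = {s: len({p for p, _ in evs}) for s, evs in submissions.items()}
    med = median(counts.values())
    # median absolute deviation: robust to the very outliers we are trying to catch
    mad = median(abs(c - med) for c in counts.values()) or 1.0
    flagged = {}
    for s, evs in submissions.items():
        reasons = []
        if counts[s] > med + k * mad:
            reasons.append(f"{counts[s]} distinct contacts vs population median {med:g}")
        times = sorted(t for _, t in evs)
        # sliding window: any burst_limit contacts collected within burst_window_s seconds
        for i in range(len(times) - burst_limit + 1):
            if times[i + burst_limit - 1] - times[i] <= burst_window_s:
                reasons.append(f"{burst_limit}+ contacts within {burst_window_s} s")
                break
        if reasons:
            flagged[s] = reasons
    return flagged
```

A flagged submission is held for review rather than dropped, so a genuinely busy hospital worker is not silently discarded while a fabricated cascade is not propagated automatically.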
The government will need to form a clear message and be transparent in its use of the data collected as many people will be uneasy about an app collecting lots of lightly-anonymised data in a system that is intended to be integrated into a wide ranging government response to the pandemic.
Privacy was discussed in detail at the Commons Science and Technology Committee on 28 April 2020. During this session it was outlined that there will be privacy assessments on a regular basis: "At every stage we will do a data protection impact assessment, at every stage we'll make sure the information commission knows what we're doing and is comfortable with what we're doing so we will proceed carefully and make sure what we do is compliant."
To allay privacy concerns, the general population will need to be persuaded of the app's ability to manage the spread of the virus, its potential to reduce lockdown periods and limit the damage to the economy, how it will be used alongside clinical tests, and its integration with the wider public health response strategy.