As the UK is about to launch its app to trace potential Coronavirus patients, we look at its technical functionalities.
Key findings
Our analysis of the NHSX app reveals that there is no mechanism to opt in to or opt out of the third-party trackers which are included with the app.
It seems that the app would only work when it is operating in the foreground, particularly on iOS devices, making its efficacy questionable.
The app is incompatible with a range of older Android devices, potentially putting the most vulnerable, such as the elderly or those on low incomes, at risk.
This week saw the release of a coronavirus tracking app within the United Kingdom, initially to be trialled in the Isle of Wight. Privacy International has been following this closely, along with other ‘track and trace’ apps like those seen in over 30 other countries.
The UK’s app is no different. It is a small part of a public health response to this pandemic. As with all the other apps, it is vital that it be integrated with a comprehensive healthcare response, prioritise people, and minimise data. It must empower people so that they know that their data and their devices are secure, and any new functionality must be destroyed at the end of this global pandemic. Our broader look at apps being used to fight COVID19 is available here.
PI was fortunate enough to be given early access to the UK NHS COVID19 tracker (also known as CoLocate or Solar) as it entered its trial period. PI is investigating both the Android and iOS implementations of the app. Although we plan to do a deeper technical investigation soon, here is what we know so far, along with our concerns in the wider security and privacy contexts.
What we know
We appreciate that this app’s development cycle has been accelerated, and that the current form of the app at the time of writing may be only the most minimal of viable products. However, it is already being touted by politicians and press in the UK as something that will assist in the easing of current lockdown conditions.
To date, PI has only looked at the app functionally, reviewed its associated documentation, and run it through our own internal Exodus Privacy instance. Exodus Privacy does basic “static analysis” (programmatically looking at the code for trackers and permissions) on Android installer packages. We will cover this in three parts: what we can learn from the Apple App Store and Google Play Store documentation, what we can learn from the permissions the app requests, and finally how those permissions interact with the functionality.
App Store Metadata
Both the Apple App Store and Google Play Store link to a Privacy Policy on the https://covid19.nhs.uk website, which is separate from the main NHS privacy statement. The iOS version also includes a link to the software license, which in this case is an open-source MIT License. While we would commend the NHS for distributing this software under such a permissive license (as it makes the legal barriers to doing deeper security and privacy research using techniques such as decompilation considerably less onerous), the use of such a permissive license poses a number of issues, including allowing individuals to sell the NHS COVID tracking app if they so wish.
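The static analysis described earlier (checking an Android package for requested permissions and tracker code) can be illustrated with the following added example, which is not Exodus Privacy's or PI's code. It assumes the manifest has already been decoded to text XML and the class names already extracted from the package; the tracker signatures and sample input are constructed placeholders and say nothing about the NHS app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Small subset of Android runtime ("dangerous") permissions, for flagging.
DANGEROUS = {"android.permission.ACCESS_FINE_LOCATION",
             "android.permission.ACCESS_COARSE_LOCATION"}
# Constructed signatures (hypothetical SDK names): tracker -> class prefix.
# The trailing dot stops "analytics." from matching "analyticsx.".
SIGNATURES = {"ExampleAnalytics": "com.example.analytics.",
              "ExampleCrashReporter": "io.example.crash."}

# Constructed sample input, not taken from the NHS app.
SAMPLE_MANIFEST = """<manifest package="org.example.tracing"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
</manifest>"""
SAMPLE_CLASSES = ["org.example.tracing.MainActivity",
                  "com.example.analytics.EventLogger",
                  "com.example.analyticsx.NotATracker"]

def manifest_permissions(xml_text):
    """Return the sorted, de-duplicated permissions a manifest requests."""
    found = set()
    for node in ET.fromstring(xml_text).iter():
        if node.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = node.get(ANDROID_NS + "name")
            if name:
                found.add(name)
    return sorted(found)

def match_trackers(class_names, signatures=SIGNATURES):
    """Map tracker name -> classes whose name starts with its prefix."""
    hits = {}
    for tracker, prefix in signatures.items():
        matched = [c for c in class_names if c.startswith(prefix)]
        if matched:
            hits[tracker] = matched
    return hits

def report(xml_text, class_names):
    perms = manifest_permissions(xml_text)
    return {"permissions": perms,
            "dangerous": [p for p in perms if p in DANGEROUS],
            "trackers": match_trackers(class_names)}

if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```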