Bit on the late side? With new Coronavirus infections falling, the NHS contact-tracing app should be in place at the end of June
A government minister has confirmed that the NHS contact tracing app will be in place by the end of June, after its release was delayed due to issues flagged by researchers.
The release date was revealed by business minister Nadhim Zahawi, speaking on the BBC’s Question Time on Thursday.
During the program, Zahawi said: “The app, we are working flat out. We want to make sure it actually does everything it needs to do and will be in place this month.”
Zahawi added that he could not give an exact date of release, and it would be wrong to do so.
“We will make sure [the app] will be running as soon as we think it is robust,” he reportedly said.
Asked to confirm it would be rolled out nationwide this month, he said: “I’d like to think we’d be able to manage by this month, yes.”
The app has also been published to Apple and Google’s app stores, but is effectively hidden from the general public at the moment.
The NHS app has been developed by NHSX – the health service’s digital innovation unit – and last month the source code was published to GitHub to allow scrutiny from others.
But within a couple of weeks, Australian cryptographers warned of wide-ranging security flaws with the app, and said the problems pose risks to users’ privacy and could be abused to prevent contagion alerts being sent.
The problems found by the researchers include weaknesses in the registration process that could allow attackers to steal encryption keys. This could prevent users from being notified if a contact tested positive for Covid-19. Or it could result in the creation of a false alert.
Another problem stems from the fact that the data is stored unencrypted on handsets that could potentially be used by law enforcement to determine when two or more people met.
GCHQ’s National Cyber Security Centre (NCSC) is still in the process of addressing the issues raised.
Test and trace
The UK is pressing ahead without the app at the moment, and last week new test and trace systems were launched in England and Scotland – but without the app.
When someone tests positive for Covid-19, the app will track down whom the patient has been in contact with and isolate them.
The UK’s NHS app for example uses Bluetooth signals to detect and log other phones with a compatible app in the vicinity. When a person develops a confirmed case, the app alerts those who have come into contact with the individual.
But the NHS’ “centralised” approach has come under fire for exposing users to privacy risks and, as a result, potentially making people less willing to use the software.
Matters were not helped for privacy campaigners when it was confirmed that GCHQ had been granted extra powers to obtain security data from NHS systems, in order to better protect it from outside threats.
The NHS app processes anonymised data on a central server, allowing the NHS to track trends in the way the virus is spreading and to detect hotspots.
That approach contrasts to the “decentralised” approach adopted by many other countries, where all data processing is carried out on the devices themselves.
Apple and Google are developing a decentralised API that is to be built into iOS and Android devices, and the method has been widely adopted across Europe and elsewhere.
France and Japan are two notable exceptions (along with the UK), by opting to employ centralised servers.
Do you know all about security? Try our quiz!