The NHS Coronavirus contact tracing app is abandoning its centralised approach, and instead opting for the decentralised model pushed by Apple and Google.
The decision is a significant u-turn, but comes after similar decisions from countries such as Germany, Italy and Denmark, which also moved to the tech giants’ model.
The NHS app had been delayed, as it was initially expected in mid May. Earlier this month a government a minister confirmed the app would be in place by the end of June, but new reports suggest it won’t be ready until the winter.
Whenever it arrives, the app will mostly likely be needed in the future, especially if the world has to contend with another global pandemic.
The app was also published to Apple and Google’s app stores, but was effectively hidden from the general public.
The NHS app has been developed by NHSX – the health service’s digital innovation unit – and last month the source code was published to GitHub to allow scrutiny from others.
But within a couple of weeks, Australian cryptographers warned of wide-ranging security flaws with the app, and said the problems pose risks to users’ privacy and could be abused to prevent contagion alerts being sent.
The problems found by the researchers include weaknesses in the registration process that could allow attackers to steal encryption keys. This could prevent users from being notified if a contact tested positive for Covid-19. Or it could result in the creation of a false alert.
Developers of the app had argued that its own centralised model was more effective than the model being proposed by the technology companies.
Under the centralised approach, when someone tests positive for Covid-19, the app will track down whom the patient has been in contact with and isolate them.
The UK’s NHS app uses Bluetooth signals to detect and log other phones with a compatible app in the vicinity.
When a person develops a confirmed case, the app alerts those who have come into contact with the individual.
But the NHS’ “centralised” approach has come under fire for exposing users to privacy risks and, as a result, potentially making people less willing to use the software.
The NHS app processes anonymised data on a central server, allowing the NHS to track trends in the way the virus is spreading and to detect hotspots.
That approach contrasts to the “decentralised” approach adopted by many other countries, where all data processing is carried out on the devices themselves.
Apple and Google are developing a decentralised API that is to be built into iOS and Android devices, and the method has been widely adopted across Europe and elsewhere.
France and Japan are two notable exceptions, by opting to employ centralised servers.
But now according to Sky News, the government this afternoon will announce it is switching to the technology provided by Google and Apple.
Although more privacy-focused, it does potentially mean that epidemiologists will have access to less data.
The decision to switch comes the day after the BBC revealed that a former Apple executive, Simon Thompson, was taking charge of the late-running project.
Do you know all about security? Try our quiz!