Cybersecurity researchers raise concerns over Covid-19 app

More than 170 academics sign a statement warning of security risk of the application

Cybersecurity researchers have raised concerns over plans for a contact-tracing mobile-phone application to help track Covid-19 infections in the UK.

The controversial app is expected to be ready for partial deployment within a couple of weeks, before a wider national roll-out, according to its developer, NHSX.

But in a joint statement more than 170 UK scientists and researchers in the fields of information security and privacy urged specialists—from all relevant academic disciplines—to analyse the health benefits of the app and find out if it is “of value to justify the dangers involved”.

According to the academics, the risks to privacy and medical confidentiality cannot be completely mitigated.

“We believe that any such application will only be used in the necessary numbers if it gives reason to be trusted by those being asked to install it,” they said.

In particular, the researchers raise concerns about reports that NHSX is discussing an approach that centrally records the de-anonymised identities of those infected with the virus as well as those they have been in contact with, which they describe as a “form of surveillance”.

They also highlighted the security risk that hackers could use the information to “spy on citizens’ real-world activities”.

Their concerns come after MPs on the House of Commons Science and Technology Committee pressed for more privacy and security information on the app before it is released to the public.

Speaking during the hearing, Matthew Gould, the chief executive officer of NHSX, committed to publishing the data protection impact assessment (DPIA) for the application.

While welcoming Gould’s commitment to transparency, the academics called on NHSX to publish the DPIA “immediately, rather than just before deployment, to enable public debate about its implications and public scrutiny of the security and privacy safeguards put in place”.

“We are also asking NHSX to, at a minimum, publicly commit that there will not be a database or databases—regardless of what controls are put in place—that would allow de-anonymization of users of its system,” the letter said.

Finally, academics urged NHSX to clarify how it plans to phase out the application after the pandemic.