An iPhone and Android app called NHS COVID-19 is the official coronavirus contact tracing software for the vast majority of the population of Great Britain.
(England and Wales have standardised on NHS COVID-19, but Scotland has gone down a different path with an app of its own.)
Today also marks the first day of slightly more liberal lockdown rules in England, with non-essential shops allowed to open for the first time this year, and outdoor alcohol and food service permitted at pubs and eateries.
Indeed, much of England is so excited about this newfound demi-freedom that some hairdressers and barbers took bookings from one minute past midnight this morning, just to give regular customers the chance of being first in.
Apparently, the government was keen to have an updated version of the NHS COVID-19 app ready in time, with added (though optional) location tracking features that would allow users to share their location logs with the health service.
We’re guessing that the government thought that a voluntary feed of location data might help with planning for reducing the risk of a new wave of coronavirus infections as the current British lockdown eases.
According to the BBC, however, this new version was blocked by both Apple and Google, and won’t be available either in the App Store or through Google Play.
(To be clear, the old version remains online for download and will keep working fine if you have it installed – the app itself hasn’t been banned or thrown out.)
The NHS COVID-19 app relies on a feature added to both iOS and Android known as Exposure Notifications, jointly created by Apple and Google:
On April 10, 2020 Google and Apple announced a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 through contact tracing, with user privacy and security core to the design.
Whether you love or hate Apple or Google (or feel a bit of both emotions for both companies), their combined goal in building this application programming interface (API) was laudable, given that it was needed quickly and globally, and given that privacy should always be coded in right from the start, even, perhaps especially, if you’re in a hurry.
On the principle that the best way to avoid losing data is not to acquire it in the first place, the API was specifically designed to avoid collecting or sharing personal data about contacts, infections and location.
As Apple’s and Google’s joint FAQ explains:
- The Exposure Notifications System does not share location data from the user’s device with the Public Health Authority, Apple, or Google.
- Random Bluetooth identifiers rotate every 10-20 minutes, to help prevent tracking.
- Exposure notifications are only done on the user’s device.
- In addition people who test positive are not identified by the system to other users, or to Apple or Google.
- The system is only used to assist contact tracing efforts by public health authorities.
As a simple and easily-enforced additional requirement, the mobile phone juggernauts also clearly stated (our emphasis) that “[t]here will be restrictions on the data that apps can collect when using the API, including not being able to request access to location services, and restrictions on how data can be used.”
We assume that this is a sensible precaution to stop what’s known as feature creep taking hold in health authority apps.
In other words, you’re not allowed to have location-aware features of any sort in apps that use the Exposure Notifications API, no matter that your location collection is soft opt-in (e.g. collects data by default but requests permission before reading any of it back in for use) or even hard opt-in (e.g. doesn’t collect data at all until you ask it to start doing so).
This, it seems, is what has kept the new NHS COVID-19 app out of Apple’s and Google’s online stores.
An app that contains code that tries to use both the Location permission and the Exposure Notification permission is not only clearly non-compliant but also easy for Apple’s and Google’s app verification systems to detect automatically.
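To show why this combination is easy to spot automatically, here is an added example (not code from Apple, Google or the NHS app, whose real verification logic is not public). It assumes a decoded AndroidManifest.xml and treats the Exposure Notifications broadcast action as the marker of API use; the helper names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}
# Assumption: an app using Exposure Notifications declares a receiver for
# this broadcast action, delivered by Google Play services.
EN_ACTION = "com.google.android.gms.exposurenotification.ACTION_EXPOSURE_STATE_UPDATED"


def audit_manifest(manifest_xml):
    """Report whether a manifest combines Exposure Notifications with location access."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    # Permissions can be requested through either element.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            requested.add(node.get(ANDROID_NS + "name"))
    location = sorted(requested & LOCATION_PERMISSIONS)
    uses_en = any(a.get(ANDROID_NS + "name") == EN_ACTION for a in root.iter("action"))
    return {"uses_en": uses_en, "location": location,
            "conflict": uses_en and bool(location)}


def sample_manifest(permissions, with_en=True):
    """Build a constructed manifest (not taken from any real app)."""
    perms = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    receiver = ""
    if with_en:
        receiver = ('<receiver android:name=".ExposureReceiver">'
                    '<intent-filter><action android:name="%s"/></intent-filter>'
                    '</receiver>' % EN_ACTION)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="example.constructed.app">%s<application>%s</application>'
            '</manifest>' % (perms, receiver))


if __name__ == "__main__":
    compliant = sample_manifest(["android.permission.BLUETOOTH"])
    rejected = sample_manifest(["android.permission.BLUETOOTH",
                                "android.permission.ACCESS_FINE_LOCATION"])
    for name, xml in (("compliant", compliant), ("rejected", rejected)):
        print(name, audit_manifest(xml))
```

The same co-occurrence test applies to any app you review yourself: the declared permissions are static metadata, so no code needs to run to see what an app is able to ask for.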
What to do?
This is more of a “what did they expect?” moment for the developers of the NHS COVID-19 app than a reason to start panicking about your pandemic privacy.
But it is a fantastic reminder to review what permissions you have already granted, perhaps without even realising it, to apps that you have already decided to install on your phone.
After all, there’s not much point in worrying about a government app that might ask you if you want to share personal tracking data with your health service…
…if you are going to let other apps read your location in detail whenever they like, including apps with names such as Totally Not Free Fleeceware Compass App That Is Inferior To The Builtin One Yet Costs $149.99 After Three Days Even If You Uninstall It After Just Three Minutes In Frustration At How Useless It Is.
Fleeceware, by the way, is the name we use to describe apps that you almost certainly want to stay away from because they are designed to seduce you, often with exaggerated claims and hundreds or thousands of fake 5-star reviews, into signing up for a short “free” trial that automatically rolls over into a paid subscription after as little as 48 hours if you aren’t careful.
So, please take this opportunity to read our 5 top mobile privacy tips:
And watch our Naked Security Live video: