Today the government announced the ‘new’ test and trace (I must not call it track and trace) app will be available on the 24th September.
They also announced that hospitality venues (or, I presume, anywhere where people gather) can download QR codes to ‘check in’ to locations when they arrive.
This latter bit rang alarm bells with me. The new app is using the Apple and Google ‘Exposure Notification’ API, which does not track location, it just tracks random IDs generated by other phones, and when one person gets a positive test, it sends notifications back to those you’ve crossed paths with.
‘Hmm,’ I thought, ‘is checking in with QR codes a way to get around the privacy protections of the Exposure Notification system?’
3.3 A Contact Tracing App may not use location-based APIs, may not use Bluetooth functionality (excluding Bluetooth functionality included in the Exposure Notification APIs) and may not collect any device information to identify the precise location of users. In addition, Contact Tracing Apps are prohibited from using frameworks or APIs in the Apple Software that enable access to personally identifiable information (e.g., Photos, Contacts), unless otherwise agreed by Apple.https://developer.apple.com/contact/request/download/Exposure_Notification_Addendum.pdf
Checking into places (and probably reporting that back to gov.uk’s servers), which was my initial suspicion, would surely breach that agreement.
It does, but I was very happy to see that the app doesn’t report those check-ins back. They are only stored on your phone, and can be recalled if you do test positive and call the Test and Trace hotline.
There is a detailed privacy notice for the app, which says:
The App has been designed to use as little personal data and information as possible. All the data that could directly identify you is held on your phone and not shared anywhere else.Fair enough as a high-level aim, but specifically on the venue check-in, it says:
When you set up the App, it will ask you for permission to use the camera on your device in order to check in to venues using QR codes. If you check in to a venue, the information will be stored on your phone for 21 days. It will not be shared with anyone else. The choice of 21 days takes into account the 14-day incubation period, and 7-day infectious period of the virus.
You will be able to see the list of venues where you have checked in on your phone. You can delete the whole list at any time. In future versions of the App you will be able to choose to delete single items from the list. No one else will know where you have checked in unless you choose to tell them, and the data will not be shared by the App.At the same URL there is also an illustration of the various ‘user journeys’ through the app, which is very helpful. Even better, the app and the server back-end code is available on the NHS GitHub site.
This is so much better than I was expecting, and reassures me I can safely install the app when it is released. It’s also several orders of magnitude better than the original attempt at a home-grown app that had few, if any, of the protections of the Apple/Google Exposure Notification API and wanted to always run in the background.