A couple of days since the launch of the NHS test and trace app and it continues to be in the news.

The BBC’s Rory Cellan-Jones has written an article that the abandoned initial app ‘worked on more phones.’ True, perhaps, but there is a balance between accuracy and privacy. Plenty of people don’t want to download the new app that uses the Exposure Notification API. How many would want to download one that collected information centrally as the original one did?

The complaint today is that you can’t acknowledge a test from the NHS or Public Health England (pillar 1 tests), only from the private (‘Nightingale’) testing centres — the pillar 2 tests.

In contrast, on Wednesday people were expecting it to be very easy to enter a false positive test into the app and cause a barrage of unneeded messages to isolate.

To avoid the latter, you need some way to authenticate a test result.

Now, I don’t know what has gone on behind the scenes, but I can easily see why it might be easier to set up a regime at the private labs working under contract than it is for the “on demand” tests being performed in the NHS.

The pillar 2 tests that can be entered into the app account for two-thirds of the testing capacity, so whilst it is essential to get a way of entering the pillar 1 tests into the app (and even the pillar 4 statistical tests), this does not make the app useless.

I’d love to hear what the plans are for getting the pillar 1 and 4 tests into the app, but I can see how we got here, and I’d tend to think it is more likely to be because it hasn’t been possible to get the logistics co-ordinated in time rather than the commercial conspiracy theories that are doing the rounds.

Update (ironically from the correspondent mentioned above):

Department of Health promises fix for issue with entering test results from some labs. pic.twitter.com/NpoqRU6jO2

— Rory Cellan-Jones (@ruskin147) September 26, 2020

Update 2. Storm in a teacup?

https://www.theguardian.com/world/2020/sep/26/nhs-covid-app-does-not-log-test-results-from-hospitals-or-phe-labs-in-england

A couple of weeks ago, I described why I would probably feel safe installing the NHS Test and Trace app which went live today.

Reader, I installed it.

I’ve spent a bit of time today listening to people that have concerns with the app. All of these boil down to “we don’t trust the government.” Trust has been so eroded by the actions of Cummings et al, that people are justifiably distrustful of an NHS/government app.

That’s fine, I don’t trust the government either, but let me try to explain why in this case it doesn’t matter.

It uses the Apple/Google Exposure Notification API, which means that the app must abide by certain rules before it is allowed on the App Stores, and that includes not being able to track your location. If it doesn’t obey those rules, it doesn’t get put on the App Store.

One of the key points to stress is that all the hard work is done on your phone, and not uploaded to NHS servers. The QR codes you scan to ‘check in’ to a venue are only stored on your phone — and mean you don’t have to hand your personal details over to the venue instead.

There is a detailed privacy policy, including a summary and an ‘easy read’ version

• https://www.gov.uk/…/nhs-covid-19-app-privacy-information

The source code is available for all to see (and you can be sure lots of people are looking at it):

• https://github.com/nhsx/covid19-app-system-public
• https://github.com/nhsx/covid-19-app-android-ag-public
• https://github.com/nhsx/covid-19-app-ios-ag-public

There is a method to disclose vulnerabilities:

• https://hackerone.com/nhscovid19app?type=team

Concerns have been raised about the requirement for a relatively new smartphone. This is true, it requires iOS 13.5 or newer, or Android 6 or newer. An iPhone 6 will not support it, even though they were being sold up until September 2018, but the iPhone 6s (which was launched one year later, but discontinued at the same time as the 6) will support it. My Samsung Galaxy S7 released in 2016 (running Android 8) does support it.

The reason for this is not the NHS, it’s the operating systems that support the Exposure Notification API, and the privacy strength of the app comes from using that instead of the original plan for an app developed entirely in-house.

It is perfect? I doubt it. For a start, you need to be in proximity to someone for 15 minutes who later tests positive for it to count as a ‘high risk encounter.’ Is it better than writing your contact details in a book? I think so.

Today the government announced the ‘new’ test and trace (I must not call it track and trace) app will be available on the 24th September.

They also announced that hospitality venues (or, I presume, anywhere where people gather) can download QR codes to ‘check in’ to locations when they arrive.

This latter bit rang alarm bells with me. The new app is using the Apple and Google ‘Exposure Notification’ API, which does not track location, it just tracks random IDs generated by other phones, and when one person gets a positive test, it sends notifications back to those you’ve crossed paths with.

‘Hmm,’ I thought, ‘is checking in with QR codes a way to get around the privacy protections of the Exposure Notification system?’

Apple’s Developer Documentation says:

3.3 A Contact Tracing App may not use location-based APIs, may not use Bluetooth functionality (excluding Bluetooth functionality included in the Exposure Notification APIs) and may not collect any device information to identify the precise location of users. In addition, Contact Tracing Apps are prohibited from using frameworks or APIs in the Apple Software that enable access to personally identifiable information (e.g., Photos, Contacts), unless otherwise agreed by Apple.

https://developer.apple.com/contact/request/download/Exposure_Notification_Addendum.pdf

Checking into places (and probably reporting that back to gov.uk’s servers), which was my initial suspicion, would surely breach that agreement.

It does, but I was very happy to see that the app doesn’t report those check-ins back. They are only stored on your phone, and can be recalled if you do test positive and call the Test and Trace hotline.

There is a detailed privacy notice for the app, which says:

The App has been designed to use as little personal data and information as possible. All the data that could directly identify you is held on your phone and not shared anywhere else.

Fair enough as a high-level aim, but specifically on the venue check-in, it says:

When you set up the App, it will ask you for permission to use the camera on your device in order to check in to venues using QR codes. If you check in to a venue, the information will be stored on your phone for 21 days. It will not be shared with anyone else. The choice of 21 days takes into account the 14-day incubation period, and 7-day infectious period of the virus.

You will be able to see the list of venues where you have checked in on your phone. You can delete the whole list at any time. In future versions of the App you will be able to choose to delete single items from the list. No one else will know where you have checked in unless you choose to tell them, and the data will not be shared by the App.

At the same URL there is also an illustration of the various ‘user journeys’ through the app, which is very helpful. Even better, the app and the server back-end code is available on the NHS GitHub site.

This is so much better than I was expecting, and reassures me I can safely install the app when it is released. It’s also several orders of magnitude better than the original attempt at a home-grown app that had few, if any, of the protections of the Apple/Google Exposure Notification API and wanted to always run in the background.