Category Archives: Tech

The NHS Test and Trace app (part the third)

A couple of days since the launch of the NHS test and trace app and it continues to be in the news.

The BBC’s Rory Cellan-Jones has written an article that the abandoned initial app ‘worked on more phones.’ True, perhaps, but there is a balance between accuracy and privacy. Plenty of people don’t want to download the new app that uses the Exposure Notification API. How many would want to download one that collected information centrally as the original one did?

The complaint today is that you can’t acknowledge a test from the NHS or Public Health England (pillar 1 tests), only from the private (‘Nightingale’) testing centres — the pillar 2 tests.

In contrast, on Wednesday people were expecting it to be very easy to enter a false positive test into the app and cause a barrage of unneeded messages to isolate.

To avoid the latter, you need some way to authenticate a test result.

Now, I don’t know what has gone on behind the scenes, but I can easily see why it might be easier to set up a regime at the private labs working under contract than it is for the “on demand” tests being performed in the NHS.

The pillar 2 tests that can be entered into the app account for two-thirds of the testing capacity, so whilst it is essential to get a way of entering the pillar 1 tests into the app (and even the pillar 4 statistical tests), this does not make the app useless.

I’d love to hear what the plans are for getting the pillar 1 and 4 tests into the app, but I can see how we got here, and I’d tend to think it is more likely to be because it hasn’t been possible to get the logistics co-ordinated in time rather than the commercial conspiracy theories that are doing the rounds.

Update (ironically from the correspondent mentioned above):

Update 2. Storm in a teacup?

https://www.theguardian.com/world/2020/sep/26/nhs-covid-app-does-not-log-test-results-from-hospitals-or-phe-labs-in-england

The NHS Test & Trace App (updated)

A couple of weeks ago, I described why I would probably feel safe installing the NHS Test and Trace app which went live today.

Reader, I installed it.

I’ve spent a bit of time today listening to people that have concerns with the app. All of these boil down to “we don’t trust the government.” Trust has been so eroded by the actions of Cummings et al, that people are justifiably distrustful of an NHS/government app.

That’s fine, I don’t trust the government either, but let me try to explain why in this case it doesn’t matter.

It uses the Apple/Google Exposure Notification API, which means that the app must abide by certain rules before it is allowed on the App Stores, and that includes not being able to track your location. If it doesn’t obey those rules, it doesn’t get put on the App Store.

One of the key points to stress is that all the hard work is done on your phone, and not uploaded to NHS servers. The QR codes you scan to ‘check in’ to a venue are only stored on your phone — and mean you don’t have to hand your personal details over to the venue instead.

There is a detailed privacy policy, including a summary and an ‘easy read’ version

The source code is available for all to see (and you can be sure lots of people are looking at it):

There is a method to disclose vulnerabilities:

Concerns have been raised about the requirement for a relatively new smartphone. This is true, it requires iOS 13.5 or newer, or Android 6 or newer. An iPhone 6 will not support it, even though they were being sold up until September 2018, but the iPhone 6s (which was launched one year later, but discontinued at the same time as the 6) will support it. My Samsung Galaxy S7 released in 2016 (running Android 8) does support it.

The reason for this is not the NHS, it’s the operating systems that support the Exposure Notification API, and the privacy strength of the app comes from using that instead of the original plan for an app developed entirely in-house.

It is perfect? I doubt it. For a start, you need to be in proximity to someone for 15 minutes who later tests positive for it to count as a ‘high risk encounter.’ Is it better than writing your contact details in a book? I think so.

The NHS Test and Trace App

Today the government announced the ‘new’ test and trace (I must not call it track and trace) app will be available on the 24th September.

They also announced that hospitality venues (or, I presume, anywhere where people gather) can download QR codes to ‘check in’ to locations when they arrive.

This latter bit rang alarm bells with me. The new app is using the Apple and Google ‘Exposure Notification’ API, which does not track location, it just tracks random IDs generated by other phones, and when one person gets a positive test, it sends notifications back to those you’ve crossed paths with.

‘Hmm,’ I thought, ‘is checking in with QR codes a way to get around the privacy protections of the Exposure Notification system?’

Apple’s Developer Documentation says:

3.3 A Contact Tracing App may not use location-based APIs, may not use Bluetooth functionality (excluding Bluetooth functionality included in the Exposure Notification APIs) and may not collect any device information to identify the precise location of users. In addition, Contact Tracing Apps are prohibited from using frameworks or APIs in the Apple Software that enable access to personally identifiable information (e.g., Photos, Contacts), unless otherwise agreed by Apple.

https://developer.apple.com/contact/request/download/Exposure_Notification_Addendum.pdf

Checking into places (and probably reporting that back to gov.uk’s servers), which was my initial suspicion, would surely breach that agreement.

It does, but I was very happy to see that the app doesn’t report those check-ins back. They are only stored on your phone, and can be recalled if you do test positive and call the Test and Trace hotline.

There is a detailed privacy notice for the app, which says:

The App has been designed to use as little personal data and information as possible. All the data that could directly identify you is held on your phone and not shared anywhere else.

Fair enough as a high-level aim, but specifically on the venue check-in, it says:

When you set up the App, it will ask you for permission to use the camera on your device in order to check in to venues using QR codes. If you check in to a venue, the information will be stored on your phone for 21 days. It will not be shared with anyone else. The choice of 21 days takes into account the 14-day incubation period, and 7-day infectious period of the virus.

You will be able to see the list of venues where you have checked in on your phone. You can delete the whole list at any time. In future versions of the App you will be able to choose to delete single items from the list. No one else will know where you have checked in unless you choose to tell them, and the data will not be shared by the App.

At the same URL there is also an illustration of the various ‘user journeys’ through the app, which is very helpful. Even better, the app and the server back-end code is available on the NHS GitHub site.

This is so much better than I was expecting, and reassures me I can safely install the app when it is released. It’s also several orders of magnitude better than the original attempt at a home-grown app that had few, if any, of the protections of the Apple/Google Exposure Notification API and wanted to always run in the background.

Free broadband for all

There have probably been a thousand blog posts and LinkedIn posts already about Labour’s proposal for “free broadband for all,” but I’m going to add my tuppence-worth.  Given (one of) my Twitter handle(s) is @internetplumber, I feel it’s almost a duty.  Whilst these are my personal opinions, they’re written as someone that works in a service provider that is already largely publicly funded.

First a bit of background.  BT used to be a monolithic company that owned and operated both the physical infrastructure (fibre and copper in the ground) plus the services on top of it (phone, Internet).  To encourage competition in the services, which require access to the infrastructure, the latter was split into a company called Openreach, which is regulated, and must offer access to the infrastructure equitably to all – whether that’s BT (who also own Plusnet), TalkTalk, Virgin, Sky, or any number of other service providers (including Jisc for the Janet network, and the ISP I use at home – Andrews and Arnold).

Labour’s suggestion that they’ll provide free broadband for all using “full fibre” via a nationalised provider encroaches both on the physical infrastructure (Openreach), and the services (BT et al).

Building Fibre to the Home is expensive.  We do it for Higher and Further education, using a combination of dark fibre provided by commercial companies and products from Openreach, but this is on the scale for resilient connections to about 1,000 customers.

There are about 25,000,000 homes in the UK. A lot of those are in metropolitan areas where small fibre distances can reach many customers, but digging in cities is time-consuming and expensive.  Other homes are out in the country which, whilst perhaps easier to dig, requires a long stretch of fibre to get back to the nearest Exchange.  At £1,000 per house, that’s already £25bn.  This is an expensive investment which would benefit from public money, otherwise it may not happen, or at least it may only happen sporadically.

The Internet access on top of that infrastructure is already a very competitive market, which benefits the consumer in terms of being able to choose the right service provider for them. For example, whilst my wife would like me to use BT so that I could get access to BT Sport to watch the rugby, I have used Andrews and Arnold for a long time because they rolled out IPv6 access before just about any other domestic service provider in the UK. All Internet access is not the same.

Governments are frequently talking about regulating the Internet in one form or another.  Are you happy with only being able to visit government-sanctioned websites?  Or only using government-approved communications methods which they can, presumably, snoop on? Our gas, electricity and water do not come for free – even before deregulation there were electricity bills, gas bills and water rates, is broadband more essential than those other utilities?

Don’t mistake me, I think universal, fast, Internet access is something we all deserve and increasingly require, but are we making the right utility free, and what is the cost of making it free?

There’s a saying in the Internet industry – “if you’re not paying for the product, you are the product.”  Where will the information collected by British Broadband be held?  What will it be used for?

What’s going on with iPad apps?

Yesterday I received an email from American Express to say they were discontinuing their iPad app and recommending I migrate to the iPhone app.

I don’t have an iPhone, and using the iPhone app on the iPad is not a great use of screen real estate, nor does it work in landscape mode, whereas the current iPad app is useful — it shows me my outstanding balance, statements, card offers and all that.

The same day, my British Airways iPad app updated and has lost all useful functionality. Instead of showing upcoming flights, seats, upgrade options, account details, etc., it now just allows you to book flights, though not as flexibly as the previous version (and certainly not the website) which also allowed you to explore cheapest fares.

Neither of the iPhone apps are ‘universal’ apps that resize to use the iPad screen size.

Is this the result of two independent decisions that seem to ignore what a user wants from an app? A lack of development resource? Or due to something being imposed by Apple with the move to iOS 13 / iPadOS? I thought the aim was to have universal apps that would work across iPhone, iPad and Mac…