back to article UK COVID-19 contact-tracing app data may be kept for 'research' after crisis ends, MPs told

Britons will not be able to ask NHS admins to delete their COVID-19 contact-tracking data from government servers, digital arm NHSX's chief exec Matthew Gould admitted to MPs this afternoon. Gould also told Parliament's Human Rights Committee that data harvested from Britons through NHSX's COVID-19 contact tracing app would be …

  1. Cynical Observer

    Dreaming up barriers to adoption...

    It's almost as if they want the uptake with the contact tracing app to fall short of the 60% needed for efficacy.

    Almost as if they are baking in a reason for failure from the beginning.

    Making choices and announcements that work against adoption of the solution....

    1. Yet Another Anonymous coward Silver badge

      Re: Dreaming up barriers to adoption...

      Even better, when they do have a vaccine and all the anti-vaxxers and 5G-causes-BillGates flat-earthers can point to the "totally secure and anonymous" compulsory NHS app and say - see, don't trust the government about covid.

      1. Matthew Taylor

        Re: Dreaming up barriers to adoption...

        Nice bit of sleight of hand there equating suspicion of Bill Gates' motives with thinking the earth is flat.

    2. MrMerrymaker

      Re: Dreaming up barriers to adoption...

      Nah, that would be too competent.

      Never ascribe competence when stupidity will do

      1. Yet Another Anonymous coward Silver badge

        Re: Dreaming up barriers to adoption...

        >Never ascribe competence when stupidity will do

        Trouble is that with a Tory government like this one - malice and stupidity are difficult to separate

        1. Anonymous Coward

          Re: Dreaming up barriers to adoption...

          "Trouble is that with a Tory government like this one"

          Well at least they managed to get elected which surely shows some form of organisation. What would a shower who can't even manage that do?

          1. Yet Another Anonymous coward Silver badge

            Re: Dreaming up barriers to adoption...

            Yep labour should have done a deal with the NF/BNP to run a 'kick out the immigrants' candidate in all safe tory seats and split the vote

          2. heyrick Silver badge

            Re: Dreaming up barriers to adoption...

            "Well at least they managed to get elected"

            Same reason Trump got elected. It's not that they're competent, it's just because the opposition was worse.

        2. HMcG

          Re: Dreaming up barriers to adoption...

          It's not an XOR thing.

        3. LucreLout

          Re: Dreaming up barriers to adoption...

          Trouble is that with a Tory government like this one - malice and stupidity are difficult to separate

          The other choice was literally the worst government possible. Not just the worst choice on the ballot paper, but the single worst government imaginable. Corbynism. Sickening. Labour supporters should be ashamed of their small minded, economically illiterate, antidemocratic, racist little party.

          1. eamonn_gaffey

            Re: Dreaming up barriers to adoption...

            Well, as it turns out we are getting Corbynism by stealth ...and that from the most right wing Tory gov. in my life time - what irony !! Universal Basic Income here we come :-)

            1. Frank Fisher

              Re: Dreaming up barriers to adoption...

              I can't imagine why you think this is a right wing government.

              1. deive

                Re: Dreaming up barriers to adoption...

                One thing they certainly aren't is conservative. What would you describe them as?

                1. Dacarlo

                  Re: Dreaming up barriers to adoption...

                  Trumpist lite.

        4. Matthew Taylor

          Re: Dreaming up barriers to adoption...

          Yeah! Down with Thatcher!

        5. Anonymous Coward
          Anonymous Coward

          Re: Dreaming up barriers to adoption...

          "Trouble is that with a Tory government like this one - malice and stupidity are difficult to separate"

          As those of us who have worked for 'The State', that's the underlying machinery run by and for our unelected bureaucrats not the elected parliamentary members, know only too well the malice aforethought runs deeply within the bureaucratic mind. So I have no doubt the mission creep element was designed in from the very beginning, 1984 was written as a warning but it's become a training manual, tracking the populace has long been the bureaucrats dream, getting the populace to sign up and install such an app voluntarily would be a bureaucrats wet dream...

          As a NCSC computer security research specialist who works as a consultant to GCHQ I know put it "I'll install it on a burner phone, no way on my personal phone, as it's more than likely to have multiple backdoors knowing who wrote it". That's good enough for me.

      2. This post has been deleted by its author

    3. Persona

      Re: Dreaming up barriers to adoption...

      By falling short of the required 60% on the Isle of White the test will shown that "sadly" it needs to be compulsory so we can be hit with "use the app, protect the NHS and save lives". Next comes police powers to fine anyone found outside without the app installed and running. Not having a compatible phone with a charged battery will not be a reasonable excuse. Before you can blink the UK will have rolled out compulsory ID cards that can be inspected remotely.

      1. TallPaul

        Re: Dreaming up barriers to adoption...

        Given the age demographic on the IoW I suspect they couldn't hit 60% even if everyone with a smartphone installed it.

        1. Neiljohnuk

          Re: Dreaming up barriers to adoption...

          Ah yes knowing the corkheads, and I do know quite a few having worked on the island, it's unsurprising.

  2. IGotOut Silver badge

    Well that's great confidence from GCHQ

    'folk have put the hours in to ensure it's reasonably secure."

    Not totally secure, not even very secure, just reasonably secure.

    I.e. so long a no one has a determined effort, it's probably ok.

    1. Ryan 7

      Re: Well that's great confidence from GCHQ

      Anybody who tells you that any security is better than 'reasonable' is stupid and/or lying.

      1. Persona

        Re: Well that's great confidence from GCHQ


        Elon Musks Tesla roadster was launched into space on a Falcon Heavy rocket a bit over 2 years ago. As I write this comment it is 154,417,658 miles away out beyond the orbit of Mars. I would class that as "very" secure, at least from theft.

        1. Sir Runcible Spoon

          Re: Well that's great confidence from GCHQ

          Can you steal something that someone literally threw away?

          Also, very secure from theft *from Earthlings*. AMFM has plans for a free Tesla apparently.

    2. Trollslayer

      Re: Well that's great confidence from GCHQ

      Reasonable by THEIR standard.

      1. imanidiot Silver badge

        Re: Well that's great confidence from GCHQ

        They gave the keys to that nice bloke Tony at the country club and asked him to be "discrete" about it?

    3. The Average Joe Bloggs

      Re: Well that's great confidence from GCHQ

      leaving my door unlocked overnight is reasonably secure, people assume its locked and 99.99% of the time no one is going to randomly try it.

      I still prefer to lock the door though...

    4. LucreLout

      Re: Well that's great confidence from GCHQ

      Not totally secure, not even very secure, just reasonably secure.

      It's NHS IT. What are you really expecting?

      They've learned nothing since getting wrecked by malware last time - I still see lots of XP machines which are routinely left logged in, with their 2FA cards present in the reader, and open to whatever abuse anyone seeks to inflict.

      Nobody ever loses their career over the breaches because like the rest of the public sector, there's no sanction for poor performance and nothing the public can do when other parts of the public sector (The ICO for example) go soft on them.

      Lessons may be learned, but not until after heads have rolled. And they never do.

      1. EnviableOne

        Re: Well that's great confidence from GCHQ

        not NHS IT, this is App Upcock's little un needed and un wanted digital quango "NHS X", what the X satnds for nobody knows.

        the ICO havent signed it off, NHS Digital (the real NHS IT) won't approve it for their app store, not sure i'd approve it for install on our devices, seems not to be secure by design and default.

      2. Anonymous Coward
        Anonymous Coward

        Re: Well that's great confidence from GCHQ

        I have now been working in the public sector for about five years. There is more concern about data breaches than anywhere I ever worked in the private sector. Big organisations grow tolerance for incompetant people. The worst are the outsourced companies. They are immune (unles it hits the bottom line) owing to the religious right - not the ones who below in God but the ones who believe public sector bad, private sector good.

        I guess you are an NHS IT consultant and immune to any chaos you create. Of which I have seen far too much when delaing with the NHS.

      3. NeilPost

        Re: Well that's great confidence from GCHQ

        Even when the ICO have hone in with their **** kicking boots on -British Airway’s and Marriot - they will now get a GDPR free pass due to CV19 belly-aching and appeal to Government leniency.

    5. Matthew Taylor

      Re: Well that's great confidence from GCHQ

      Their usual method of security in such projects seems to consist of deploying machines so slow that they take 20 minutes to open up an application. So even if the terrorists do try to steal your data, they'll only get a few bytes of it before the server crashes from the overload. Phew!

  3. FordPrefect

    No chance

    Not a snowballs chance in hell I'm installing this government sanctioned spyware. I dont trust central government databases just look at the misuse of the police PNC. Look at the misuse of personal data from projects connected to vote leave and Cummings and I believe him and his cohorts have some fingers in this pie as well. You can only trust the security of your data if you trust the people that have access to it. I dont therefore I wont be going anywhere near this.

    1. JakeMS
      Thumb Up

      Re: No chance

      Yup, I'm still not installing this by choice - and there's nothing they can do to change my mind.

      I would still rather die by COVID-19 than install. Absolutely nothing will change my mind on that.

      - Although, I did get a COVID-19 test on Wednesday - My results were "un clear" apparently, that means "I don't know" and come back in 7 days for another test (I called 111 to verify). Yup, that test was helpful.. thanks guv!

      1. Intractable Potsherd

        Re: No chance

        @JakeMS: same here, and if they make it compulsory then I'll stop using smartphones and/or find a way to poison the data. However, there are others making an argument for "... an ethical obligation to use a tracing app during the COVID-19 pandemic, even in the face of privacy concerns"[my emphasis] -

        1. JakeMS
          Thumb Up

          Re: No chance

          Yup, pretty much my thoughts. I'm sorry but I just can't find it within myself to trust an app which collects data from my phone, sends it off to a central db.

          Those of us who stand out and say no to installing the app, will be viewed as risking lives or being selfish.

          The argument being you need to think of others.

          But I am thinking of others. Except my thinking is long term rather than short term. In fact I would probably consider installing this app if it wasn't storing data on some DB owned by GCHQ. If it was done using the Google API, perhaps I would install it.

          But therein lies the problem, this app is not built for the sole purpose of saving lives. It's built to collect as much data as possible and store it on a central DB, if it was built solely for saving lives, then it would use the APIs.

          That's a huge chunk of your privacy and freedoms you are giving away. Once you've given up your freedom and privacy, you can never take it back (without war anyway).

          You only have to look at what the world has done to privacy within the last 40 years to see the consequences of simply saying "Sure, I'll give up that privacy, for a short term to save X". Every single time, the privacy never returns.

          There are methods the government has taken in this pandemic which I do agree with, but this one will never be so.

          People can say I'm endangering lives by not installing this, you can even say I'm being selfish.

          But for me, it's about preserving what freedom we, as a nation have left. And attempting to make it so that the generations which follow won't be buying devices with contact tracing apps as standard to protect the public from <insert anything here, crime, diseases etc>.

          This is a test, a test to see how much privacy you will voluntarily give up. If you allow it once, they will know they can do it whenever they want.

          If enough people refuse to install it, then the test fails.

          If enough people install it, they can make it mandatory and do it again.

          But that's my view anyway, and my decision.

          1. Anonymous Coward
            Anonymous Coward

            Re: No chance

            I am saving lives - wearing mask and gloves, saying at home and keeping away from other people!

            1. eionmac

              Re: No chance

              Staying Home. No mask, but wearing scarf and gloves on shopping "expeditions". Expeditions due to long wait in a queue.

    2. Dan 55 Silver badge
      Big Brother

      Re: No chance

      If I may be permitted to spam a post from another El Reg article earlier today which shows how any semblance of data protection in law has been thrown out the window:


      Vote Leave AI firm wins seven government contracts in 18 months

      Conservative party members sent tests

      So in these two stories, we have:

      - No data separation between the NHS and Tory party membership lists (sign up for the Tory party if you want a test, if you are in the Tory party you are apparently a key worker).

      - No data separation between the government and Faculty, the Vote Leave data mining firm.

      - No data separation between the previous things and Palantir.

      But, please do install the NHS-government-Faculty-Palantir app.

      Icon looks a bit like Cummings with a moustache.

      1. Phage

        Re: No chance

        Second link doesn't work ? Same as the first ?

        1. Dan 55 Silver badge

          Re: No chance

          Oops, sorry, here's the proper link:

          Conservative party members sent tests

          1. Ken Hagan Gold badge

            Re: No chance

            That letter does not say what you allege it says.

            1. Dan 55 Silver badge

              Re: No chance

              It seems to give first preference to Tory party members as the they're the ones receiving the emails. What happens if you're a member of another party or not a party member? You're not going to get a message from Matt Cockup.

              1. Cereberus

                Re: No chance

                Disclaimer: I am a key worker but not a Tory. I am eligible for testing at any time but have not received an email from the Tories telling me this.

                What you have described is typical distortion of the facts for political ends, I would even go as far as it being a good example of Trumpism. From what I can see it is a notification sent out by a political party to it's registered members to inform them that testing availability has been expanded and that they may now qualify.

                It is the same message the government has been reporting through daily briefings, and hence through other source such as the news and news papers.

                There is nothing stopping other political parties, or other interest groups for that matter, doing the same.

                There is no preferential treatment offered or suggested, just information which is very much in the public domain being sent directly to people who have registered to receive information from a particular interest group.

                Alternatively people would complain they received an email like this without having given express permission to be contacted - and how did the government get my email address anyway..........

                Things could be better, they could be worse but comments like yours only come down on one side of the balance.

                1. Dan 55 Silver badge

                  Re: No chance

                  Let's cut to the chase:

                  What is a government department doing sending a mailshot to just one party's members? What do you think that means for data protection? What does that mean for people who aren't paid up members of the ruling party?

                  Would you agree if, say, the US government only informed Republican party members they can get testing?

                  It stinks and you know it does.

                  1. Cereberus

                    Re: No chance

                    What is a government department doing sending a mailshot to just one party's members?

                    Except if you bother to read it, it wasn't sent by a government department. It was sent by Matt Hancock as a member of the Conservative Party, specifically from not H.M. Government

                    Arguably it shouldn't have been sent with the name of a government officials name attached to it, but it doesn't change the fact it was sent by the Tories to their party members not from the government to Tory party members. It could be said his name was used as the person defining the policy on testing - personally I still don't think it should be sent in his name but perhaps cut to the chase and comment on how the Tories should have sent it just from a generic email account.

      2. steviebuk Silver badge

        Re: No chance

        I saw that first article the other day. There will no doubt be something similar in next issue of Private Eye I bet.

      3. LucreLout

        Re: No chance

        sign up for the Tory party if you want a test, if you are in the Tory party you are apparently a key worker

        Tinfoil hatted nonsense and you should be ashamed of yourself. You won't be, of course, because your sort never are.

    3. Anonymous Coward
      Anonymous Coward

      Re: No chance

      I wouldn't install it either, but not just for the reasons you mention. This app is relying on the user being honest or accurate about their symptoms. What's to stop some idiot pressing the "I got Covid" button "for a laugh"? Or if I wasn't feeling well - how do I know if I have Covid or not and generate false positive?

    4. hoola Silver badge

      Re: No chance

      Don't forget that the NHS already has a deal with Google on "Research" data. Whether the Apple/Google solution is genuinely better privacy is difficult to know. The data has to be uploaded at some point so that tracing can take place.

      This will be sold on due to it's value in then combining with other datasets. Before you know it will no longer be anonymous. Can anyone clarify what "pseudo- anonymised" is. Pseudo usually means it is trying to be something it isn't, one assume in this case, anonymised.

  4. LeahroyNake

    It can go

    On my work phone, if I leave the house I will turn on Bluetooth, need it for the car. No way this is touching my personal devices though.

    The biggest problem I see with this app is that younger school children are sensibly not allowed phones in school. My youngsters are all up for wearing PPE but they are still the highest risk of catching it when they go back to school. My partner has been working from home since it hit Spain and I followed a week later. No real reason for either of us to go back to an office environment apart from me visiting customer sites for hardware issues.

    1. vilemeister

      Re: It can go

      Schools usually have methods that have been around for centuries of determining who came into contact with who - its called a register.

      As long as they seperate people in the playground/on breaks etc that should be much better than some app that was cobbled together in a few weeks. And it can't be hacked.

      1. Anon

        Re: It can go

        "who came into contact with who" - and then they go and have siblings in other classes.

        1. $till$kint

          Re: It can go

          When this outbreak was but a babe in arms, a chap stopping off for a skiing holiday in the French Alps happened to bring an unexpected gift back with him from Singapore.

          He was staying with an ex-pat family, their children being pupils at the local school. One 9-year-old member of the British family was infected.

          The response of the French authorities in closing schools and isolating families was swift. It took them 2 months to complete their review of the efficacy of this. In a small and tight-knit community at the top of a closed valley (I'm a frequent visitor to the village and in regular contact with a number of the locals and they *really* took the isolation thing seriously).

          End result, no other children were infected, despite the 9-year-old having attended both the village school and two trips out to other schools in the next town down the mountain.

          Further studies suggest children aren't passing it on, which is..... hard to fathom.

          1. Anon

            Re: It can go


            (I'm a frequent visitor to the village and in regular contact with a number of the locals and they *really* took the isolation thing seriously)

            is not the same as

            (they *really* took the isolation thing seriously)


    2. NeilPost

      Re: It can go

      “My youngsters are all up for wearing PPE but they are still the highest risk of catching it when they go back to school.”

      “The highest risk of catching it”. seriously. Any compelling evidence for this?? ... bearing in mind youngsters suffer the least and will also be the least tested age demographic.

  5. Adair Silver badge

    The app may be well done...

    Here's hoping. It's what happens to the data afterwards, especially after the crisis is over, that matters.

    Will the app be 'repurposed'? Will the data be repurposed?

    To be honest, at this stage I expect the people involved are doing their best, with goodwill. But, history tells us that the govt. and its various agencies will struggle to resist temptation to dip in and find 'necessary' reasons why they should have access, and ongoing access.

    Arrogance and paternalism have a long history in UK govt., and there's little evidence that those habits have died.

    1. Doctor Syntax Silver badge

      Re: The app may be well done...

      I think your expectations are more generous than most here.

  6. mrtickleuk

    Thankyou, Reg, for your continued reporting on this.

  7. TRT Silver badge

    Hm. An incomplete description

    I mean you upload all the blobs to central servers but THEN what happens? No description of the important bit. They what? Decode the installation ids then send a push notification? Or do they send a daily amber and red list of blob signatures that my device might have seen and then the local blobs I have stored are compared to that list?

    So until a FULL description of how it works is published they can go whistle.

    1. batfink

      Re: Hm. An incomplete description

      Agreed. How do they decode that blob into my phone number to send me a notification?

      And of course the ownership details of that number will only ever be kept by my telco and not revealed to anyone - oh hang on...

      1. TRT Silver badge

        Re: Hm. An incomplete description

        Do you actually NEED to decode the phone number to send the notification? I mean, I've not really looked into Push Notifications in anger yet, no need with my work, but surely it just requires some form of unique ID for that device and a hook into the Apple notifications system. Presumably Apple keep some sort of centralised register of "keys" that enables a push notification to be sent to a device. Notifications housed to work on iPod touch, for example, and there's no phone circuitry in one of those - it must be hooked through the iOS somehow.

  8. Anonymous Coward
    Anonymous Coward

    "please install the app, and use it"

    or else we're gonna make you do it. But we'd rather pretend you have a choice, hence this farce.

    1. JakeMS

      Re: "please install the app, and use it"

      Oh damn! Would you look at that, my phone keeps powering off!

      1. bombastic bob Silver badge

        Re: "please install the app, and use it"

        and the battery keeps falling out

    2. Fred Dibnah
      Thumb Down

      Re: "please install the app, and use it"

      It gets worse. Hancock on BBC breakfast this morning: “If you download the app you are doing your duty and you’re helping save lives" (My italics)

      1. Anonymous Coward
        Anonymous Coward

        Re: "please install the app, and use it"

        yeah, I saw that on the beeb today, and yes, it's ramping up the message from "please" to "do your bit". Next stage, presumably, if not enough people install this, we'll start hearing veiled threats that "if not enough people install this life-saving app, a 2nd wave looks much more likely". Hell, there might even come a stage, when installing this app is "advised" by the government, and we've already had people fined for not following government "advice".

        1. Anonymous Coward
          Anonymous Coward

          Re: "please install the app, and use it"

          The Australian PM said something similar this week about if people wanted the lockdown to end then they had to install the app. Expect something to come from our government soon in all ways from soothing to patriotic to threatening. They'll probably try linking it to VE Day for maximum scumminess.

          The utter farce of this is that any tracing app is only as good as the testing regime behind it which can give the all-clear. And let's not forget, the UK still hasn't met Hancock's self-imposed testing target in a sustained manner.

  9. Anonymous Coward
    Anonymous Coward

    data may be kept for 'research' after crisis ends

    Dear Gods, they just can't stop themselves, can they. A bunch of inbred data-fetishists.

    1. bombastic bob Silver badge
      Black Helicopters

      Re: data may be kept for 'research' after crisis ends

      "A bunch of inbred data CONTROL-fetishists."

      Fixed it for ya. but they need the data to get to the "control" part.

      (1984 is a typo)

      There's something _really_ disturbing about using your MEDICAL records for this sort of thing...

      icon, because, black helicopters

  10. Matt_payne666

    Can be sold for 'research' market research?

    Pseudo anonymised?

    No right to delete?

    Reasonably secure?

    The value of movement data for 60-80% of the population? Someone will be making money there!

    I had reservations, now I'm pretty sure I'm not installing, but other than the paranoid and reg-readers (I wonder how big the Venn diagram overlap is on these two demographics?!)

    I can see pretty much Everyone else will be installing it...

    1. Anonymous Coward
      Anonymous Coward

      The database's value for market research is going to be deeply compromised because of the incredible times we are in. All manner of commercial interactions have been disrupted by stay-at-home orders, general fear about getting or spreading infection and the hesitance of others to want to interact with you. I know that I personally am going to a very different mix of stores/restaurants/businesses over the last couple months than would normally be the case.

      If you had this contact-tracing data for the last couple years, or even better for the couple years AFTER coronavirus is cleared up, then it would be economic gold.

      1. Richard Crossley


        Who's to say this app won't be updated to send this information when ever it wants to?

      2. Chris G

        @ Marketing Hack

        Expect to start seeing suggestions for why it may be a good thing to continue using the app after the current pandemic, 'We have your best health interest at heart' etc.

        The Ministry of Love is alive and well.

      3. Peter2 Silver badge

        Yes, it's going to be compromised to some degree for some purposes.

        However, a list of who has what devices, where they live, who they live with and how often they come into contact with their partner and where they shop does have some obvious value.

    2. Jimmy2Cows Silver badge

      Seems like a serious GDPR breach before it's even released. Except it's the government and GDPR gets in the way, so they'll just bypass all that by saying it's "lawful purposes". But they still need to ensure it's secure and protected.

      Be interesting to see if that can be challenged.

  11. Anonymous Coward
    Anonymous Coward

    No. Please refactor the app to not send my data to a central server, and thence to be sold to Google/Palantir/Facebook/Cambridge Analytica/the AI and defense industry contractor de jour.

    1. Len

      They don’t have to sell it to anyone, they already have it.

      It may say “NHS” on the tin but the people behind this app are Ben and Marc Warner. Dominic Cummings had worked with them during the Vote Leave campaign (you know, the Cambridge Analytica / AggregateIQ / SCL Group scandal that was found to have broken multiple laws and led to a long police investigation) and so when there were millions of taxpayers money to throw around for some massive data gathering app, Cummings decided it was best to give it to them.

      The police will never find out. And if they do, it will be too late and your data is in the hands of shady groups.

      1. John Sager

        Ah. The URL says it all. Very low credibility in that department.

        1. Anonymous Coward
          Anonymous Coward

          That's a nice Ad Hominem but which of the points she raises do you dispute?

          That these brothers are behind the app?

          That these people where behind the illegal Cambridge Analytica work?

          That they were given this task and the sack of money without any normal procurement process?

          That the people behind this app are personal connections of Dominic Cummings?

      2. Anonymous Coward
        Anonymous Coward

        >It may say “NHS” on the tin but the people behind this app are Ben and Marc Warner.

        At least one of whom was reputed to be at the SAGE meetings at the start of March with Dominic Cummings, despite neither being medical or biological scientists.

        1. EnviableOne

          but they consider themselves data Scienists

          even though the rest of us consider them less than useless

      3. Anonymous Coward
        Anonymous Coward

        The same Dominic Cummings promoting "Babble on" via Hancock' half hour.

  12. Anonymous Coward
    Big Brother

    Well, if the GCHQ approves, then I am all for this app!!

    It's not as if the GCHQ has a history of screwing over the people (British and otherwise) through various Orwellian machinations. Or that they are completely unaccountable to British citizen, barely accountable to the average MP, or that the courts have given them free pass after free pass from various privacy protection, civil liberties and government accountability lawsuits. And of course the GCHQ would NEVER DREAM of getting a copy of this NHS "pseudonymized" database for the GCHQ's own deeply patriotic and essential purposes.

    And there are all the other government arms that will be looking for a way to grab this data. I'm sure there is no risk down the line that people will be hauled in for questioning because the former NHS database is now in the hands of other agencies, and the local authorities want to know why you were in close contact for 8 minutes with someone who has an ASBO/eleven past-due library books/seventeen outstanding parking tickets, and what did you discuss with this public enemy, who is your ringleader and when and where is the next attack?

  13. Henry Wertz 1 Gold badge

    Good reason not to use it

    Good reason not to use it. Would I use a COVID-19 app? Yes, iff (if and only if) it a) Uses bluetooth beacons not the privacy-ignoring tracking the persons GPS all over the place. AND if and only if b) There's a definite statement that the data will be used ONLY for this purpose, then deleted. I will not have my private contact data analyzed and reanalyzed by whoever until the end of time.

    1. Drew Scriver

      Re: Good reason not to use it

      "There's a definite statement that the data will be used ONLY for this purpose, then deleted."

      I'm laughing so hard it hurts!

  14. John 82

    Corrona App - Whats the rest of the story ?

    Several questions that don't seem to have been covered.

    Bluetooth can have a theoretical range of several tens of meters. V5 up to 1 Km

    How close is close for the app to make a connection ?

    Is it anonymous ? If not, what will 18,000 contact tracers do with their time ?

    What happens if my phone tells me I've been in contact with someone who has reported symptoms ?

    Does it automatically tell me to isolate ?

    For example, I live next door to an NHS worker who may well catch the virus. If I've been sitting in my garden, 10 meters away from them over a sunny afternoon, the other side of a 3m fence, will the Track & Trace brigade tell me to isolate ? Will I get notified of when the 'contact' took place so I can safely disregard it ?

    Politicians have a touching belief in technology which unfortunately I don't share.

    1. Mike 137 Silver badge

      Re: Corrona App - Whats the rest of the story ?

      "Politicians have a touching belief in technology which unfortunately I don't share"

      I would say you're very fortunate not to share that belief. You have a better chance of staying secure than most government agencies.

    2. Peter2 Silver badge

      Re: Corrona App - Whats the rest of the story ?

      Or, you live in an old victorian house, sitting straight onto the front of a road. A car goes past with somebody infected in while I am sitting in the living room. That driver could technically have been within 2 metres. The intervening space contains the structure of the car, a large concrete planter (aka anti collision bollard) and a brick wall/window.

      Now, technically if the phones are in the right places with two pieces of glass between us then bluetooth could register that we have been in close proximity. But with the infected person in a car and wall/window between us i'd feel fairly safe. What would bluetooth think?

      Or I drive past a stopped bus with somebody infected onboard on the road side of the bus. You have potentially been one meter away from somebody infected. But with two sealed vehicles and a gap between them, what's the risk?

      I'd say though that it's more than politicians. I think it's people generally "the computer is always right" and people really don't understand GIGO.

    3. Anonymous Coward
      Anonymous Coward

      Re: Corrona App - Whats the rest of the story ?

      As for rangefinding, it looks sketchy. Bluetooth low energy has no feature for measuring distance leaving measuring signal strength aka RSSI as a crude proxy for that. Probably all are passing transmit power to improve the calculation, many will be using some form of per-type calibration but possibly not a complete tx/rx model, few appear to be using heuristics to try to determine if they are inside/outside buildings or inside bags/pockets which are critical factors. I doubt any are looking at channel numbers (frequencies) to see if there's scope for improving the accuracy there.

      An independent review of the results from one of the large scale controlled trials would be very interesting to see how accurate the proximity data is. Unfortunately, I doubt we will be allowed to see that.

      1. EnviableOne

        Re: Corrona App - Whats the rest of the story ?

        they are sending the TSSI in the contact packet, and recording the RSSI on the recieve end.

        if you know what the sending and reciving devices are, with both of those you can work out the distance.

        its not exact science, environmental variables, but its better than trying to work out Time of flight.

        theres a lot of work gone on into the idea recently, and signal loss is a pretty reliable measure of distance.

        1. Anonymous Coward
          Anonymous Coward

          Re: Corrona App - Whats the rest of the story ?

          >> and signal loss is a pretty reliable measure of distance.

          You clearly are drinking some kool aid on Rssi and have never used it. it most certainly in the 2.4G ism band is utterly terrible at accuracy.

          Read up on channel models and fading. Think of you speaking facing the person and putting your hand over your mouth and determining distance for those two sounds. That same low volume can come from the same position and from far away.

          Also The centralised approach is by design.. to get low uptake stats and then use it to assume further powers.

          After all the government chose the “experts” here. if you ask a data mining firm wtf else are they going to say? It’s like consulting the drug cartel to design border security.

  15. Anonymous Coward
    Anonymous Coward

    So, if you're the government and already have everyone's census data, plus access to cell site triangulation data with timestamp , and now a whole set of someone's (perpetual blob, timestamp) pairs this is then trial to unpick to identify every one, and everyone they know.

    Let's wait for someone to unpick what they've actually done rather than trusting the PR....

    1. EnviableOne

      unfortunaley, the RIPA allows sharing of this data with the Maritime Management Organisation, but not the DHSC or NHS

  16. Anonymous Coward
    Anonymous Coward

    Maybe only turn it on when you’re in a supermarket, or similar?

    Not when you’re at home or just walking on a quiet street?

  17. Gadbous

    I just turned off my phone.....

    1. Anonymous Coward
      Anonymous Coward

      Makes no difference what you do with your phone - unless you take out the battery which, of course, various manufacturers have stopped you from doing (can't imagine why!).

      Spooks have been able to access the hardware for donkeys years even when 'switched off'.

      1. Teiwaz

        Spooks have been able to access the hardware for donkeys years even when 'switched off'.

        At least while the battery still has charge....

        Even if there's a secret extra battery just for the spook snooping (which I doubt), that'll run dry eventually without recharge too.

        I've only a feature* phone from 2011 or so, the battery last a good long time, but it does run out after a week and a bit on standby.

        * Not really much of the 'feature' left that still works though.

  18. Dave Pickles

    Like SETI?

    So as I understand it, nothing leaves the phone until you decide to 'out' yourself and declare yourself infected. As with the search for extra-terrestrials, the rational decision is to listen but not to transmit.

    1. Homeboy

      Re: Like SETI?

      "nothing leaves the phone until you decide to 'out' yourself"

      Of course you only have their word fof this.

  19. Stratman

    Anyone want to buy a Windows phone?

    As per title. The Windows phone store went to its grave some time ago, not that they'd make a version for WP anyway.

    Blackberry too?

    1. BrownishMonstr

      Re: Anyone want to buy a Windows phone?

      I sincerely hope the NHSX app traces contacts via Infrared, I would definitely use the app if it did, but I doubt I would be able to get a infrared phone with no Bluetooth.

      Infrared, when sharing with your friends took tens of minutes, if at all.

      1. Fred Dibnah

        Re: Anyone want to buy a Windows phone?

        I want the app to share data using cassettes. I hope they are writing a version for the BBC Micro.

    2. Anonymous Coward
      Anonymous Coward

      Re: Anyone want to buy a Windows phone?

      Should the app become mandatory it will be easy to create a fake version good enough to fool the average Polis. I doubt it will take me more than a day.

      All I need are some half decent screenshots...

    3. WereWoof

      Re: Anyone want to buy a Windows phone?

      So glad I have a Windows phone, as you say I very much doubt there will be a version of this spyware for it.

      1. Intractable Potsherd

        Re: Anyone want to buy a Windows phone?

        And, as I've previously mentioned, I doubt there will be a SailfishOS version, so Jolla and Experia users will have an out.

  20. Mike Shepherd

    Next step

    The next step is to announce that "in the public interest", Google and Apple have agreed to install the app automatically, without an option to refuse.

    1. Doctor Syntax Silver badge

      Re: Next step

      Probably not. They have their own solution to push that positions themselves as the good guys. I can't see them wanting to condone what they've already condemned.

  21. Drew Scriver
    Big Brother

    Gov't not deleting the data.




    Here's what's next: keeping the app 'just in case'. After all, wouldn't it have been much better if everyone had been tracked already back in January? December? Forever?

    1. EnviableOne

      Re: Gov't not deleting the data.

      Tracking in January wouldnt have helped,

      In order for track and trace to work, you need to have Mass testing to work out who has it.

      Testing capacity is still nowhere near what it needs to be and the positive rate (positives/tests) is consequently still high, as the people being tested are more likley to have it.

      the improvements seen with yesterdays figures, only hide the fact that they counted tests that didnt have results yet

      1. Drew Scriver

        Re: Gov't not deleting the data.

        "Tracking in January wouldnt have helped,"

        France just announced they retrospectively diagnosed a man and concluded that he had COVID-19 back in December.

        Also, with the extended incubation time there would be value in knowing people's whereabouts in the past. Secondly, with asymptomatic patients this value increases.

        Having said that, I am not sure the price (full and total tracking of every individual, including whom they meet, where, and for how long) isn't too high for the benefit. In many countries people have risen up (and lost their lives) to shake government oppression like that.

        Don't forget that criminal behavior is defined by whomever is in power. History is rife with examples where a change of power suddenly redefined what is acceptable and this continues to happen.

  22. Drew Scriver

    You have virus?

    Is that an actual screen capture?

    "Your symptoms indicate you may have coronavirus"

    Me thinks that would be grammatically incorrect. But then again, what do I know? English is my second language, after all, and my grades back in high school made my teachers want to quit.

  23. Anonymous Coward
    Anonymous Coward

    I'll only install it ..

    .. as soon as Ross Anderson confirms it's kosher. He's impartial and BS free enough to trust.

    My apologies to Ian Levy, but he should appreciate an independent evaluation if he's really committed to security and privacy. That said, his write-up is clear and structured enough to give me at least the confidence someone has actually put a decent amount of effort in - it's been a while that I've seen something done in a hurry documented so well.

  24. Anonymous Coward
    Big Brother

    What is this fascination that people have with carrying a tracking device with them at all times?

    If I don't feel like talking to people, I turn my mobile phone off. I rarely take it with me when I leave the house. I don't see that changing. Nothing is so important that people can't leave a message or call back later.

    As if people in the UK don't have enough information collected about them already. Now they want to add everyone you even came within a few metres of you to that vast trove of circumstantial evidence and people willingly agree to provide it? Madness.

    1. Jamie Jones Silver badge
      Thumb Up

      I'm exactly the same. Mine is usually left in the house.

      It seems very few people know that phones have "missed call" notifications, and a thing that in my day was called an "answerphone"!

      1. Teiwaz

        It seems very few people know that phones have "missed call" notifications, and a thing that in my day was called an "answerphone"!

        People have forgotten the old adage, "Good news will wait, bad new will refuse to wait" in favour of

        "I want the latest gossip, now!".

  25. marlarkey


    They describe the uploading part...

    Where is the description of how the people to be alerted will be identified to be alerted... ????

    And what happened to the promise to publish the design and the source code ???

  26. Anonymous Coward
    Anonymous Coward

    Reverse engineer the Bluetooth LE data stream

    Anyone interested in working together to reverse engineer the Bluetooth LE data stream to see what this app is really doing?

    1. Richard 12 Silver badge

      Re: Reverse engineer the Bluetooth LE data stream

      The Bluetooth side is probably fairly harmless.

      The problem is the mesh of triangulation data locating every single smartphone in a conurbation within a few metres and seconds.

      Just imagine if Priti Patel thought she knew that.

  27. Anonymous Coward
    Anonymous Coward

    FOI for the code

    I am unsure on the details but is this technically being funded by taxpayers - or is NHSx a private (in some crafty way) offshoot of the NHS?

    I won't be installing this under any circumstances, unless I can build the source code by myself. I wonder if a freedom of information request could get the code out to those who don't want a closed source wiretap on their device.

    1. Pink Duck

      Re: FOI for the code

      No need, "We intend to open source our codebase once the first release is finalised", presuming they ever reach the first release :)

  28. EH

    Incredibly counter-productive decision

    What do they think people will assume, when they learn that this untrustworthy government have turned their backs on the decentralised model? This app is dead in the water. So, so foolish.

    1. MRS1

      Re: Incredibly counter-productive decision

      I very much hope that you are correct but most people (i.e. the millions who don't read websites like this one) just don't care.

  29. Mike Brown

    Apple and Google wont allow this on their platforms?

    Surely this breaks all sort of polices from both Apple and Google. How will the Government compel them to allow this on their closed eco systems? They can even compel them to follow the law and pay tax

    1. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble?

      Re: Apple and Google wont allow this on their platforms?

      Surely this breaks all sort of polices from both Apple and Google. How will the Government compel them to allow this on their closed eco systems? They can even compel them to follow the law and pay tax

      They certainly seem to be going out of their way to make Huawei's Google free experience seem ever more attractive

  30. Anonymous Coward
    Anonymous Coward


    ...ignoring for one moment, the hilarity that this app is a thinly veiled excuse for a tracking app by proxy (and again, ignoring IMSI/IMEI pair tracking via cell tower/signal strength *anyway* - given the as mentioned V5 BLE strength can be "a fair way")....

    How many 'concerned citizens' are just going to wait a bit, go for a few/walks/shopping trips with a 'spare phone' and then click "I've got symptoms" - cueing lockdown hilarity for all....?

    I mean, in terms of "user stories" and "what could possibly go wrong?" - what could possibly go wrong?

  31. Doctor Syntax Silver badge

    Let's say Joe Public has installed the app. It goes off telling him that he's been in contact with someone who has tested positive. What is he supposed to do? AIUI rather than go and get a test to check he's supposed to hole up for 14 stressful days waiting to see if he develops symptoms. A good proportion of those alerts are going to be false positives. How many of those will Joe tolerate before he gets thoroughly pissed off and deletes the app - assuming he's allowed to?

    Unless it's backed up by a quick and easy to access testing system with the capacity to handle the alerts* the whole system is going to be dead in the water in a few months' time.

    *And for positive results, access to prophylactic treatment if the drug trials come out with something that works.

    1. Tim Almond

      False Positives

      There's some fascinating stuff out there (and I can't remember the link) where people have looked into where there have been massive spreads and where there hasn't, and it doesn't appear as simple as being next to a person. Cinemas and concert halls didn't lead to much spreading, but funerals and weddings did.

      The writer seemed to speculate that things like physical contact, or talking to one another were much more likely to spread the germs. Also, what's the effect of indoor vs outdoor?

      I'm wary that there could be catastrophic effects of this app: everyone goes paranoid and locks themselves away for an almost imperceptibly small risk. Remember, all of this isn't supposed to be about 0%, it's supposed to be about managable levels.

      1. eionmac

        Re: False Positives

        but funerals and weddings did

        Hugs, much handshaking, kissing etc. Difference between an 'audience' and a funeral reception.

  32. Sarev

    Three things...

    Three things I'd require before I'd touch this with a bargepole:

    1. A clear EULA stating the data (blobs) belong to me (as the owner of the device upon which the data were generated) in perpetuity and a reasonable mechanism exists for me to exercise my right to be forgotten.

    2. Also clear in the EULA, a statement of intended use for the data (tracing potential transmission of COVID-19 while there is still an outbreak), and that the data will not be used, shared, sold for anything other than that intended use. All harvested data is automatically deleted once the outbreak is determined to have passed.

    3. The app is Open Source.

    1. alain williams Silver badge

      Re: Three things...

      EULA controls what the End User can do. You should be after something that controls what the government can do (with the data).

  33. Anonymous Coward
    Anonymous Coward

    UK+ USA's spiking again

    Look at the UK and USA Corona virus new cases, and notice that you're not controlling it. You've only flattened it, its not dropping.

    This is USA, go see the 'Daily New Cases', flat but not dropping:

    This is UK, same story, flat but not dropping:

    You've flattened the curve, but it should be going down, NOT JUST FLAT, like Italy:

    And Thailand:

    And Singapore and China, and New Zealand and South Korea and Australia and everywhere in the world that Murdoch's press don't undermine quarantine.

    Quarantine WORKS, you just have to do it, it's not hard, its so well understood that we even have a word for it, FFS!

    Over in the USA, Republicans are opening States with rising cases (Virginia, Florida, North Carolina etc.).

    In Ohio, meat processing plants are kept open with Covid infected workforces. If Corona Virus can last on surfaces for 18 days, then it can last on meat, and contaminated meat will be spreading Covid throughout kitchens in the USA, maybe beyond.

    They're doomed, its 2% death rate, and they have no health care, so its maybe 5% for them. Diamond Princess, 13/712 = 1.8%, New York antibody test puts it just about 1% but with 20,000 unexplained/unexpected pneumonia deaths, likely putting it back to 2%. They don't do enough testing in the USA to use their test results to estimate. Florida is cutting testing to make its numbers look better, fewer tests, mean fewer deaths attributed to Covid19, means Republicans can keep it going till election time.

    But that doesn't have to happen in the UK, just turn off the Murdoch press, turn off Fox News liars and do the quarantine.

    Ireland just next door:

    Cases dropping sharply. Be like them.

    1. Anonymous Coward
      Anonymous Coward

      Re: UK+ USA's spiking again

      You speak as if this is a bad thing.

      Think of it as species improvement - the USA seems intent on making covid endemic.

      The good news is that the effects will be more in the freedumb states.

      Q: What's a couple of hundred thousand dead Americans and Britons?

      A: A good start?

      1. Ken Hagan Gold badge

        Re: UK+ USA's spiking again

        Taking the OP's numbers at face value, 2% is 6 or 7 million in the US, not a few hundred thousand.

        1. EnviableOne

          Re: UK+ USA's spiking again

          probably enough to tip the scales and dump trump in 2020

    2. Jason 24

      Re: UK+ USA's spiking again

      We've also ramped up testing considerably, so we will find a lot more new cases, hopefully these will be the less serious cases, so our cases:deaths ratio will improve. Compare our testing with Thailand is completely out there 19k/1M pop, to 3K/1M pop.

      The population density is half ours too.

      We are also doing lockdown "lite", compared to Italy, so yes, our curve is going to take longer flatten.

      I've come to the conclusion that there's no point drawing any conclusions about any of this yet because;

      a) There are so many variables, I've highlighted a few above.

      b) This isn't over, so to say that X is wrong and Y is right before the whole thing is sorted seems very odd.

      It could be that complete lockdown was correct, and NZ never sees another case again.

      Or it could be herd immunity was right, and NZ has just pushed the cases down the line 6 months.

      If a vaccine emerges by January then excellent. But if it takes until January 2025?

      I do feel the Donald needs a special shout out though for his incoherent blabbering, that is a prime example of how now to behave on the world stage....

      1. Anonymous Coward
        Anonymous Coward

        UK is flat, not slow decline

        UK isn't just 'slow decline', its flat. It's not getting better. USA is the same.

        There is no such thing as 'lockdown lite'. There is only half-assed quarantine, where you leave SOME infection paths open. It doesn't matter if there are three paths to infect a person, it only takes one of those paths to be left open, to pass the infection along. Half assed quarantine is a failed quarantine.

        No national lockdown is a failed quarantine. Pretending that failed quarantine was the plan all along and calling it 'herd immunity strategy' is bollocks. The plan was quarantine and have the cases down in the low tens by end of May. That's being undermined by the Republican governors.

        If they'd simply done the quarantine, it would be done and over with like Thailand.

        @"The population density is half ours too"

        Hello remember Bangkok!? Population over area ignores the real world. Thailand has one of the densest mega cities on the planet.

        @"Or it could be herd immunity was right,"

        First you fail to act, then you pretend it was the plan all along.

        @"NZ never sees another case again"

        Oh they will, it will be contact traced and that cell isolated. Quarantine 101. Made possible because the number of cases is low. For Thailand they've set the limit at 30 per day before they'll impose hard lockdown again. If its below that they plan on contact tracing. If contact tracing reveals community spread they'll hard lockdown the district, the province, even the whole country if needed.

        In six months time, you pretend that somehow they won't simply quarantine again if there was a large outbreak, but that just false. They can break any outbreak with a hard lockdown and will.

        It is over for most of Asia/ Australasia and even Spain and Italy have dramatic drops. Pandemic response by scientists not Fox News pundits.

    3. Intractable Potsherd

      Re: UK+ USA's spiking again

      @AC OP - so much misinformation in one post!

      Diamond Princess - population unrepresentative of general population (lots of old people) and densely-packed environment. New York: generally unrepresentative population (lots of old people) and densely-packed environment, plus poor testing. In both situations, you are reporting the case fatality rate (number of people dead compared to number of people known to have the virus) not the population fatality rate (number of people dead compared to the entire population). The latter figure is much, much smaller - the former figure is used to justify extreme measures. If this was a virus that killed 2% of the entire population, even I'd be rethinking my attitude.

      Your comments about viral transmission by meat is just panic-mongering. There is absolutely NO evidence of this, regardless of what seems "obvious" to you.

      Lastly, this isn't a football match - the scores don't matter. I am seriously tired of obsessive, morbid people like you spouting deaths as if there is a league cup at stake. Quite simply, we don't know what the longer term effects are of any method. Later peaks may affect the currently low Ro countries much more than the others.

      1. Anonymous Coward
        Anonymous Coward

        Re: UK+ USA's spiking again

        >Lastly, this isn't a football match - the scores don't matter. I am seriously tired of obsessive, morbid people like you spouting deaths as if there is a league cup at stake. Quite simply, we don't know what the longer term effects are of any method. Later peaks may affect the currently low Ro countries much more than the others.

        We also at this time do not know for definite if recovery confers immunity (although reports from South Korea suggest it does), how long said immunity lasts, or if there are any long-term sequelae associated with recovery. Infecting a population without knowing those answers makes far too many assumptions for my liking.

        1. Intractable Potsherd

          Re: UK+ USA's spiking again

          That's my point - there are too many unknowns. What seems to be wrong now might turn out to gave been right later.

          1. Anonymous Coward
            Anonymous Coward

            Re: UK+ USA's spiking again

            @"What seems to be wrong now might turn out to gave been right later."

            Strategy 1, dead people 70,000.

            Strategy 2, dead people 54.

            Well whose to say which strategy works, its all too complicated, what if it happens again, then Strategy 2 would double, to erm, 108... the cure is um, worse than the disease, erm, herd immunity something something something. Dr Laura Ingraham said so.

            Covid19 is all a theory anyway, like evolution, which definitely doesn't exist, because if it did it would be really dumb to let a deadly infectious disease have a massive population surface to mutate over.

            So the science isn't set, this 'quarantine' thing is all new and untested and next up on Fox and Friends, we speak to a Grandma that wants to die to help the economy.

            I mock you, but let me put it in terms you an understand.

            The countries without Covid 19, will seal themselves off from the US and UK. That's mainland Europe, and all of Asia, China, etc. that 2/3rd of the worlds economy you're shut out from. Its bad for business.

            There I said it, do the lockdown because otherwise its bad for business. I know Republicans are reeling in horror, dead people are one thing, but a fall in profits. OMG! The horror.

            1. EnviableOne

              Re: UK+ USA's spiking again

              comparing raw numbers is wrong

              70k in the us is small 7 in the holy see is large

              the nyumbers that matter are test positive rate, R (not R0) and per population numbers, this is slightly better for comparison, but still, other factors come into play, and SARS-CoV-2 is new and we dont know the long term effects, immune response, or much about it yet

              They have narrowed down R0 between 1.4 and 3.9, with at 2.24, this is the base reproductive rate of the virus.

              Each state them puts in place its controls and restrictions that limit the infecable population available to the virus to determine R, so to decrease the spread of the virus, you are looking at needing at least 55% of the population unable to transmit, bringing your R to below 1.

      2. Anonymous Coward
        Anonymous Coward

        Re: UK+ USA's spiking again

        @"Diamond Princess - population unrepresentative of general population (lots of old people) and densely-packed environment."

        It was caught early, proper healthcare by the Japanese, and the ship was disembarked by age, oldest first. You don't have the luxury of disembarked cities in the USA. New York's State population is not somehow unrepresentative of the US demographic.

        @"If this was a virus that killed 2% of the entire population, even I'd be rethinking my attitude."

        By which time it would be too late.

        @"viral transmission by meat is just panic-mongering"

        Those meat packing plants are infected, so why are they open? You can assert the virus doesn't stay on meat surfaces, based on what exactly? Wishful thinking? Can you pass it hand to hand? Is the skin on the outer surface of your body dead? It is. If the meat dead? Yep. Does it therefore pass on meat? Tick tock tick tock, its a hard one to figure out why meat plants are such contagious areas. Do you think you should close the FOOKING INFECTED MEAT PLANTS?

        USA has a trade war with China ongoing, remember Trumps trade war? China stopped buying US meat, and Trump bailed out the farmers. So you should have a frozen meat supply. What happened to that?

        @"Lastly, this isn't a football match - the scores don't matter."

        Those scores are dead people. They do matter.

  34. Paul 87

    Wish software developers would stop misusing the word anonymous.

    If you have a unique identifier on a record then that data is not anonymous, and indeed the app couldn't function if it was anonymous. The system has to know where every user is to be able to notify anyone in a pool of uploaded data.

  35. TheMeerkat

    I am not installing it

  36. Danny 5

    Dutch government

    Is doing something similar, there's no way in hell I'm joining that program. Governments, IT and personal information, you just know it's going to be a massive pig's breakfast and I'm not having it.

    These people don't know the first thing about privacy and they don't give a shit about patients, they just want to be the ones to get paid for finding out stuff.

  37. Anonymous Coward
    Anonymous Coward

    BLE & GPS

    Can any knowledgeable types, having access to a modern Android phone, confirm or deny whether it is even possible to enable BLE without also having to permit/enable GPS location services.

    i.e. does Google get free location data over and above what the NHS gets.

    I seem to recall reading a couple of items about state-of-the-art headphones that didn't work unless GPS was turned on because the BLE/GPS permissions were inextricably (and willfully?) combined.

    1. Richard 12 Silver badge

      Re: BLE & GPS

      They're separate but linked.

      The reason being that BLE on its own gives inferred precise location data.

      So while you can use BLE and keep GPS off, the app can very likely work out your position anyway.

      1. Anonymous Coward
        Anonymous Coward

        Re: BLE & GPS

        Thank you Richard (and Chris),

        I had always taken it for granted that the NHS database would be able to infer locations unless everyone turned off their GPS. That surely is the whole point in centralisation - user#1 with GPS off is within 2m of user#2 with GPS on, so #1 must also be in Tesco.

        But it is nice to know that I won't actually have to turn my GPS on and gift the precision data directly to Google and all the other apps on the phone that might like to harvest it.

    2. Chris G

      Re: BLE & GPS

      I can tell you that Bluetooth will not function on my android without enabling location.

      My only use of blue tooth is for the app to my solar panels, I always have location off , if I feel the need to check battery status, a window comes up telling me I need to enable location.

  38. thondwe

    "Don't worry Load Balancers hide IP addresses"

    Buried in the GCHQ stuff is something about load balancers hiding IP addresses so the ID can't be connected by the back end and a safe because they are run by someone else. I'd don't see any evidence that "someone else" is running the load balancers - and I thought the only masked IPs for the server side not the client side.

    If someone controls the entire end-to-end system, then they can put in code to de-anonymize the data. And frankly, I wouldn't put it past some nefarious company to try and match up the NHSX app data with another data set (e.g. Facebook) and identify a fair few people by some clever analysis/pattern matching...

  39. jev42

    Has anyone got any good resources on the tech feasibility of this?

    Why doesn't the OS just kill it if it thinks it's idle?Does it work if you're also using a smart watch and headphones?

    What happens when the phone goes into power saving mode?

    What happens when the app is in the background.

    And all of that is before the idea you can effectively judge proximity via Bluetooth.

    I feel like I'm missing something.

    Privacy and security concerns are real, but if the tech is nonsense, what's the point of even going down this road?

  40. Anonymous Coward
    Anonymous Coward

    A plague on both your houses ...

    How have we evolved a 'democracy' where it is impossible to elect any party that can be trusted with the basic human right of anonymity in our daily lives? Whether you believe in conspiracy theories or political Darwinism the outcome is the same. The evidence is that even in the worst possible circumstances there is always someone in the government working to leverage the outcome to their advantage. I will not install this app and I will encourage those I know not to do so either. Basic human rights are worth fighting for and this continual pressure to give them up is indicative of the knife edge into totalitarianism our western democracies have reached.

    1. saabpilot

      Re: A plague on both your houses ...

      The problem with the Orwellian state is the government of the day could not afford to implement it! Otherwise it would have done so before 1984. Now it doesn't have to. We the people, have done it for them, and spend £1000's every few years doing so! Don't think the Spy-Masters can't remotely turn on your camera, microphone, GPS, Bluetooth, or scan & extract your phones memory or even triangulate your location just using the 2/3G signal. Big bother has been watching you, and for a long time.

  41. Matt Collins

    I Want My Life Back

    Perhaps I'm lucky that I have a work phone I can install it on. If using this app is a prerequisite for getting out and about again, I will install it - but only for as long as necessary to take advantage of freedoms it may enable. Then it's toast. It's never going on my personal phone. On the other hand, if there's nothing in it for me, I won't install it at all.

  42. DrBobK
    Black Helicopters

    Lots of tin-foil hatters.

    I'm amazed at how many of the tin-foil hat brigade showed up for this one. If you are that paranoid about surveillance and the lengths higher powers will go to to get it, then surely you realise that the NSA have 'special' code inserted into all smartphone OSs and every network adapter driver for every operating system used by more than five people. Despite all this guff about the security of open-source, no-one actually checks everything (and they don't know the 'one special trick').

    1. MRS1

      Re: Lots of tin-foil hatters.

      No, it is simply knowledgeable people who have the ability to learn from experience and history.

  43. saabpilot

    WTF They the government work for US we don't work for them. A public petition, simple to arrange on-line, to protest at the NON-NHS use of the data gathered, should be enough to stop that bit of money making scheme, by those scumbags who are in parliament to feather their own nests. Maybe the Data Commissioner should step in here, prove he's got some balls, as this data should be collected for Covid-19 track and trace purposes only. Or was the only person with honest intentions to enter Parliament, Guy Faulks.

    1. Chris G

      The government is only obliged to 'discuss' the issue raised by a petition that has enough signees, that does not mean that they will in any way concur with the petition.

      The ICO is not a he, it is Elisabeth Denham, who, if you read the article is more in line with the government's plan than against it.

      Legally, I doubt the government has ever worked for us, though that should be the case.

      I also diubt that any in the government consider that they work for us beyond allegedly receiving a mandate each election time.

      Even in the Fifth Republic, where there is a constitutional requirement to listen to the people, they have slapped down most of the demands from Les Gilets Jaunes with ever increasing force.

  44. steviebuk Silver badge

    Open to abuse

    Having seen the screenshots of the IOW trial, you can see you enter the details yourself if you believe you have it.

    How long before dicks start poisoning the database with bogus data because

    1. They are dicks

    2. Not sure about their heath so, not maliciously, say they have symptoms when they don't.

    3. Is a hypochondriac and believes they have it when they don't so just fills in the form saying they do.

    And lets put bets on how long before that centralised database is breached. Hancock has wanted "digital" in the NHS for years, he's using this as his chance to get what he wants.

    And whats the better who ever has developed this or "Helped" develop the app they'll be MPs with shares in the company.

    1. Fonant

      Re: Open to abuse

      This is the biggest problem: the users are expected to reliably and honestly say if they "think" they have COVID-19 symptoms.

      Even honest people may have infectious COVID-19 with no symptoms, and symptoms might look like COVID-19 but be something else.

      The false positives and false negatives will be significant.

  45. LOOP

    Lets face it, this is social media. It will certainly go VIRAL

  46. djvrs


    What happened to GDPR and the 'right' to be forgotten?

    1. Pink Duck

      Re: GDPR

      Only applies if you have personally identifying information held about yourself. The app looks likely to only request postcode out code and a couple of question responses to the nature of self-reported symptoms and only when reporting/donating contact history, device type and country code. That alone isn't uniquely identifying, but could be resolved back to a given handset via IP logging and cellular network providers and on to a rough triangulated location for each of the Bluetooth Low Energy active connection periods, plus name and address of service provider record.

      1. steviebuk Silver badge

        Re: GDPR

        What if you run it through a VPN? The IP will be invalid. I wonder if it will end up like the South Korean anonymised medical data, that people were able to track back to the original owner. And like South Korean had in 2015 with their ID numbers.

  47. scrubber

    It's almost like it's not actually for the disease...

    Burner phone

    Download NHS app

    Use public transport

    Tell app you have Covid19.

    Rinse and repeat.

    1. MRS1

      Re: It's almost like it's not actually for the disease...

      Indeed. It is very open to being poisoned, intentionally or not.

  48. Anonymous Coward
    Anonymous Coward

    Lying ?

    Haven't RTFT (119 comments ...) but I wonder what the penalties might be for deliberately lying (i.e. pretending you have symptoms but you haven't).

    What if a group of malcontents *all* lied ?

    And how much will it cost to set 1,000 Russian bots a day to work on this ?

    Am I hearing right that it needs passport number and a video clip ?

    1. steviebuk Silver badge

      Re: Lying ?

      But that's the problem. We all want it to be anonymous so you won't be able to ID people. Push it via VPN, the VPN is purchased with "cleaned" bitcoin and although the GPS will give away your location (which won't match your VPN saying you're in America), a simple use of a burner phone with false details given or purchased off Fleabay, Gumtree or the like and I don't know how they'd be able to prosecute anyone. Especially if you could just say "I believed I had it".

  49. This post has been deleted by its author

  50. AndyFl
    Big Brother

    Elliptic curve?

    I wonder if they are basing the system on Dual_EC_DRBG which is generally known to have a backdoor ( It could easily be GCHQ and their allies trying to convince everyone to use so called anonymous Ids to which they can reverse engineer the originator.

    On the other hand if they know your postcode, location and movements it is pretty easy to match that to a person. Previous history doesn't encourage me about confidentiality - look at the range of organisations which can covertly snoop on you and access your Internet history.

    Sorry, I don't trust them to manage sensitive data on a centralised system.


    1. TRT Silver badge

      Re: Elliptic curve?

      Ah, but you only upload your blob list WHEN you have symptoms. So not EVERY movement will be traced. At least not during the first few weeks and months... but seeing as though eventually EVERYONE will get this virus... EVERYONE'S blob list will end up in Big Brother's library.

      And I do mean everyone will get it. For those who wondered about it and thought it's SAFE to come out once the all-clear siren has gone off and you won't get the disease... remember the purpose of lockdown is to FLATTEN the curve - it still has the same area underneath - that area, that integral, is the absolute number of deaths. Still going to be the same number of deaths from the disease itself - it just won't be higher than it needed to be as a result of life saving (or death preventing) medical intervention being denied due to over-demand.

  51. batfink

    And now the good news!

    I see that the UK government has handed over the recruitment and management of the (alleged) 15,000 contact tracing staff, who will presumably have access to this data, to Serco.

    Naturally, I have the utmost confidence in Serco's ability, inclination and competence to keep my data private.

    After all, they haven't been implicated in any scandals in the past, have they?

  52. HLH

    UK Covid-19 Contact Tracing

    It is rather unfortunate that many OAP.s who would in all probability use the new Covid-19 Tracing App do not possess or use mobile phones. So how can the NHS and the Government get a true an accurate measure on the migtration of the dreaded virus against the whole age range, when a good percentage of the UK public will not be traced. Yet again the aged population are not important.

  53. Chris 239

    Having some Tiles to help finding lost keys my expectation is that this simply won't work.

    With a tile you are supposed to be able double click the button on the tile and the phone will ring so you can find it, my experience is that that does not work unless the tile app is running in the foreground.

    Bluetooth tooth is great but not all it's cracked up to be.

  54. Neoc

    "...random-looking..." <sweatdrop> that's kinda telling, right there...

  55. Frumious Bandersnatch

    "it in a way that only the NHS server can recover"

    So it's like a one-way hash, except it's reversible. Give these guys a Nobel Prize!

  56. Anonymous Coward
    Anonymous Coward

    Open source perhaps?

    Is there any news if the code will be disclosed?

  57. Anonymous Coward
    Anonymous Coward

    Where's my Lumia?

    Don't know why, but I've got a sudden urge to fire up my old Windows Phone. The security risk from an elderly, unsupported OS seems quite tractable compared to those from this government.

  58. IB12345

    Does anyone know what permissions this app needs? Is it going to ask for access to my photos, files, camera and microphone?

  59. Danny 2


    I know this is off topic but I am probably the only IT smoker left in the UK and so I think my logic and experience is worth consideration.

    Chinese statisticians found smokers were less likely to catch Covid and more likely to die of it. French scientists reckoned the only protective component must be nicotine so they are testing nicotine patches as a preventative measure.

    I think the real protective effect is probably the smoker's cough. During a pandemic characterised by a hacking cough my normal smoker's cough keeps everyone else at a safe distance. Covid seemingly often presents a dry cough, mine is the normal phlegm one I've had for years, but nobody else knows that so people give me a wide berth. That gives me some protection from the seemingly healthy asymptomatic carriers.

    300,000 British smokers have quit smoking recently which is welcome but weird - cancer, bronchitis, pleurisy and heart disease weren't as scary as Covid‽ My main worry is my normal cough would mask a dry cough. It's the first time I've found phlegm reassuring.

    ETA: I've recently wore a surgical face mask for the first time, and started making them too. This terrified the public around me more than my smoker's cough! I highly recommend facemasks over smoking, partly because it hides the two teeth I've had to remove since my dentist disappeared.

    1. TRT Silver badge

      Re: Smoking

      If your airways are liberally coated in slime then there are fewer cell surfaces for the particles to bump into. Then there's all the other muck that the mucus is trapping. Tar and nicotine and carbon monoxide all have horrible effects on lipids and proteins, which are the compounds that the outer shell of a virus is made from. It's why hand washing, alcohol gels and bleaches work - soap and alcohol works on the lipid, peroxide and hypochlorite works on the proteins. UV destroys the nucleic acids, so get out in the sun too!

      You also have a heavy stream of mucus moving up and out, carrying the trapped viral particles out of the body. Very effective. Smokers do seem to get fewer but more serious colds. Been known about for years, so why it's a surprise for some medical professionals, I don't know! And it doesn't shock me in the least that healthy fitness fanatics who regularly inhale outside air right down into the very bottom of the lungs through nice, big wide open bronchioles seem to get the virus really bad if they come down with it.

      1. Danny 2

        Re: Smoking

        Thankin' you! I was guessing, as ever, whereas you seem to have actual knowledge.

        You seem to agree that it doesn't bode well for the French nicotine patch trial, but I think you've made an argument for smokers to keep smoking until the end of the lockdown, and government taxes to be lifted.

        ETA: Ta to The Register yet again. I am always the smartest person in the room, and that isn't a boast, it's a consequence of door policy keeping me out. It's refreshing to be allowed here to chat with far smarter folk.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like