Why did the Government’s Track and Trace App fail?
by Luke Potter
As governments around the world work to respond to the challenges of the COVID-19 outbreak, technology firms globally have been developing new technology solutions, including digital contact tracing via mobile apps, to help in the fight against the pandemic.
More than 30 countries are building tracing apps and the UK is no different. Its tracing software – the NHS Covid-19 app – was trialled on the Isle of Wight from the 7th May and is expected to be rolled out to the rest of the UK later this month.
Countries such as South Korea have successfully employed digital contact tracing technology, taking it from one of the worst hit countries outside of China, to having the outbreak effectively under control by using its three guiding principles: test, trace and contain. Yet the UK NHS app has been plagued with problems since the start of the trials. Issues have been raised over security concerns and doubts have been cast about the app’s effectiveness.
After initially turning down offers to collaborate with Apple and Google, the UK government instead decided to deploy a go-it-alone UK app. However, they have now announced that they are pausing trials of the second version of the UK Track and Trace App - which were due to begin on the Isle of Wight on Tuesday 16th June - and are instead joining forces with the two tech giants to develop a new contact tracing app powered by their technology.
In this article, we take a look at why the UK-developed Track and Trace app failed, and what the future of the new, collaboratively developed app looks like.
Why the support of the general public is vital, and why the NHSX app failed to gain it
Back in May, senior NHS sources revealed that the app, developed by NHS's technology and research arm NHSX with researchers from Oxford University and developers from tech companies like VMware, had actually failed all of the tests required for inclusion in the NHS app library, including cyber security, performance and clinical safety. This was attributed to the fact that the app was in the early development stages. The source described the app as “a bit wobbly” but added that it was not a “big disaster.”
Even NHSX themselves weren’t exactly convinced. Giving evidence to parliament’s Joint Committee on Human Rights, the head of the unit developing the app warned of “unintended consequences”. Matthew Gould, chief executive of NHSX, said officials do not know “exactly how it will work”.
This rhetoric (unsurprisingly) didn't gain the support of the general public. In fact, a survey of 1,000 U.K. citizens revealed that nearly half of the public surveyed about the NHSX COVID-19 tracing app did not trust the UK government to keep their information safe from hackers. And over a third of respondents were concerned that the app might allow the government to collect their data.
The problem with this is that for the app to be effective in containing the spread of COVID-19 after lockdown is eased, at least 60% of the UK public need to download it. Since downloading the app in the UK won’t be compulsory, the government needs to urgently address some of the main concerns surrounding the app to convince the population to part with their personal data.
A centralised database raised major concerns about data misuse
The NHSX COVID-19 Track and Trace app planned to use a centralised database, rather than the decentralised approach taken in other countries. Such a database would contain anonymised records of those reporting symptoms, as well as who their phone has come into contact with. Other countries, including Ireland, are using a decentralised model, where personal data is stored on devices rather than government databases.
Privacy campaign groups raised concerns that this centralised database model could be extended to monitor individuals’ movements and contacts. It’s also impossible to ignore the fact that a large database containing the general public’s personal information is a prime target for hackers with malicious intent.
In May, a security flaw in Qatar’s coronavirus contact-tracing app put the sensitive personal details of more than a million people at risk, according to an investigation by Amnesty International. Hackers gained access to highly sensitive personal information including names, national ID, health status and location data of users.
Ultimately, the government accepted the security flaws of using a centralised database model, and has now made a major U-turn on its initial decision to turn down offers of collaboration from Apple and Google. By adopting a new, decentralised model, the new UK Track and Trace app is more likely to resemble tech such as the Swiss government’s Covid contact-tracing app, SwissCovid. SwissCovid was the first app in the world to be built around privacy-first technology developed by Apple and Google. SwissCovid operates in a decentralised manner, with Swiss health authorities receiving no personal information.
Self-reported symptoms open the door for app misuse
The UK is thought to be the only country in the world which plans to allow people to self-report symptoms, rather than using COVID-19 test results. In other nations, such as Australia, positive tests are confirmed by officials before those who have come into contact with sufferers are alerted.
Self-diagnosis of symptoms opens up a wealth of security challenges, since app users reporting symptoms maliciously are indistinguishable from legitimate users. Dr Michael Veale, a lecturer in digital rights and regulation at University College London, said that the initial version of the UK tracing app had nothing to stop individuals maliciously triggering notifications using its normal functionality.
A malicious user could, for example, deliberately put others into quarantine or report large areas by creating fake but realistic-looking proximity events for everyone in the area and then report themselves as sick, or a child could try to get a day off school by reporting symptoms from a parent’s phone to trigger a quarantine.
The only way to prevent malicious misuse of symptom reporting within this model would be to introduce verification measures before an alert is triggered. At the moment, the government hasn't revealed whether they plan to continue with a model of self-reporting in the new version of the app, produced in collaboration with Google and Apple.
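One way such a verification measure can work, shown as an added example that is not code from the NHSX app or any real contact tracing system: the health authority issues a one-time signed code after a confirmed test, and the alert server refuses any report without a valid, unexpired, unused code. The names `issue_code` and `AlertServer`, the shared HMAC key and the 24-hour lifetime are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed values: a hypothetical key shared by the test lab and the alert server.
AUTHORITY_KEY = secrets.token_bytes(32)
CODE_LIFETIME = 24 * 3600  # assumed validity window, in seconds


def _tag(body: str) -> str:
    return hmac.new(AUTHORITY_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_code(issued_at: int) -> str:
    """Health authority side: called only after a confirmed positive test."""
    body = f"{secrets.token_hex(8)}.{issued_at + CODE_LIFETIME}"
    return f"{body}.{_tag(body)}"


class AlertServer:
    """Server side: an alert is triggered only by a valid one-time code."""

    def __init__(self) -> None:
        self.used_nonces: set[str] = set()

    def accept_report(self, code: str | None, now: int) -> tuple[bool, str]:
        if not code:
            return False, "unverified self-report"
        parts = code.split(".")
        if len(parts) != 3:
            return False, "malformed code"
        nonce, expiry, tag = parts
        # Check the signature first; nonce and expiry are untrusted until it passes.
        expected = _tag(f"{nonce}.{expiry}")
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False, "bad signature"
        if int(expiry) < now:
            return False, "expired"
        if nonce in self.used_nonces:  # one confirmed test triggers one report
            return False, "code already used"
        self.used_nonces.add(nonce)
        return True, "alert contacts"


if __name__ == "__main__":
    server, t0 = AlertServer(), 1_600_000_000  # constructed timestamp
    code = issue_code(t0)
    print(server.accept_report(None, t0))       # report with no code is rejected
    print(server.accept_report(code, t0 + 60))  # verified report is accepted
    print(server.accept_report(code, t0 + 90))  # replay of the same code is rejected
```

The code carries no identity, only proof that an authority confirmed a test, so this check does not require the server to learn who is reporting.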
A field day for COVID related fraud
During the first stages of the Track and Trace app trials, there was no clear guidance from the NHS on where to download the app or what a legitimate alert looks like. This put the public at risk of being faced with floods of emails with bogus links to convincing looking domains offering a fake app download.
This is more than just speculation. In India, cyber security experts found fake versions of the government's contact tracing app, Aarogya Setu, carrying spyware capable of making phone calls, recording audio, sending texts, taking pictures and recording videos from the camera.
Several public health directors have called for all forms of communication from contact tracers to involve two-step verification to eradicate the risk of scammers gaining confidential information. Awareness campaigns which educate the general public about where to download the app and what a legitimate alert looks like would also greatly reduce the chances of scam apps and alerts being successful.
Failings in the Bluetooth technology
Finally, digital contact tracing apps operate using Bluetooth technology. Bluetooth has had several vulnerabilities in the past, including as recently as February, when a critical vulnerability named BlueFrag affected multiple Android and Apple iOS devices.
Bluetooth is less widely used in app technology, and developers might have less experience with Bluetooth compared to online platforms, potentially leading them to overlook certain elements that might result in a bug or vulnerability. In order to gain public trust, there is a need for government assurance that the app will be regularly tested for vulnerabilities and that patches will be swiftly released to plug potential holes.
One of the main reasons behind the NHSX-built app being scrapped was failings in the Bluetooth technology. An audit found that the app could only detect one in 25 contacts on Apple phones. The app also did not work on Android phones that were more than four years old. The root of this problem was the fact that NHSX were trying to get round privacy limitations placed on smartphones by Apple and Google. Working together with Apple and Google will allow the government to overcome these privacy limitations, rather than spending time looking for ways around them.
Will the new app be any better?
Contact tracing technology is not new - it’s been around and has served as an effective way to contain public health pandemics, such as HIV, for decades. The COVID-19 pandemic is no exception, and other countries around the world have already proven the effectiveness of track and trace apps in the fight against the outbreak.
In order for the new app to be successful in the UK, it needs to gain the support of the public - where the previous app failed to do so. Before this can happen, government cybersecurity experts need to issue solid assurances that public data is safe and that Bluetooth technology is secure, and to clearly educate users about the app to prevent people accidentally downloading fake apps or being scammed by fake alerts.
It’s not yet been announced when the new app will be released, but Lord Bethell, the Junior Health Minister, has told MPs that: “we are seeking to get something going for the winter, but it isn’t the priority at the moment”.
About the Author
Luke Potter, Senior Director of Cybersecurity at SureCloud
Luke is an industry leader in the Cybersecurity sector and currently heads up the Cybersecurity division at SureCloud, with responsibility for our Global Penetration Testing team. With over 15 years of practical experience in IT and with a specialism in Penetration Testing, Luke works with our enterprise clients across all sectors globally. Luke is a CHECK Team Leader, Tigerscheme Senior Security Tester, ISO 27001 Lead Auditor and Microsoft Certified Enterprise Administrator. Previously, Luke managed the IT team at a large UK insurance brokerage.