U.K. Virus App Contains Privacy Loopholes, Rights Group Says

(Bloomberg) --

The U.K.’s contact-tracing mobile phone app includes code that could allow authorities to access a user’s detailed location data and to send information to Microsoft Corp. and Alphabet Inc.’s Google, according to an initial technical analysis carried out by Privacy International.

Like governments around the world, the U.K. is developing a voluntary mobile app that uses Bluetooth technology to trace possible infections of the coronavirus, alerting users when they may have been near someone infectious. Authorities say the tools will help track and contain any resurgent outbreaks of the virus once lockdown measures lift.

But the U.K.’s app, which rolled out for trial on the Isle of Wight on Thursday, has faced questions from privacy experts who say its system gathers too much information about users.

The NHS says on its website “it will not be able to track an individual’s location,” but the app includes mandatory permission requests to collect both GPS and network-based location information, according to Christopher Weatherhead, a technology lead at Privacy International, which carried out analysis on both Android and iOS versions of the app.

The permissions are necessary for the Bluetooth technology to function, the privacy group said, adding that it didn’t believe the app was currently using location data. But the researchers expressed concern this could easily change with future software updates given the permission would already be granted.

“This would mean additional, very accurate data about the users’ location could be collected without additional consent,” Weatherhead said in a report obtained by Bloomberg.

The U.K.’s Department of Health and Social Care said users must enable Bluetooth for the app to work. The Android operating system requires that location services also be switched on in order to turn on Bluetooth, it said, adding that the app does not use or record location for any users. iPhone users are not asked to enable location services, it said.

“Our goal is to protect the NHS and save lives – and the NHS Covid-19 app is a key part of our plans to track the virus and keep people safe,” said a spokesperson for the department, which oversees the country’s National Health Service.

Privacy International was granted early access to the app. The group’s researchers used an internal version of an app-auditing platform called Exodus Privacy and other tools to carry out an initial analysis. It said it still plans to do more in-depth testing of the app.

The group’s findings show the app also includes code for Google Firebase Analytics and Microsoft Appcenter Analytics trackers, which collect data about the user. Based on an initial analysis, the app sends Microsoft data about a user’s interaction on the app, though not the actual content, Weatherhead said, adding the extent of the information sent to the companies is still unclear.

The U.K. said the code for the Google and Microsoft analytics services is currently used to provide basic metrics to tell the team how well the app is performing during this first phase of the roll-out on the Isle of Wight.

Microsoft also confirmed that the data is being used to determine how well the app is working in this initial phase. A spokeswoman said that the data isn’t shared with the company. Google said its Firebase service is an app analytics solution and not an advertising solution.

“Any developer that chooses to use Google Analytics for Firebase is prohibited from passing information, like an email address or phone number, that could personally identify someone to Google, and we use a combination of machine learning and human review to identify health apps and mark them ineligible for ads usage,” a Google spokesman said in an email.

Privacy International also said its cursory testing suggests that only those with modern smartphones will be able to run the app, likely excluding those who can only afford cheaper devices. Researchers have said a majority of the population needs to download a contact-tracing app for authorities to successfully map the virus.

The U.K. said it’s looking to support earlier versions of the Apple and Android operating systems in the future.

The app has been built for the NHS by VMware Pivotal Labs, a software development consultancy that’s part of VMware Inc. Several other organizations are actively helping the NHS to develop and test the app.

©2020 Bloomberg L.P.