Coronavirus: New NHS contact-tracing app vulnerable to ‘malicious false alerts’, warn experts

Individuals could send out false alerts causing people to self-isolate unnecessarily and hackers could generate ‘proximity events’

Lizzie Dearden
Security Correspondent
Tuesday 05 May 2020 22:16 BST
NHS contract tracing app 'will have unintended consequences'

The new NHS contact-tracing app could be used to send malicious alerts causing people to isolate unnecessarily, it has been warned.

The app, which is being trialled in the Isle of Wight, tells users if someone they have been in proximity with may be suffering from coronavirus, meaning they could be exposed.

But because users can set off the warnings themselves by reporting symptoms – rather than positive Covid-19 test results – it could be used to send out false alerts.

​Dr Michael Veale, a lecturer in digital rights and regulation at University College London who this week gave evidence to MPs on the technology, told The Independent that Britain’s tracing app had nothing to stop individuals “maliciously triggering notifications” using its normal functionality.

“People can deliberately put others into quarantine or report large areas,” he said. “A child could try to get a day off school by reporting symptoms from a parent’s phone to trigger a quarantine.”

Dr Veale warned that people could “lose trust in the system” and ignore alerts if they discover a false warning was issued.

The UK is thought to be the only country in the world allowing people to self-report symptoms, rather than using Covid-19 test results. In other nations, such as Australia, positive tests are confirmed by officials before those who have come into contact with sufferers are alerted.

The UK app, which was rolled out to NHS and council workers on the Isle of Wight on Tuesday, uses Bluetooth to detect other users nearby.

Hancock can't say if people pinged by smartphone app should self-isolate

It builds a database of significant contacts, within two metres and for at least 15 minutes, that can be voluntarily alerted if a user develops coronavirus symptoms.

Under the current lockdown, only a small number of people would be alerted by users abiding by guidance to stay at home.

But as restrictions lift and people return to work, potential contacts in offices and on public transport will increase dramatically.

Officials have said that if the NHS discovers a diagnosis was wrong, another alert telling people they can stop self-isolating will be sent out.

But with limited testing being carried out in the UK, it is unclear how frequently people’s declarations will be verified.

“It’s the first time this has been deployed, so we don’t know what looks like fraud,” Dr Veale said. “Self-reporting is a UK quirk, and a pretty strange one.”

The National Cyber Security Centre (NCSC) has worked to mitigate against possible cyberattacks where hackers could generate “realistic-looking proximity events” for large numbers of people.

Ian Levy, the NCSC’s technical director, said that self-diagnosis had brought “security challenges”.

“One of the obvious ones is that an attacker can, for example, sit outside a hospital with some custom kit and create fake but realistic-looking proximity events for everyone in the hospital and then report themselves as sick,” he wrote.

“Without some smarts, everyone would be told to self-isolate. In our model, the risk modelling can catch this sort of attack and mitigate it.”

Not everyone a person with symptoms has contact with will receive an alert, and the system has been designed to spot suspicious activity before one is sent out.

The app will be updated over time to respond to potential misuse.

Mr Levy said that removing self-reporting from the app would “make managing the disease very, very hard in the UK”, amid criticism of the government’s testing regime.

It was unclear whether the NCSC’s technology could also catch malicious reports by people who use the app’s normal functionality.

Dr Veale said that while hacking could be spotted, individuals “reporting maliciously look the same as a legitimate use”.

He added that hypochondriacs and people who genuinely believe they have coronavirus symptoms, but do not have the virus, will also generate false alerts.

The app has also generated privacy concerns because of its “centralised” system, which sends user data to a server controlled by public authorities.

Other countries, including Ireland, are using a “decentralised” model that works through individual phones and does not build a central database on how the disease is spread.

Matthew Ryder QC, who wrote a joint legal opinion on the issue, told BBC Radio 4’s Today programme that the government was yet to “present the evidence or the material it would need to justify the course it is taking”.

The Information Commissioner’s Office previously suggested that a decentralised approach would best protect user privacy and will assess NHSX’s data protection impact assessment. But a centralised system allows outbreaks to be tracked on a national scale.

Privacy campaign groups have raised concern that the app could be extended to monitor individuals’ movements and contacts, but the government emphasised that users will not need to give their names or other personal details.

Matt Hancock, the health secretary, said its purposes were “purely and simply to control the spread of the virus” and urged people to download the app.

He argued that it was “completely wrong” to claim it represents a threat to civil liberties.

Giving evidence to parliament’s Joint Committee on Human Rights on Monday, the head of the unit developing the app warned of “unintended consequences”.

Matthew Gould, chief executive of NHSX, said officials do not know “exactly how it will work”.

“There will be unintended consequences, there will for sure be some things we have to evolve,” he added. “When we launch it, it won’t be perfect and as our understanding of the virus develops, so will the app.”

A spokesperson for the Department of Health said: “As we have seen throughout this crisis, the vast majority of people have taken their responsibility to protect the NHS and save lives seriously and we’re confident this will be no different when they use the new app.

“Nonetheless we have taken precautions to mitigate against malicious activity.”

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in