With the UK rollout just weeks away, our data breach experts analyse the pros and cons of the widely debated app.
The biggest concern is the security issues associated with capturing such sensitive information, such as location and health data, from a large portion of the population. While the NHS has completed its data protection impact assessment (DPIA) and scored itself a low-to-medium risk on all of the potential privacy issues raised, this may do little to ease public fears.
Most of these worries are based around the fact the UK Government has opted for a centralised approach, meaning the anonymised data is uploaded to a central remote server where it matches contacts if one develops coronavirus symptoms. In comparison, a decentralised model, which is being promoted by Google, Apple and in other countries, gives users more control over their information by keeping it on the phone. It can be argued that the centralised model gives authorities more insight into the spread of the virus, but does that come at the cost of the privacy of its users?
This personal information will be a gold mine for cyber criminals and, therefore, data protection concerns need to be a central and transparent part of the Government’s process. If the database is compromised, it would not only further increase public anxiety, but the Government could find itself having to pay out hefty data breach fines, at a time of existing economic uncertainty.
There have been a number of examples recently highlighting how cyber criminals have accessed personal data. Just this month, EasyJet admitted that a “highly sophisticated cyber-attack” affected approximately nine million of its customers.
The issue of data retention has also come under fire as, without a set policy, data could be retained for long periods and breach GDPR. While the DPIA addresses this and states personal data will not be kept longer than necessary, it is yet to set a time limit on when this might be, due to the uncertainty about how long the crisis will continue. It also states that data from the app may be used for research purposes which “may be linked with identifiable data”, although such requests are still awaiting further confirmation and approval.
A final flaw is the self-report system itself which could lead to many false alerts being generated resulting in people receiving incorrect alerts that they’d been in contact with someone with suspected coronavirus. Incorrect reports could be created in various ways, from people deliberately manipulating or exaggerating symptoms to children accidentally accessing the app!
The biggest benefit is that this technology could be the key to ending UK lockdown and ultimately a return to normal life. By instantly alerting somebody that they may have been exposed to the virus and giving them specific guidelines to follow, they can self-isolate immediately to avoid infecting others.
By tracking cases in this way, we can protect vulnerable people and minimise the virus’s spread meaning work and travel restrictions could potentially begin to ease.
If successful, it could also be used to predict upcoming hotspots at the epicentre of the crisis, meaning restrictions could be dialled up or down in parts of the country as required and hospitals could prepare by ensuring they have the supplies they need.
All of these benefits, however, will require a take-up rate of approximately 60% of the UK population. Singapore, which is much more tech-oriented than the UK, only had a take up of about 20%. However, an initial poll has reported that around 50% of the UK population would be willing to download the app, and research has found that it would start becoming very effective at reducing infection with take-up of anything above 50%.
A successful rollout could be crucial to testing, tracking and tracing the spread of the virus. It could help us start to relax lockdown restrictions and return to a more normal life. But, there are legitimate concerns about the app’s usage and how privacy will be protected, and reviews from the Isle of Man trial have certainly been a mixed bag. With data breaches sadly becoming a much more common occurrence, the Government needs to assure the public that privacy as well as public safety remains a top priority.