The UK’s contact-tracing mobile phone app includes code that could allow authorities access to a user’s detailed location data and to send information to Microsoft Corp. and Alphabet Inc.’s Google, according to an initial technical analysis carried out by Privacy International.
Like governments around the world, the UK is developing a voluntary mobile app that uses Bluetooth technology to trace possible infections of the coronavirus, alerting users when they may have been near someone infectious. Authorities say the tools will help track and contain any resurgent
outbreaks of the virus once lockdown measures lift.
But the UK’s app, which rolled out for trial on the Isle of Wight, has faced questions from privacy experts who say its system gathers too much information about users.
The NHS says on its website “it will not be able to track an individual’s location,” but the app includes mandatory permission requests to collect both GPS and network-based location information, according to Christopher Weatherhead, a technology lead at Privacy International, which carried out analysis on both Android and iOS versions of the app.
The permissions are necessary for the Bluetooth technology to function, the privacy group said, adding that it didn’t believe the app was currently using location data. But the researchers expressed concern this could easily change with future software updates given the permission would already be granted.
“This would mean additional, very accurate data about users’ location could be collected without additional consent,” Weatherhead said in a report. The UK’s Department of Health and Social Care said users must enable Bluetooth for the app to work. The Android operating system requires that location services also be switched on in order to turn on Bluetooth, it said, adding that the app does not use or record location for any users. IPhone users are not asked to enable location services, it said.
“Our goal is to protect the NHS and save lives – and the NHS Covid-19 app is a key part of our plans to track the virus and keep people safe,” said a spokesperson for the department, which oversees the country’s National Health Service.
Privacy International was granted early access to the app. The group’s researchers used an internal version of an app-auditing platform called Exodus Privacy and other tools to carry out an initial analysis. It said it still plans to do more in-depth testing of the app.