The NHS has released the source code behind its coronavirus contact tracking app.
So far over 40,000 people have installed smartphone software.
The health service only targets the Isle of Wight at this stage, but claims that this is the first phase of the app launch, not a test.
Tests conducted on behalf of BBC News confirm that developers have found a way around Apple’s restrictions on the use of Bluetooth on iPhones.
In a related development, Health Secretary Matt Hancock has announced that Baroness Dido Harding will head the broader track and trace test program.
The appointment surprised some given that when he was CEO of TalkTalk, the Internet service provider suffered a serious data breach and did not correctly notify the affected customers.
The NHS Covid-19 app is designed to use people’s smartphones to track when they approach and for how long, by sending Bluetooth wireless signals.
If one of them gets sick, he can anonymously trigger a upload of the records so that the alerts can be cascaded to others he may have infected, asking them to self-isolate themselves, if deemed necessary, potentially before having symptoms but are still highly contagious.
Together with other measures, including manual contact tracking, this can help ease blocking measures without causing another peak in cases.
NHSX, the digital innovation unit of the health service, has opted for a centralized system to power the app, so the contact matching process takes place on a UK-based server rather than on individuals’ smartphones.
And there has been much speculation about this decision would mean that the app was destined to malfunction on the iPhone.
Apple limits the extent to which third-party apps can use Bluetooth when they are off-screen and running in the background, although it has promised to loosen this rule for contact tracking apps that use a decentralized system that is co-operating. developing with Google.
And Singapore and Australia have reported that they will switch from centralized to decentralized apps for this reason.
But NHSX said it had come up with its own solution.
And preliminary tests from a cybersecurity company suggest that it did.
Pen Test Partners installed the app on a handful of “jailbreak” iPhones – modified to allow them to monitor activity normally hidden from users.
“Once placed in close proximity to each other, the phones would begin to” beacon “via Bluetooth at intervals of eight or 16 seconds,” said co-founder Ken Munro.
“Others have expressed concern that the app is not effective when it is” in the background “.
“Our tests have shown that this does not seem to affect beaconing, whether the phones met for the first time or were subsequently physically moved and then re-entered.”
A second company, Reincubate, found that the app sometimes “went quiet” when it worked undisturbed in the background for more than 90 minutes, but suggested that this shouldn’t be a big deal under real conditions.
“A number of reasonable factors can trigger the extension of this window, including the other use of Bluetooth, the presence of Android devices and the effectiveness of notifications [asking the user to reopen the app], “she blogged.
“In our tests, the iOS devices on which we ran the app continued to keep the background service running overnight.”
There will be further examination of the app now that the source code has been published on Github, allowing others to see how alternative solutions have been achieved.
Earlier this week, the Joint Human Rights Committee learned that despite the app making users’ identities anonymous, they could have been re-identified in theory, which could allow authorities – or even hackers – to reveal people’s social circles for other purposes.
And the committee said a new watchdog should be created to oversee the use of the app and the measures taken to protect the data.
Harriet Harman, who chairs the committee, said: “The ministers’ assurances on privacy are not enough.
“There must be solid legal protection for people about what data will be used, who will have access to it and how it will be protected from hackers.”
Critics say that a decentralized approach, where contact matching occurs on phones, would better protect user privacy.
And BBC News was informed that members of an ethics group recommending NHSX on the app asked for it to better explain the benefits of a centralized system.
Professor Christophe Fraser, an epidemiologist who advised the NHSX, told BBC News that the two main benefits were:
- allowed to ask people to self-diagnose rather than wait for test results, because any mass attempt to abuse the process could be detected
- the collected data could be used to optimize the system in order to provide different types of warnings based on the calculated risk scores
But he added that talks with Apple and Google continue.
And analyzing how the app was used on the Isle of Wight would have informed decisions about how best to proceed.
“There has been a lot of discussion about privacy, and rightly so,” he said.
“But there is also your ability to save lives.
“And there is a possibility of not quarantining millions of people.
“Understanding how we can find the optimal system that can compensate for these different requirements is a bit of an open question at this stage.”