Author: Gary Hibberd
Date: 24 September 2020
On the 24 September, the long-awaited and much discussed ‘Test, Track and Trace’ App was launched for England and Wales. It is intended to be used by over-16s, which is a reduction from 18, and is in line with Scotland’s “Protect Scotland” contact-tracing app.
To say it has been dogged by controversy is an understatement. From the earliest days of the COVID-19 pandemic, the Government talked in March about the need to test, track, and trace people, and with Dido Harding at the helm, we saw the government trip over itself and finally scrap its planned App.
Now, months later than promised, we have a second app being rolled out, but only for England and Wales. If you’re travelling to Scotland, then presumably you should download their App too?
Confused? Yes… Me too!
But what has the country been doing in a bid to help while we waited for this much-anticipated App? Well, the country improvised, and in doing so laid the foundation for individual companies to walk blindly into breaching the Data Protection Act, and for companies to wilfully normalise the mass collection (harvesting) of personal data!
The ICO Speaks – No one listens
Of course the Information Commissioner’s Office (ICO) made statements about the need to protect personal data, but let’s be honest: who is listening?
The UK Government has issued its privacy notice, which states that the App helps people manage their risk of exposure to COVID-19 and identify and inform those who have been or may be at risk. This may be because of where they live, who they have been in close contact with or as a result of venues visited. It also states that the App tracks the spread of the virus but does not track people.
The App also allows you to:
- view current risk in your local area
- keep a personal record of venues visited where you ‘check-in’ using the official NHS QR code poster
- check whether any symptoms you have could be COVID-19
- order a test, via a link to the NHS Test and Trace website
- count down how many days you have left if you need to self-isolate
It makes for interesting reading. But who is reading this privacy notice? Privacy and security specialists, yes. The general public? Not likely. And let’s be honest: do we actually trust that the data will be held securely anyway? Last week we heard how Public Health Wales, on 30 August 2020, uploaded the personal information of 18,105 Welsh residents to a public-facing server. The data contained personal information on people who had tested positive for COVID-19, and the cause of the breach was stated as human error.
Perhaps it’s a sign of the times that a story like this didn’t cause even a stir on the mainstream news. Perhaps it’s a sign of the times that, because it was ONLY 18,105 records, it didn’t cause much of a stir in the cybersecurity or data protection sector either. But I noticed. And it worries me.
Sleepwalking into a nightmare
On the rare occasions over the past few months when I have ventured out to cafes, restaurants, and bars, I have been met with a variety of requests to hand over my personal data, for “Track and Trace purposes”.
These processes have included:
- Downloading an App (from some unknown third-party)
- Writing my name on a sheet of paper, which is left on public display
- Giving my personal details to the waiter, who scribbled it down on a pad, alongside my order for tea and cake
I have been sent images by friends and family who have stood next to pages and pages of contact details. They clearly recognise that it’s an issue, but don’t see the irony: by taking a picture and sending it to me, THEY have wilfully created a data breach!
The amount of data that is now ‘sloshing’ around in an uncontrolled manner is genuinely terrifying, and the ways this data, OUR data, can be misused are no less worrying. It would be irresponsible for me to go into detail here about how cybercriminals can use this data to their own advantage, but we are already hearing stories of individuals who work in these establishments contacting customers and openly marketing to them. We’re also hearing of individuals (like bar staff) contacting people and asking them out on a date!
What can we do about it?
The first step in preventing a problem is to be aware of the risks. There is no doubt that we need to have a reliable Track and Trace capability, and if that means an App that we have to download and use, then so be it. But my worry is that in the rush to get this App out, “Data Protection by Design and Default” (Article 25) has been ignored.
The UK Government will make a big noise about the new Track and Trace App and will urge us all to download and use it. They may mention that security and privacy concerns have been addressed – but would you expect them to say anything different?
I would also suggest that it is not the App that is the problem; it is what the App represents, and the fundamental shift it leads to in expectations of Government and in people’s attitudes towards handing over personal data.
The App itself may not collect large swathes of data, but how it has been designed and put together has not been fully explored. The processes surrounding it have not been fully experienced, and the risks surrounding them are something we will only discover over time.
Of course, I would not like to discourage anyone from downloading the App, but I for one will be reading very carefully the Privacy Notice that comes with the App and acting cautiously in relation to the data I provide.
Stay well and Stay safe.