NHS Denies #COVID19 App De-anonymization Plan

The United Kingdom's National Health Service (NHS) has refuted claims that it considered giving ministers the power to de-anonymize users of its planned COVID-19 contact-tracing app.

Plans to roll out the new smartphone app were announced on Sunday, April 12, by health secretary Matt Hancock during a daily UK pandemic briefing. It is hoped that by allowing people who develop COVID-19 symptoms to quickly alert others with whom they have been in proximity, the app will help to stem the spread of the deadly novel coronavirus in the UK.

The new app is currently being developed by the NHSX—the digital innovation branch of the National Health Service—with testing of an early version expected to get under way in the North of England this week. 

Explaining how the NHS app would work, Hancock said: “If you become unwell with the symptoms of coronavirus, you can securely tell this new NHS app and the app will then send an alert anonymously to other app users that you’ve been in significant contact with over the past few days, even before you had symptoms, so that they know and can act accordingly.”

The NHSX has said that for the app to be effective, it will need to be adopted by more than 60% of the UK's 66.65 million inhabitants. 

Addressing privacy concerns over the contact-tracing app, Hancock said that it would be completely voluntary to use and that users would remain anonymous.

"All data will be handled according to the highest ethical and security standards and would only be used for NHS care and research," said Hancock.

However, a draft government memo produced in March and seen by The Guardian discusses how ministers might be given the ability to order “de-anonymization” of data collected via the app to identify people from their smartphones.

The document headed “official – sensitive” and “draft – not yet approved” stated that the app could use device IDs, which are unique to all smartphones, “to enable de-anonymization if ministers judge that to be proportionate at some stage.”

A spokesperson for NHSX denied there were ever plans to de-anonymize data.

What’s Hot on Infosecurity Magazine?