More than 170 UK researchers and scientists working in information security and privacy have signed a joint statement about their concerns over NHS plans to use a contact-tracing app to help contain the coronavirus outbreak, warning that the government must not create a tool that could be used for the purposes of surveillance.
The letter, signed by some of the top academics in cybersecurity at some of the most prestigious universities in the country, urges that any digital solution for helping the fight against Covid-19 should be analysed by security and privacy specialists.
It comes after the NHS and the government rejected a joint approach put forward by Apple and Google to help trace the spread of the virus, instead choosing to develop a separate tool for the UK.
However, the centralised approach to building an application to monitor contact tracing with the aid of Bluetooth technology has been met with concerns over privacy and medical confidentiality.
Some of the key concerns are around potential de-anonymised information about people diagnosed with coronavirus – as well as anyone they’ve come into contact with – being stored in a central database and the potential ability, via mission creep, to turn it into a form of surveillance.
“It is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance,” the letter said.
SEE: Coronavirus contact-tracing apps: What are the privacy concerns?
The statement points to concerns that the data could be used to trace the people someone has been in contact with – something which, in the wrong hands, could be highly detrimental to privacy.
“Such invasive information can include the “social graph” of who someone has physically met over a period of time. With access to the social graph, a bad actor (state, private sector, or hacker) could spy on citizens’ real-world activities, said the letter, adding “We are particularly unnerved by a declaration that such a social graph is indeed aimed for by NHSX”.
The government has said all of the data analysed and stored in the fight against coronavirus will be deleted when it’s no longer required. ZDNet has approached NHSX for comment, but hadn’t received a response at the time of publication.
And while the 170 academics understand the idea of a contact tracing app is to help get people through the coronavirus crisis, they urge that it be done with data protection in mind by collecting the minimum amount of data necessary to achieve the objective of the app.
The joint statement calls for NHSX to, as a minimum, publicly commit “there will not be a database or databases, regardless of what controls are put in place, that would allow de-anonymization of users of its system, other than those self reporting as infected” to avoid it being built into social graphs or a surveillance tool.
“Finally, we are asking NHSX how it plans to phase out the application after the pandemic has passed to prevent mission creep,” it said.
MORE ON CYBERSECURITY