The UK MOD Defence Strategic Command’s innovation hub, jHub, is now offering support to NHSx in order to be able to securely gather & share COVID-19 symptom data for ‘Project OASIS.’
Security concerns & well-publicised doubts pertaining to the proposed NHS Covid-19 tracing app are emerging because of registration problems & the use of unencrypted data within the app. These can be exploited by cyber-criminals, according to David Grout, CTO for EMEA at FireEye.
David observed, “One of the biggest concerns is attached to the fact it’s based on a “centralised” model. Just yesterday, France came out in defence of its own centralised model where contact-matching happens via a computer service as opposed to the decentralised model which uses the people’s phone to make the match.”
“The UK Government will need to address these safeguarding issues ahead of the full nation roll-out, so citizens are fully confident that their data is not compromised but stored securely.”
“Whilst the National Cyber Security Centre (NCSC) is addressing the security issues raised, this news will make the public very uneasy ahead of a full national rollout. Experts suggest that for the UK as a whole, about 60 percent of the population needs to install and use the software for it to live up to its full potential.”
“The government is relying on a public buy-in for the project to work. To get the public on side, the government will need to not only ensure data is stored securely but also build trust by being open and transparent about the measures taken to defend citizen data, and also make the public aware of their rights to privacy. With this in mind, the Government should only gather data and information which will be used towards its sole purpose to mitigate the spread of the virus.”
“With concerns surrounding the usage of the data in the app, and what will happen to that data even after the pandemic, there needs to be an agreed time restriction on how long the data is collected for and deletion rights which align with current data privacy regulations.”
“Citizens should be made to feel in control of their data and reserve the right to have data deleted from the record once the crisis is over.”
In response to these concerns, the Ministry of Defence Strategic Command’s innovation hub, jHub, is now supporting NHSx to securely gather & share Covid-19 symptom data for project OASIS.
Several third-party apps & websites have been collecting Covid-19 symptoms & basic demographic data to track the spread of the virus. OASIS will not be receiving, or requesting, data that can identify individuals (e.g. names or GPS specific location data).
Project OASIS is supported by jHub for “coordination and coherence of the Covid-19 symptom tracker apps; including facilitating the secure transfer of relevant symptom & epidemiology data from the third party Covid-19 apps to the NHSx datastore.”
Information & any free text accidentally identifying users is taken out, so that only symptom & demographic data is included. The data is then checked for security issues, with any incorrect or duplicate data deleted, and then securely shared with NHSx (NHS England) to help it understand where the virus is spreading & how quickly.
A government statement says: “Project OASIS will adhere to strict controls to ensure the data sharing meets data protection legislation.”
Natasha Gedge, the Chief Operating Officer at jHub, explained, “At jHub, we are always working to deliver for UK Defence and we are proud to be able to take our approach, & apply it in support of the NHS & the people of the UK.”
NHSx & jHub say they are only working with apps that have been assessed to the NHS Digital Health Technology Standard or against the Digital Assessment Questionnaire (DAQ) which include these App Providers:-
Others will reportedly be announced soon.
Grant Goodes, Chief Scientist at Guardsquare supported the approach to data privacy adopted by OASIS, but also warned of inherent dangers posed by potential hackers. He reasoned “It appears the NHSx programme (project OASIS) is a well-considered and practical approach which recognises the serious concerns around data privacy while still maintaining effectiveness.”
“Put simply, as an essential element of this programme, Contact Tracing apps must be trusted by the general public, or else will not be broadly installed and adopted, which will defeat their basic effectiveness.”
In addition, he added, “There are two primary elements to ensuring that Public Trust can be established: The first is a basic design with privacy and data-security in mind, and on this front, the OASIS project seems to be on solid ground, with a data-gathering & sharing model that adheres to the highest standards expected of UK and European governments as enshrined, for example, in GDPR.
“The second, & equally important aspect is Application Hardening: Even with the best data-security design, the application code itself is vulnerable to exploitation by malicious actors including criminal organisations or even amateur hackers, & as has been demonstrated again and again, the “out of the box” resistance of mobile applications against modern hacking tools & techniques is effectively zero.”
“To ensure that Contact Tracing apps do not become a target for exfiltration of personal data, the developers & deployers of these apps must include code & data-obfuscation protections as well as RASP (Runtime Application Self-Protection).”
Isle of Wight
An NHS tracing app went on trial on the Isle of Wight on May 4, & nationwide rollout is scheduled to follow the 3-week trial, i.e. the end of May. Circa half the IOW population have downloaded the app.
While the government aim is for 60% coverage, the shortfall does not appear to be due to privacy concerns raised regarding the central data sharing model, but due to older phones not having access plus some segments of the population not being Internet users (about 2 million in the UK are believed not connected, & another 7 million described as having ‘very basic skills/limited usage’).
Also, outsourcing firm Serco has apologised for accidentally sharing the email addresses of almost 300 contact-tracers, according to BBC News. Serco, one of the companies hiring, training & operating the 15,000 contact tracers who do not have clinical training, shared the addresses when emailing trainees to tell them about training.
Last year the Home Office made a similar error & referred itself to the Information Commissioner, but Serco will not do this. The error did not involve patients’ data, but it does not sit well with a project that will ask thousands of people who have fallen ill to share the details of their friends & acquaintances.
Jake Moore, Cyber-Security Specialist at ESET added “At a time when people are already questioning the app’s privacy concerns, this comes as a serious blow. Apps like this need the public’s inherent trust from the outset, so learning of even a small number of email addresses leaked is a shame.
“Those affected must remain aware that they could be used in phishing attempts; however, the numbers are low enough to mitigate any further risk. There is real fear for many people as to if they should download this app because of potential privacy concerns. The question is now as to if the public will trust the app after this has happened so early on? Moreover, if the app does not achieve the desired uptake, it is flawed from the start.”