NHSX Tracing App – How safe is your data?

It has recently come to light that almost half of the UK’s population fears abuse of the NHSX COVID-19 tracing app. A survey conducted by Censuswide found that 48% of UK residents, when asked, feared that their personal data would be at risk to cybercriminals seeking to take advantage.

NHSX_Tracing
NHSX_Tracing

The majority expressed their concern that these cyberattacks would come via smishing messages or phishing emails. Worryingly, only half of these respondents felt they would be able to tell the difference between legit email/SMS communication and a phishing one.

Other exploits that had potential users on edge was the functional use of Bluetooth, which emits an anonymous signal that keeps track of any possible COVID-19 patients in the vicinity.

With it being no secret that cyberthreat has increased in the wake of the pandemic, naturally there is a heightened sense of alertness from individuals over increased concern for the safety of both their health and sensitive personal information.

That being said, experts at the NCSC (National Cyber Security Centre) have given the green light, and assure users of the app that their personal data is entirely safe, and will not be collected by the app.

Names and emails are not required by the app to work. All users get assigned a random ID upon installation, registering only the first part of your postcode, phone make and model. This is the primary source of identification, which cannot be linked to you as an individual. For extra security, the app will also create a new ID daily (a random elliptic curve key pair), which encrypts your installation ID to allow users to stay private from other users.

For IP addresses, the foundations of the system use a ‘front-end’ that can see your IP address, however this is not seen by the NHSX ‘back-end.’ NCSC Technical Director, Dr. Ian Levy has also said that,

“The cyber security monitoring of the system keeps logs which include IP address, but they’re strictly access controlled and are only accessible to the cyber security team looking after the app system.”

The ‘back-end’ has been constructed with security in mind, holding only anonymous data, communicating to other NHS systems through private gateways, and ensuring app data cannot be linked to data held by the NHS.

Digital contact tracing at this level and size of operation is new to the UK technology scene. Ultimately, the application was introduced to help the UK’s healthcare services to get on top of the virus and mitigate, in whatever ways possible, the rise of R.

For more information, you can read a full report on the tracing system on the NCSC’s website.