TL;DR: please install the app. It’s not malware. It’s not spying on you. It might just help keep infections down, but it can only work if everyone uses it.
I am writing this blog in response to the deluge of misinformation spreading on social media about the NHS Covid 19 app, and the damage this is doing to its reputation and peoples’ willingness to use it. Every day I see many false or misleading statements along these lines being spread widely:
- “It’s not the NHS app, it’s the Serco app”. (Reality: Serco has nothing to do with the app. They operate some aspects of traditional contact tracing, which is a separate endeavour).
- “It’s tracking you”. (Reality: the app doesn’t know your location).
- “Big Brother”. (Reality: the app doesn’t know who you are, where you go, or who you meet).
- “They didn’t bother to make it work on my phone”. (Reality: older phones lack the necessary capabilities).
I’m a professional iOS and Android software developer with a particular interest in application security. I’ve looked at how the app works and I’m satisfied that the app, in conjunction with the Apple/Google exposure notification system, is carefully designed to ensure users’ privacy.
So here are some Q&A style notes that might reassure people who are in any doubt about using the app.
How does the app protect me?
The short answer is, it doesn’t protect you directly. What it does is alert you to the possibility that you have already been infected. That enables you to get tested ASAP and quarantine yourself until you get your test results. So you are playing your part in suppressing the spread.
The longer answer is, if enough people install the app, then it should contribute to a lower R value, and that means you are less likely to be infected. So it does protect you after all – indirectly – but only if there is widespread adoption of the app.
Why do we need an app? What’s wrong with interviewing people and calling their contacts?
Traditional “interview-based” contact tracing is vital and effective. But it’s labour intensive, it can be slow, and some contacts may not be reached. The app can alert people you encountered even if you don’t remember them or cannot name them. The two efforts are almost completely separate and both have an important role to play in suppressing the spread. Belt and braces.
How can it work without revealing my location or identity?
This video explains it well: https://www.youtube.com/watch?v=1Cz2Xzm6knM
My phone continuously transmits a random number using a Bluetooth Low Energy radio beacon. If your phone is nearby, it will receive the number and store it in its memory for the next two weeks. If I then get unwell and receive a positive test result, I trigger my phone to send its random number to a server, which will forward it to every other phone that runs the app. Your phone receives the number, finds the number in its memory, and alerts you that you were potentially exposed. And now you can get a test, and if you are positive then your phone sends its code to the server, and so it continues. Just as the virus spreads exponentially, so too can the exposure notifications.
(I’ve left details out to keep the explanation brief. For example the random numbers change every few minutes.)
It’s clever because it works without revealing anything about you to me, or about me to you, or about either of us to the Government.
Apple and Google got together and developed the underlying technology, which is embedded in your phone’s operating system. They limit whose apps can use it (to bona fide public health authorities) and they also prevent the app from accessing other features of your phone. Notably, the app is banned from accessing your personally identifiable information and your location. That is easy for Apple and Google to enforce due to the strong privacy features already built into iOS and Android.
How can I be sure it’s not tracking my location?
Any app that accesses your location must prompt you for permission. The app can’t get round that. You can also review which permissions your app has in the system settings. Any app that has access to your location would show “Location” on these screens. Note that it also doesn’t have access to your address book.
Then why did my Android phone tell me to switch location on?
Before Android 11, in order to use Bluetooth Low Energy beacons, the overall systemwide switch for location services had to be turned on. That doesn’t mean that the NHS app (or any other app) can access location, unless the app also requests and prompts you for location permission (which it doesn’t).
Why doesn’t my postcode change when I travel around?
Because the app doesn’t know your location! The app has three rather separate functions. The postcode district risk level is not related to exposure notification and is just a general warning about how much infection there is in your area, If you go somewhere else you can put in a different postcode manually if you wish.
What about the venue check-in?
The other rather separate function of the app is scanning a 2D barcode to check in to a venue. This is not part of the Apple/Google technology. But it too is done in such a way that the venue information does not leave the phone. If an outbreak is traced to a particular venue (a superspreader event) then the code for the venue is sent to all phones and your phone checks it against a list of your check-ins that it has stored in its memory, and can notify you if you were in that venue at the time.
NHS app QR codes always look like the one shown. Some venues may still be running their own check-in schemes using incompatible QR codes which require a different app. This is their alternative to asking you to write down your name and phone number on a piece of paper, it’s not part of the official test and trace system except inasmuch as it would enable the venue to provide a list of customers to the manual contact tracing team. A third party app is unlikely to have the same anonymity guarantee as the NHS app.
It doesn’t work on my phone!
Apple support exposure notification on iOS 13 and 14. Older phones which are stuck on iOS 12 can’t use the app. That means iPhone 6 and older. It’s unclear whether this is a deliberate decision by Apple, or because those phones lack the necessary hardware. In any case it’s not the NHS’s decision to not support your phone, it’s Apple’s.
It’s likely that some Android phones lack the necessary type of Bluetooth radio.
If you can’t run it yourself then encourage those of your friends who can, to install it.
In closing I will acknowledge that it’s by no means certain that the app will play a decisive role in quashing the pandemic. It’s new technology and the Bluetooth beacon only gives a rough approximation for how close you were to another phone. But what is certain is that if lots of people refuse to install it, it will never have a chance to succeed. Please do install it and let it have a chance.
The source code for the app is open sourced on GitHub: https://github.com/nhsx/