‘We can’t even see your data’, government insists, after contact tracing app privacy fears
The public cloud infrastructure used to host the Scotland’s proximity contact tracing app has been configured so no one can access user data which is entirely anonymised and encrypted at source, the Scottish Government has insisted.
The NHS Scotland Protect Scotland app, which has now been downloaded by 1.1million people in Scotland, relies on a Bluetooth based ‘exposure notifications system’ developed by Apple and Google which cannot track a user’s location, nor see individuals’ identities.
Only the app itself, which sits on an Amazon Web Services cloud account owned by NHS Education for Scotland, can receive data, but because it is encrypted – turned into random numbers – it means it is entirely anonymised and cannot be associated with someone’s personal information.
A Scottish Government spokesperson said: “The Scottish Government takes the privacy of app users incredibly seriously. That is why a deliberate choice was made that Protect Scotland would use the privacy-first ‘decentralised’ Google/Apple Exposure Notification System, and why an ethical framework was adopted for the development of Protect Scotland. A number of privacy groups were engaged throughout the development of Protect Scotland, as were the Information Commissioners Office. A full Data Protection Impact Assessment has been published alongside a detailed explanation of how people’s data is used. In the interests of full transparency the Scottish Government has also made available the source code used to develop the Protect Scotland app.
“Whilst Amazon Web Services do process some data, as set out in the Privacy Notice and the DPIA, this is done using an existing NHS Education for Scotland (NES) cloud storage account provided by AWS. Only NES control access to this and the data stored in the app backend is entirely anonymised codes. It complies to all NHS Scotland and GDPR data standards, in the same way that all other data that is handled by NHS Scotland and its contracted providers does. Users’ mobile number, test code (and the relevant date) and IP address are not stored by the app and they are not made visible by the app to anyone, including AWS.”
Privacy fears were raised last week over disclaimers included in the download section of the app, which meant users had to automatically agree to Amazon Web Services accessing “personal information”. That information pertained to a mobile phone number, estimated date of infection, an authorisation code, the IP address, the exposure notification and confirmation of app use [which] will go to the NHS. However, the Scottish Government – which contracted the services of Irish company NearForm in developing the app, insisted all the information would be encoded and could not be read by AWS, or them.
Google and Apple have both published privacy notices which insist the exposure notification system – which uses a Bluetooth setting users must agree to switch on for the app to work – does not allow for people’s locations to be tracked, or their identities to be revealed. They say that the Bluetooth system instead only collects random ID numbers from others users who have the app installed, and ENS enabled on their smartphones, whether they be Android or Apple iPhone users. That system only swaps the IDs – described as a ‘virtual handshake between devices’ – if the people who have the setting switched on are within a two-metre proximity of someone else who has the app activated for 15 minutes or more. Anyone that tests positive for COVID-19 in Scotland will then be contacted by a contact tracer, who will ask them about their close contacts and whether they are an app user. If they are an app user, the contact tracer will send them an SMS message with a randomly generated test code to enter into their app alert.
The app will then seek permission to share the anonymous IDs it has been gathering from close contacts over the past 14 days. These IDs are stored on a secure NHS Scotland server so that other users’ apps can periodically check-in to see if they match up with a positive case.
The spokesperson added: “In NearForm and AWS, we are using trusted suppliers used by multiple governments, with all of our work complying with GDPR. We have also carried out a detailed security assessment, with advice from the UK National Cyber Security Centre.”
Scotland’s leading cryptographer, Professor Bill Buchanan, OBE, said: “As a society, we don’t quite understand how the public cloud works. I use AWS, but I own data infrastructure and I am responsible for the security (not Amazon). I can encrypt my data at the source, and Amazon will never see it. I can apply my own access controls on it, and Amazon will never be able to access the data. We really need to be talking about the cloud in a better way and – as experts – get involved in the debate, otherwise we will fail to build new cloud-based systems which better protect our citizens.”
The pandemic has taught me how to share more – and I feel a better leader for it
As a young professional starting out in the tech sector 30 years ago, I thrived on the fast pace,constant change and demanding workload. I lived in London, Singapore and Australia…
We need to shout about our successes. Liz Fletcher on celebrating women in biotech
Throughout my career in biotechnology and life sciences, I have seen many women leading ground-breaking research studies in their fields of expertise. Yet, and I include myself in this, we…
Getting the best out of patient data is key to unlocking future health benefits in Scotland
It is important that clinicians’ voices are heard in the consultation around Scotland’s new health and care data strategy, which closes this week (12 August). Busy GPs like myself are the trusted…
How motherhood helped me be a better leader
Consider this an open letter to anyone I have worked with before I became a mother and before I fully understood how being a parent is actually a prized asset…
‘We cannot achieve our goals without entrepreneurs’ – Kate Forbes on vision for new ‘tech scaler’ network
From the very start of my ministerial career, I have had responsibility for the Scottish tech sector – and I can still say what I have said from the start,…
Finding a role in cyber was ‘tough’ for Cheryl Torano. Now she’s determined to help other women join an under-represented industry
When I decided to upskill to change careers at the age of 30 and dive into the digital world, I knew I would be starting out at the bottom of…
Why innovation and marketing are the perfect partners to make changes that matter￼
With the rapid evolution of traditional marketing and the appearance of digital marketing, technology and innovation has become part of any marketer’s life without the need of working for a…
Transitioning to a four-day week – CEO’s vow to strike a healthier balance in the workplace
I came to Scotland nearly 20 years ago from Ireland, with no contacts but a lot of determination. While Ireland will always be my home, Scotland has given me amazing…