‘We can’t even see your data’, government insists, after contact tracing app privacy fears
The public cloud infrastructure used to host the Scotland’s proximity contact tracing app has been configured so no one can access user data which is entirely anonymised and encrypted at source, the Scottish Government has insisted.
The NHS Scotland Protect Scotland app, which has now been downloaded by 1.1million people in Scotland, relies on a Bluetooth based ‘exposure notifications system’ developed by Apple and Google which cannot track a user’s location, nor see individuals’ identities.
Only the app itself, which sits on an Amazon Web Services cloud account owned by NHS Education for Scotland, can receive data, but because it is encrypted – turned into random numbers – it means it is entirely anonymised and cannot be associated with someone’s personal information.
A Scottish Government spokesperson said: “The Scottish Government takes the privacy of app users incredibly seriously. That is why a deliberate choice was made that Protect Scotland would use the privacy-first ‘decentralised’ Google/Apple Exposure Notification System, and why an ethical framework was adopted for the development of Protect Scotland. A number of privacy groups were engaged throughout the development of Protect Scotland, as were the Information Commissioners Office. A full Data Protection Impact Assessment has been published alongside a detailed explanation of how people’s data is used. In the interests of full transparency the Scottish Government has also made available the source code used to develop the Protect Scotland app.
“Whilst Amazon Web Services do process some data, as set out in the Privacy Notice and the DPIA, this is done using an existing NHS Education for Scotland (NES) cloud storage account provided by AWS. Only NES control access to this and the data stored in the app backend is entirely anonymised codes. It complies to all NHS Scotland and GDPR data standards, in the same way that all other data that is handled by NHS Scotland and its contracted providers does. Users’ mobile number, test code (and the relevant date) and IP address are not stored by the app and they are not made visible by the app to anyone, including AWS.”
Privacy fears were raised last week over disclaimers included in the download section of the app, which meant users had to automatically agree to Amazon Web Services accessing “personal information”. That information pertained to a mobile phone number, estimated date of infection, an authorisation code, the IP address, the exposure notification and confirmation of app use [which] will go to the NHS. However, the Scottish Government – which contracted the services of Irish company NearForm in developing the app, insisted all the information would be encoded and could not be read by AWS, or them.
Google and Apple have both published privacy notices which insist the exposure notification system – which uses a Bluetooth setting users must agree to switch on for the app to work – does not allow for people’s locations to be tracked, or their identities to be revealed. They say that the Bluetooth system instead only collects random ID numbers from others users who have the app installed, and ENS enabled on their smartphones, whether they be Android or Apple iPhone users. That system only swaps the IDs – described as a ‘virtual handshake between devices’ – if the people who have the setting switched on are within a two-metre proximity of someone else who has the app activated for 15 minutes or more. Anyone that tests positive for COVID-19 in Scotland will then be contacted by a contact tracer, who will ask them about their close contacts and whether they are an app user. If they are an app user, the contact tracer will send them an SMS message with a randomly generated test code to enter into their app alert.
The app will then seek permission to share the anonymous IDs it has been gathering from close contacts over the past 14 days. These IDs are stored on a secure NHS Scotland server so that other users’ apps can periodically check-in to see if they match up with a positive case.
The spokesperson added: “In NearForm and AWS, we are using trusted suppliers used by multiple governments, with all of our work complying with GDPR. We have also carried out a detailed security assessment, with advice from the UK National Cyber Security Centre.”
Scotland’s leading cryptographer, Professor Bill Buchanan, OBE, said: “As a society, we don’t quite understand how the public cloud works. I use AWS, but I own data infrastructure and I am responsible for the security (not Amazon). I can encrypt my data at the source, and Amazon will never see it. I can apply my own access controls on it, and Amazon will never be able to access the data. We really need to be talking about the cloud in a better way and – as experts – get involved in the debate, otherwise we will fail to build new cloud-based systems which better protect our citizens.”
Aberdeenshire leads the way in work-based learning
There has long been debate about the distinction to be drawn between vocational and academic learning. However, in Aberdeenshire Council the focus is on what is best for our learners;…
5G connectivity can ’empower people to restore our planet’
Six years on from the Paris Climate Accords and the world is still getting warmer. We are now seeing first-hand the impact of climate change – the floods and fires…
Cracking the code to offline computational thinking
In our digitally connected world, it can be argued that coding and especially computational thinking have become essential parts of a new ‘computing literacy’ to support traditional literacy. These computational…
Edinburgh rocket company encourages girls to reach for the stars
Since Yuri Gagarin’s maiden trip into space 60 years ago, the aerospace industry has been largely dominated by men. Men are, on average, paid £11,000 more than women. The mean…
How to keep women in tech
Discussions around the gender gap in technology tend to focus on the challenges women face when entering the sector – that is, the subjects they’re encouraged to study at school…
Putting the fun back into learning with edtech and edutainment
Life is all about learning, no matter how young or old you are. If you close your eyes for a second and think back to your school years, it will…
How Facebook took themselves off the internet… a lesson in resilience and a need to decentralise
In a post-pandemic world, one thing that we are now sure of is that we are almost completely dependent on the internet for both our social and working lives. Over…
Forget the elevator, it’s the second pitch that will help you scale new heights
What you say to industry analysts makes the difference in growth The UK is one of the most vibrant places in the world for creating tech ventures. Yet, according to…