Plus: Serco plays email fail game by mass-mailing human contact tracers; NCSC gives feedback on feedback about beta app
Analysis Worried about identifiable personal data from your coronavirus contact-tracing app making it into a British government database? Fear not! The Ministry of Defence is sanitising it all first.
The bizarre and not-particularly-reassuring pledge came from the MoD last night as it announced that one of its units, called jHub, would be “facilitating the secure transfer of relevant symptom and epidemiology data from the third party COVID-19 apps to the NHSx datastore.”
Public fears are already running high after official COVID-19 contact tracing app maker NHSX’s CEO admitted to Parliament that data harvested by the app would be retained after the pandemic ends for “research”.
Jhub is a military sci-tech thing that aims to bring “market ready or near market technology” into the hands of the armed forces. Its areas of interest include AI, blockchain, behavioural sciences and data analytics, among other areas.
In a statement jHub declared that it would be sanitising inputs from private sector coronavirus tracing apps to remove personally identifiable information before passing what remains onto the National Health Service’s digital arm, NHSX. It said: “jHub will receive and review the data, removing any information which may inadvertently identify users, ensuring that only symptom and demographic data is included. The data will then be checked for any security issues, with any incorrect or duplicate data also being erased.”
It seems doubtful that the Ministry of Defence’s tech appendix – with its focus on areas of heavy marketing interest over the past few years – having access to personally identifying health data is likely to reassure an already sceptical public.
NCSC: We’re listening to you, and not in the GCHQ sense
“We asked for feedback and we’ve had feedback. Lots of it,” wrote the National Cyber Security Centre’s technical gros fromage Ian Levy. In a blogpost addressing the official NHSX COVID-19 app, he thanked everyone who trawled through the beta code posted on Github to poke holes in it.
One key piece of feedback-from-the-feedback is that logs in the beta version of the app which are submitted to NHSX’s servers are not encrypted. Levy explained that a key sentence in his original blog post should have read: “The log is integrity protected with an HMAC [hash-based message authentication code; explanation here], computed [rather than encrypted] with the shared symmetric key.”
He also wrote: “As a design principle, we want to minimise the security dependencies on third parties, including but not limited to Google and Cloudflare, as far as possible. We recognise that wasn’t clear in the documentation for the beta app.”
A new sign-up scheme for the app will be launched following the Isle of Wight trial after lots of folk spotted “weaknesses” with how the current version distributes its public key and installation ID. Those weaknesses include the possibility for attackers to steal the keys and prevent users being notified if someone they had come into contact with tested positive for COVID-19.
Aaaannd 3…2…1…. it’s the first data breach
UK outsourcer Serco has apologised for leaking the email addresses of around 300 human contact tracers, the people paid to go around finding out who an infected person was in touch with before their symptoms began showing.
It appears to have been a classic case of CC-instead-of-BCC, judging by the BBC’s description: “Serco wrote the email to tell new trainees not to contact its help desk looking for training details. But the staff member who sent it put their email addresses in the CC section of the email, rather than the blind CC section – revealing them to every recipient.”
Separately, senior Labour MP Harriet Harman called for stronger legal protections for the data harvested by contact-tracing apps. ®