USERS of the UK Government's coronavirus contact tracing app could be giving away intimate secrets, experts have warned.
Security researchers found a weakness in the app's registration process could be exploited by hackers and used to manipulate data or create logs of fake contact events.
And Professor Vanessa Teague and Dr Chris Culnane also found the storing of unencrypted data on a user's phone could potentially be used by law enforcement agencies to determine when two or more people met.
Their research found that generating new random ID codes for users once a day, rather than every 15 minutes like in other systems, makes it theoretically possible to determine intimate details about an app user's lifestyle, such as whether they "woke up and went to bed with the same person, or more revealingly, if they did not".
The issues have been flagged to the National Cyber Security Centre (NCSC), which is involved in the app's development, which says it is in the process of fixing them.
The researchers warned strong legal protections around data use are needed in order to better protect personal privacy on the app, which is currently being trialled on the Isle of Wight and could be rolled out further.
They say data associated with the app - which has been downloaded tens of thousands of times, potentially by people living in other places - should be protected by legislation "from use by law enforcement, or any usage not directly related to Covid-19 prevention".
Harriet Harman, chair of the Joint Committee on Human Rights, has said new laws to protect the privacy of personal information gathered by the app are a "no brainer".
Harman, who has prepared a Bill on the issue which is ready for introduction, said assurances by Health Secretary Matt Hancock do not provide any protection after he wrote to her saying the Government believes legislation is unnecessary because there is already the Data Protection Act.
In a blog post, Dr Ian Levy, technical director of the NCSC, said: "The intent of being open before national launch was to show what the app will do, how it will do it, and to get some peer review from security and privacy researchers.
"Thank-you to everyone who's taken the time to look at the design and the beta code and provide us with useful feedback.
"Everything reported to the team will be properly triaged (although this is taking longer than normal)."
In a further statement, the NCSC said: "Responsible security researchers are an overwhelming force for good and their feedback was openly requested for the quickly developed beta app.
"It was always hoped that measures such as releasing the code and explaining decisions behind the app would generate meaningful discussion with the security and privacy community.
"We look forward to continuing to work with security and cryptography researchers to make the app the best it can be for the public."
On Sunday, Scottish Health Secretary Jeane Freeman said the app will only be introduced in Scotland if it is found to compliment existing work here.
Why are you making commenting on The National only available to subscribers?
We know there are thousands of National readers who want to debate, argue and go back and forth in the comments section of our stories. We’ve got the most informed readers in Scotland, asking each other the big questions about the future of our country.
Unfortunately, though, these important debates are being spoiled by a vocal minority of trolls who aren’t really interested in the issues, try to derail the conversations, register under fake names, and post vile abuse.
So that’s why we’ve decided to make the ability to comment only available to our paying subscribers. That way, all the trolls who post abuse on our website will have to pay if they want to join the debate – and risk a permanent ban from the account that they subscribe with.
The conversation will go back to what it should be about – people who care passionately about the issues, but disagree constructively on what we should do about them. Let’s get that debate started!
Callum Baird, Editor of The National
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules hereLast Updated:
Report this comment Cancel