
Today I was planning to publish the usual Thursday blog post. However, I would like to draw your attention to this Open Letter instead. This letter was released on April 29, 2020 and signed by top information security experts in the UK. The letter expresses concerns over the NHSX coronavirus contact-tracing app which is due to be released in the UK within the next few weeks. If there is one thing you are going to read this week, please, read this. It will just take 3 minutes of your time. My own opinion about proximity apps can be found here and in this YouTube video. And, yes, I did sign the letter.
Joint Statement
Date: 29 April 2020
We, the undersigned, are scientists and researchers working in the UK in the fields of information security and privacy. We are concerned about plans by NHSX to deploy a contact tracing application. We urge that the health benefits of a digital solution be analysed in depth by specialists from all relevant academic disciplines, and sufficiently proven to be of value to justify the dangers involved.
A contact tracing application is a mobile phone application which records, using Bluetooth, the contacts between individuals, in order to detect a possible risk of infection. Such applications, by design, come with risks for privacy and medical confidentiality which can be mitigated more or less well, but not completely, depending on the approach taken in their design. We believe that any such application will only be used in the necessary numbers if it gives reason to be trusted by those being asked to install it.
It has been reported that NHSX is discussing an approach which records centrally the de-anonymised ID of someone who is infected and also the IDs of all those with whom the infected person has been in contact. This facility would enable (via mission creep) a form of surveillance. Echoing the letter signed by 300 international leading researchers, we note that it is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance. Thus, solutions which allow reconstructing invasive information about individuals must be fully justified. Such invasive information can include the “social graph” of who someone has physically met over a period of time. With access to the social graph, a bad actor (state, private sector, or hacker) could spy on citizens' real-world activities. We are particularly unnerved by a declaration that such a social graph is indeed aimed for by NHSX.
We understand that the current proposed design is intended to meet the requirements set out by the public health teams, but we have seen conflicting advice from different groups about how much data the public health teams need. We hold that the usual data protection principles should apply: collect the minimum data necessary to achieve the objective of the application. We hold it is vital that, if you are to build the necessary trust in the application, the level of data being collected is justified publicly by the public health teams, demonstrating why this is truly necessary rather than simply the easiest way, or a “nice to have”, given the dangers involved and invasive nature of the technology.
We welcome the NHSX commitment to transparency, and in particular Matthew Gould’s commitment made to the Science & Technology committee on 28 April that the data protection impact assessment (DPIA) for the contact tracing application will be published. We are calling on NHSX to publish the DPIA immediately, rather than just before deployment, to enable (a) public debate about its implications and (b) public scrutiny of the security and privacy safeguards put in place.
We are also asking NHSX to, at a minimum, publicly commit that there will not be a database or databases, regardless of what controls are put in place, that would allow de-anonymization of users of its system, other than those self-reporting as infected, to enable the data to be used for building, for example, social graphs.
Finally, we are asking NHSX how it plans to phase out the application after the pandemic has passed to prevent mission creep.
________
Signatures as of Thursday, April 30, 2020 8:45 a.m. UK time:
Signed (in alphabetical order):
Prof Martin Albrecht, Information Security Group, Royal Holloway, University of London
Dr Francisco Aparicio-Navarro, Cyber Technology Institute, De Montfort University
Dr Budi Arief, School of Computing, University of Kent
Prof Rob Aspin, School of Science, Engineering and Environment, University of Salford
Prof David Aspinall, Informatics, University of Edinburgh
Dr Chitra Balakrishna, School of Computing and Communications, Open University
Prof Arosha K. Bandara, School of Computing & Communications, The Open University
Prof Emma Barrett, School of Social Sciences, University of Manchester
Dr Subhajit Basu, School of Law, University of Leeds
Dr Ethan Bayne, Division of Cyber Security, Abertay University
Dr Ingolf Becker, Security and Crime Science, University College London
Dr Xavier Bellekens, Department of Electronic and Electrical Engineering, University Of Strathclyde
Dr Paul Bernal, Law School, University of East Anglia
Dr John Blythe, Dawes Centre for Future Crime, University College London
Prof Eerke Boiten, Cyber Technology Institute, De Montfort University
Prof Pam Briggs, Department of Psychology, Northumbria University
Prof Achim Brucker, Computer Science, University of Exeter
Prof Bill Buchanan, Centre for Cybersecurity and Cryptography, Edinburgh Napier University
Prof Pete Burnap, Centre for Cybersecurity Research, Cardiff University
Prof Lorenzo Cavallaro, Department of Informatics, King's College London
Dr Jonathan Cave, Economics Department, Turing Fellow and University of Warwick
Prof David Chadwick, School of Computing, University of Kent
Dr Jiahong Chen, Horizon Digital Economy Research, University of Nottingham
Prof Liqun Chen, Surrey Centre for Cyber Security, University of Surrey
Prof Carlos Cid, Information Security Group, Royal Holloway, University of London
Dr Chez Ciechanowicz, Information Security Group, Royal Holloway, University of London
Dr Jennifer Cobbe, Department of Computer Science and Technology, University of Cambridge
Prof Lizzie Coles-Kemp, Information Security Group, Royal Holloway, University of London
Dr Lena Y. Connolly, Department of Computer Science, University of Bradford
Mr Ray Corrigan, School of Computing & Communications, The Open University
Dr Caitlin D Cottrill, School of Engineering, University of Aberdeen
Prof Jon Crowcroft, Department of Computer Science and Technology, University of Cambridge
Dr Karen Mc Cullagh, UEA Law School, University of East Anglia
Dr Barney Craggs, Department of Computer Science, University of Bristol
Prof George Danezis, Information Security Group, University College London
Dr Salaheddin Darwish, Information Security Group, Royal Holloway, University of London
Prof Sylvie Delacroix, Birmingham Law School, University of Birmingham
Professor Sally Dibb, Centre for Business in Society, Coventry University
Dr Rachael Dickson, Birmingham Law School, University of Birmingham
Prof Robert Dingwall, School of Social Sciences, Nottingham Trent University
Dr Constantin Catalin Dragan, Surrey Centre for Cyber Security, University of Surrey
Prof Daniel Dresner, Department of Computer Science, University of Manchester
Dr François Dupressoir, Department of Computer Science, University of Bristol
Dr Catherine Easton, Law School, Lancaster University
Prof Peter Edwards, Computing Science, University of Aberdeen
Dr Tariq Elahi, School of Informatics, University of Edinburgh
Dr Shamal Faily, Department of Computing & Informatics, Bournemouth University
Dr Pooya Farshim, Department of Computer Science, University of York
Dr Robert Ian Ferguson, Division of Cybersecurity, Abertay University
Prof Maribel Fernandez, Department of Informatics, King’s College London
Prof Ivan Flechais, Department of Computer Science, University of Oxford
Dr Virginia Franqueira, Kent Interdisciplinary Research Centre in Cyber Security, University of Kent
Dr David Galindo, Centre for Cyber Security and Privacy, University of Birmingham
Dr Vashti Galpin, School of Informatics, University of Edinburgh
Prof Flavio Garcia, School of Computer Science, University of Birmingham
Dr Alexeis Garcia-Perez, Centre for Business in Society, Coventry University
Dr Geoffrey Goodell, Department of Computer Science, University College London
Dr Murray Goulden, Horizon Research Institute, University of Nottingham
Dr Robert Granger, Surrey Centre for Cyber Security, University of Surrey
Dr Duncan Greaves, Department of Computer Science and Cybersecurity, CU Scarborough
Dr Thomas Gross, School of Computing, Newcastle University
Dr Audrey Guinchard, Law School, University of Essex
Dr Gavin Hales, Division of Cyber Security, Abertay University
Prof Chris Hankin, Institute for Security Science and Technology, Imperial College London
Dr Neil Hanley, Centre for Secure Information Technologies, Queen's University Belfast
Prof Feng Hao, Department of Computer Science, University of Warwick
Dr Edina Harbinja, Aston Law School, Aston University
Dr Adam Harkens, School of Law, University of Birmingham
Dr Tristan Henderson, School of Computer Science, University of St Andrews
Prof Julio Hernandez-Castro, Kent Interdisciplinary Research Centre in Cyber Security, University of Kent
Dr Jassim Happa, Information Security Group, Royal Holloway, University of London
Dr Chris Hargreaves, Department of Computer Science, University of Oxford
Dr Julian Huppert, Jesus College, Cambridge
Dr Darren Hurley-Smith, Information Security Group, Royal Holloway, University of London
Prof Michael Huth, Department of Computing, Imperial College London
Dr Philip Inglesant, Department of Computer Science, University of Oxford
Dr Tasmina Islam, Department of Informatics, King's College London
Dr Rikke Bjerg Jensen, Information Security Group, Royal Holloway, University of London
Prof Marina Jirotka, Department of Computer Science, University of Oxford
Dr Geraint Jones, Department of Computer Science, University of Oxford
Dr Nesrine Kaaniche, Department of Computer Science, University of Sheffield
Prof Vasilis Katos, BU-CERT, Bournemouth University
Dr Elif Bilge Kavun, Department of Computer Science, The University of Sheffield
Dr Mohamed Khamis, School of Computing Science, University of Glasgow
Dr M Taimoor Khan, School of Computing and Mathematical Sciences, University of Greenwich
Prof Aggelos Kiayias, School of Informatics, University of Edinburgh
Dr Markulf Kohlweiss, School of Informatics, University of Edinburgh
Dr Phil Legg, Department of Computer Science and Creative Technologies, University of the West of England
Prof Michael Levi, School of Social Sciences, Cardiff University
Prof Mark Levine, Department of Psychology, Lancaster University and the University of Exeter
Prof Stephan Lewandowsky, School of Psychological Science, University of Bristol
Prof Shujun Li, Kent Interdisciplinary Research Centre in Cyber Security, University of Kent
Dr Nóra Ni Loideain, Information Law & Policy Centre, Institute of Advanced Legal Studies, University of London
Prof Nicholas Lord, School of Social Sciences, University of Manchester
Dr Orla Lynskey, Law Department, London School of Economics and Political Science
Prof Christopher T. Marsden, School of Law, Politics and Sociology, University of Sussex
Prof Carsten Maple, WMG, University of Warwick
Prof Andrew Martin, Department of Computer Science, University of Oxford
Prof Keith Martin, Information Security Group, Royal Holloway, University of London
Prof Corinne May-Chahal, Security Lancaster and Sociology, University of Lancaster
Prof Keith Mayes, Information Security Group, Royal Holloway, University of London
Dr Stephen McGough, School of Computing, Newcastle University
Dr Sarah Meiklejohn, Department of Computer Science, University College London
Dr Charles Morisset, School of Computing, Newcastle University
Prof Boris Motik, Department of Computer Science, University of Oxford
Dr Tim Muller, School of Computer Science, University of Nottingham
Prof Madeleine Murtagh, School of Geography, Politics and Sociology, Newcastle University
Dr Victoria Nash, Oxford Internet Institute, University of Oxford
Prof John Naughton, Centre for Research in the Arts, Social Sciences and Humanities (CRASSH), University of Cambridge
Dr Bettina Nissen, Design Informatics, University of Edinburgh
Dr Inah Omoronyia, School of Computing Science, University of Glasgow
Prof Máire O'Neill, Centre for Secure Information Technologies, Queen's University Belfast
Prof Nir Oren, Department of Computing Science, University of Aberdeen
Dr David Oswald, Centre for Cyber Security and Privacy, University of Birmingham
Dr Dan Page, Department of Computer Science, University of Bristol
Dr Simon Parkinson, Department of Computer Science, University of Huddersfield
Dr Thomas Pasquier, Department of Computer Science, University of Bristol
Dr Paul Patras, School of Informatics, The University of Edinburgh
Dr Henry Pearce, School of Law, University of Portsmouth
Dr Andrew Percy, School of Social Science, Education and Social Work, Queen’s University Belfast
Dr Elvira Perez Vallejos, School of Medicine, The University of Nottingham
Dr Fabio Pierazzi, Department of Informatics, King’s College London
Dr Rachel Player, Information Security Group, Royal Holloway, University of London
Prof Ganna Pogrebna, University of Birmingham and Alan Turing Institute
Dr Daniel Prince, School of Computing and Communications, Lancaster University
Dr Elizabeth Quaglia, Information Security Group, Royal Holloway, University of London
Prof Charles Raab, School of Social and Political Science, University of Edinburgh
Dr Ciara Rafferty, Centre for Secure Information Technologies, Queen’s University Belfast
Prof Awais Rashid, Department of Computer Science, University of Bristol
Ms Judith Rauhofer, School of Law, University of Edinburgh
Prof Karen Renaud, Division of Cybersecurity, School of Design & Informatics, Abertay University
Ms Robin Rice, Information Services, University of Edinburgh
Dr Felipe Romero-Moreno, Department of Law, University of Hertfordshire
Prof Bill Roscoe, Department of Computer Science, University of Oxford
Prof Mark Ryan, School of Computer Science, University of Birmingham
Dr Mehmet Sabir Kiraz, Cyber Technology Institute, De Montfort University
Prof Vladimiro Sassone, Electronics and Computer Science, University of Southampton
Dr Nishanth Sastry, Department of Engineering, King’s College London
Prof Burkhard Schafer, School of Law, University of Edinburgh
Prof Steve Schneider, Surrey Centre for Cyber Security, University of Surrey
Dr Nayha Sethi, Centre for Biomedicine, Self and Society, University of Edinburgh
Prof Sakir Sezer, Centre for Secure Information Technologies, Queen's University Belfast
Dr Daniele Sgandurra, Information Security Group, Royal Holloway, University of London
Dr Siamak F. Shahandashti, Department of Computer Science, University of York
Prof Siraj Shaikh, IFTC, Coventry University
Prof Andrew Simpson, Department of Computer Science, University of Oxford
Dr Melanie Smallman, Department of Science and Technology Studies, University College London
Prof Bernd Stahl, Centre for Computing and Social Responsibility, De Montfort University
Prof Frank Stajano, Department of Computer Science and Technology, University of Cambridge
Prof Sophie Stalla-Bourdillon, Southampton Law School, University of Southampton
Dr Avelie Stuart, Department of Psychology, University of Exeter
Dr Guillermo Suarez-Tangil, Department of Informatics, King’s College London
Dr Jose Such, KCL Cybersecurity Centre, King’s College London
Carolyn Ten Holter, Department of Computer Science, University of Oxford
Dr George Theodorakopoulos, Centre for Cybersecurity Research, Cardiff University
Dr Sam Thomas, School of Computer Science, University of Birmingham
Dr Judith Townend, School of Law, Politics and Sociology, University of Sussex
Prof Helen Treharne, Surrey Centre for Cyber Security, University of Surrey
Dr Ismini Vasileiou, Cyber Technology Institute, De Montfort University
Dr Michael Veale, Faculty of Laws, University College London
Dr Vesselin Velichkov, School of Informatics, The University of Edinburgh
Prof Luca Viganò, Department of Informatics, King’s College London
Prof Christian Wagner, School of Computer Science, University of Nottingham
Dr Isabel Wagner, Cyber Technology Institute, De Montfort University
Prof David Wallom, Department of Engineering Science, University of Oxford
Dr Helena Webb, Department of Computer Science, University of Oxford
Dr Sara Wilford, Centre for Computing and Social Responsibility, De Montfort University
Dr Anthony Williams, School of Computer Science and Informatics, De Montfort University
Dr Emma Williams, School of Management, University of Bristol
Prof Lorna Woods, School of Law, University of Essex
Prof Alan Woodward, Surrey Centre for Cyber Security, University of Surrey
Dr Joss Wright, Oxford Internet Institute, University of Oxford
Prof Karen Yeung, Birmingham Law School and School of Computer Science, University of Birmingham
Dr Eiko Yoneki, Computer Laboratory, University of Cambridge
Dr Sameh Zakhary, School of Computer Science, University of Nottingham
Dr Fatemeh Zarrabi Jorshari, Cyber Technology Institute, De Montfort University
For press inquiries about the letter please contact:
Eerke Boiten eerke.boiten@dmu.ac.uk
Mark Ryan m.d.ryan@cs.bham.ac.uk
Alan Woodward alan.woodward@surrey.ac.uk