Cybersecurity Experts Express Concerns over the Proposed NHSX Contact Tracing App


Today I was planning to publish the usual Thursday blog post. However, I would like to draw your attention to this Open Letter instead. This letter was released on April 29, 2020 and signed by top information security experts in the UK. The letter expresses concerns over the NHSX coronavirus contact-tracing app, which is due to be released in the UK within the next few weeks. If there is one thing you are going to read this week, please read this. It will take just 3 minutes of your time. My own opinion about proximity apps can be found here and in this YouTube video. And, yes, I did sign the letter.


Joint Statement


Date: 29 April 2020


We, the undersigned, are scientists and researchers working in the UK in the fields of information security and privacy. We are concerned about plans by NHSX to deploy a contact tracing application. We urge that the health benefits of a digital solution be analysed in depth by specialists from all relevant academic disciplines, and sufficiently proven to be of value to justify the dangers involved.


A contact tracing application is a mobile phone application which records, using Bluetooth, the contacts between individuals, in order to detect a possible risk of infection. Such applications, by design, come with risks for privacy and medical confidentiality which can be mitigated more or less well, but not completely, depending on the approach taken in their design. We believe that any such application will only be used in the necessary numbers if it gives reason to be trusted by those being asked to install it.


It has been reported that NHSX is discussing an approach which records centrally the de-anonymised ID of someone who is infected and also the IDs of all those with whom the infected person has been in contact. This facility would enable (via mission creep) a form of surveillance. Echoing the letter signed by 300 international leading researchers, we note that it is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance. Thus, solutions which allow reconstructing invasive information about individuals must be fully justified. Such invasive information can include the “social graph” of who someone has physically met over a period of time. With access to the social graph, a bad actor (state, private sector, or hacker) could spy on citizens' real-world activities. We are particularly unnerved by a declaration that such a social graph is indeed aimed for by NHSX.


We understand that the current proposed design is intended to meet the requirements set out by the public health teams, but we have seen conflicting advice from different groups about how much data the public health teams need. We hold that the usual data protection principles should apply: collect the minimum data necessary to achieve the objective of the application. We hold it is vital that if you are to build the necessary trust in the application the level of data being collected is justified publicly by the public health teams demonstrating why this is truly necessary rather than simply the easiest way, or a “nice to have”, given the dangers involved and invasive nature of the technology.


We welcome the NHSX commitment to transparency, and in particular Matthew Gould’s commitment made to the Science & Technology committee on 28 April that the data protection impact assessment (DPIA) for the contact tracing application will be published. We are calling on NHSX to publish the DPIA immediately, rather than just before deployment, to enable (a) public debate about its implications and (b) public scrutiny of the security and privacy safeguards put in place.


We are also asking NHSX to, at a minimum, publicly commit that there will not be a database or databases, regardless of what controls are put in place, that would allow de-anonymization of users of its system, other than those self reporting as infected, to enable the data to be used for building, for example, social graphs.


Finally, we are asking NHSX how it plans to phase out the application after the pandemic has passed to prevent mission creep.


________


Signatures as of Thursday, April 30, 2020 8:45 a.m. UK time:


Signed (in alphabetical order):


  • Prof Martin Albrecht, Information Security Group, Royal Holloway, University of London

  • Dr Francisco Aparicio-Navarro, Cyber Technology Institute, De Montfort University

  • Dr Budi Arief, School of Computing, University of Kent

  • Prof Rob Aspin, School of Science, Engineering and Environment, University of Salford

  • Prof David Aspinall, Informatics, University of Edinburgh

  • Dr Chitra Balakrishna, School of Computing and Communications, Open University

  • Prof Arosha K. Bandara, School of Computing & Communications, The Open University

  • Prof Emma Barrett, School of Social Sciences, University of Manchester

  • Dr Subhajit Basu, School of Law, University of Leeds

  • Dr Ethan Bayne, Division of Cyber Security, Abertay University

  • Dr Ingolf Becker, Security and Crime Science, University College London

  • Dr Xavier Bellekens, Department of Electronic and Electrical Engineering, University of Strathclyde

  • Dr Paul Bernal, Law School, University of East Anglia

  • Dr John Blythe, Dawes Centre for Future Crime, University College London

  • Prof Eerke Boiten, Cyber Technology Institute, De Montfort University

  • Prof Pam Briggs, Department of Psychology, Northumbria University

  • Prof Achim Brucker, Computer Science, University of Exeter

  • Prof Bill Buchanan, Centre for Cybersecurity and Cryptography, Edinburgh Napier University

  • Prof Pete Burnap, Centre for Cybersecurity Research, Cardiff University

  • Prof Lorenzo Cavallaro, Department of Informatics, King's College London

  • Dr Jonathan Cave, Economics Department, Turing Fellow and University of Warwick

  • Prof David Chadwick, School of Computing, University of Kent

  • Dr Jiahong Chen, Horizon Digital Economy Research, University of Nottingham

  • Prof Liqun Chen, Surrey Centre for Cyber Security, University of Surrey

  • Prof Carlos Cid, Information Security Group, Royal Holloway, University of London

  • Dr Chez Ciechanowicz, Information Security Group, Royal Holloway, University of London

  • Dr Jennifer Cobbe, Department of Computer Science and Technology, University of Cambridge

  • Prof Lizzie Coles-Kemp, Information Security Group, Royal Holloway, University of London

  • Dr Lena Y. Connolly, Department of Computer Science, University of Bradford

  • Mr Ray Corrigan, School of Computing & Communications, The Open University

  • Dr Caitlin D Cottrill, School of Engineering, University of Aberdeen

  • Prof Jon Crowcroft, Department of Computer Science and Technology, University of Cambridge

  • Dr Karen Mc Cullagh, UEA Law School, University of East Anglia

  • Dr Barney Craggs, Department of Computer Science, University of Bristol

  • Prof George Danezis, Information Security Group, University College London

  • Dr Salaheddin Darwish, Information Security Group, Royal Holloway, University of London

  • Prof Sylvie Delacroix, Birmingham Law School, University of Birmingham

  • Professor Sally Dibb, Centre for Business in Society, Coventry University

  • Dr Rachael Dickson, Birmingham Law School, University of Birmingham

  • Prof Robert Dingwall, School of Social Sciences, Nottingham Trent University

  • Dr Constantin Catalin Dragan, Surrey Centre for Cyber Security, University of Surrey

  • Prof Daniel Dresner, Department of Computer Science, University of Manchester

  • Dr François Dupressoir, Department of Computer Science, University of Bristol

  • Dr Catherine Easton, Law School, Lancaster University

  • Prof Peter Edwards, Computing Science, University of Aberdeen

  • Dr Tariq Elahi, School of Informatics, University of Edinburgh

  • Dr Shamal Faily, Department of Computing & Informatics, Bournemouth University

  • Dr Pooya Farshim, Department of Computer Science, University of York

  • Dr Robert Ian Ferguson, Division of Cybersecurity, Abertay University

  • Prof Maribel Fernandez, Department of Informatics, King’s College London

  • Prof Ivan Flechais, Department of Computer Science, University of Oxford

  • Dr Virginia Franqueira, Kent Interdisciplinary Research Centre in Cyber Security, University of Kent

  • Dr David Galindo, Centre for Cyber Security and Privacy, University of Birmingham

  • Dr Vashti Galpin, School of Informatics, University of Edinburgh

  • Prof Flavio Garcia, School of Computer Science, University of Birmingham

  • Dr Alexeis Garcia-Perez, Centre for Business in Society, Coventry University

  • Dr Geoffrey Goodell, Department of Computer Science, University College London

  • Dr Murray Goulden, Horizon Research Institute, University of Nottingham

  • Dr Robert Granger, Surrey Centre for Cyber Security, University of Surrey

  • Dr Duncan Greaves, Department of Computer Science and Cybersecurity, CU Scarborough

  • Dr Thomas Gross, School of Computing, Newcastle University

  • Dr Audrey Guinchard, Law School, University of Essex

  • Dr Gavin Hales, Division of Cyber Security, Abertay University

  • Prof Chris Hankin, Institute for Security Science and Technology, Imperial College London

  • Dr Neil Hanley, Centre for Secure Information Technologies, Queen's University Belfast

  • Prof Feng Hao, Department of Computer Science, University of Warwick

  • Dr Edina Harbinja, Aston Law School, Aston University

  • Dr Adam Harkens, School of Law, University of Birmingham

  • Dr Tristan Henderson, School of Computer Science, University of St Andrews

  • Prof Julio Hernandez-Castro, Kent Interdisciplinary Research Centre in Cyber Security, University of Kent

  • Dr Jassim Happa, Information Security Group, Royal Holloway, University of London

  • Dr Chris Hargreaves, Department of Computer Science, University of Oxford

  • Dr Julian Huppert, Jesus College, Cambridge

  • Dr Darren Hurley-Smith, Information Security Group, Royal Holloway, University of London

  • Prof Michael Huth, Department of Computing, Imperial College London

  • Dr Philip Inglesant, Department of Computer Science, University of Oxford

  • Dr Tasmina Islam, Department of Informatics, King's College London

  • Dr Rikke Bjerg Jensen, Information Security Group, Royal Holloway, University of London

  • Prof Marina Jirotka, Department of Computer Science, University of Oxford

  • Dr Geraint Jones, Department of Computer Science, University of Oxford

  • Dr Nesrine Kaaniche, Department of Computer Science, University of Sheffield

  • Prof Vasilis Katos, BU-CERT, Bournemouth University

  • Dr Elif Bilge Kavun, Department of Computer Science, The University of Sheffield

  • Dr Mohamed Khamis, School of Computing Science, University of Glasgow

  • Dr M Taimoor Khan, School of Computing and Mathematical Sciences, University of Greenwich

  • Prof Aggelos Kiayias, School of Informatics, University of Edinburgh

  • Dr Markulf Kohlweiss, School of Informatics, University of Edinburgh

  • Dr Phil Legg, Department of Computer Science and Creative Technologies, University of the West of England

  • Prof Michael Levi, School of Social Sciences, Cardiff University

  • Prof Mark Levine, Department of Psychology, Lancaster University and the University of Exeter

  • Prof Stephan Lewandowsky, School of Psychological Science, University of Bristol

  • Prof Shujun Li, Kent Interdisciplinary Research Centre in Cyber Security, University of Kent

  • Dr Nóra Ni Loideain, Information Law & Policy Centre, Institute of Advanced Legal Studies, University of London

  • Prof Nicholas Lord, School of Social Sciences, University of Manchester

  • Dr Orla Lynskey, Law Department, London School of Economics and Political Science

  • Prof Christopher T. Marsden, School of Law, Politics and Sociology, University of Sussex

  • Prof Carsten Maple, WMG, University of Warwick

  • Prof Andrew Martin, Department of Computer Science, University of Oxford

  • Prof Keith Martin, Information Security Group, Royal Holloway, University of London

  • Prof Corinne May-Chahal, Security Lancaster and Sociology, University of Lancaster

  • Prof Keith Mayes, Information Security Group, Royal Holloway, University of London

  • Dr Stephen McGough, School of Computing, Newcastle University

  • Dr Sarah Meiklejohn, Department of Computer Science, University College London

  • Dr Charles Morisset, School of Computing, Newcastle University

  • Prof Boris Motik, Department of Computer Science, University of Oxford

  • Dr Tim Muller, School of Computer Science, University of Nottingham

  • Prof Madeleine Murtagh, School of Geography, Politics and Sociology, Newcastle University

  • Dr Victoria Nash, Oxford Internet Institute, University of Oxford

  • Prof John Naughton, Centre for Research in the Arts, Social Sciences and Humanities (CRASSH), University of Cambridge

  • Dr Bettina Nissen, Design Informatics, University of Edinburgh

  • Dr Inah Omoronyia, School of Computing Science, University of Glasgow

  • Prof Máire O'Neill, Centre for Secure Information Technologies, Queen's University Belfast

  • Prof Nir Oren, Department of Computing Science, University of Aberdeen

  • Dr David Oswald, Centre for Cyber Security and Privacy, University of Birmingham

  • Dr Dan Page, Department of Computer Science, University of Bristol

  • Dr Simon Parkinson, Department of Computer Science, University of Huddersfield

  • Dr Thomas Pasquier, Department of Computer Science, University of Bristol

  • Dr Paul Patras, School of Informatics, The University of Edinburgh

  • Dr Henry Pearce, School of Law, University of Portsmouth

  • Dr Andrew Percy, School of Social Science, Education and Social Work, Queen’s University Belfast

  • Dr Elvira Perez Vallejos, School of Medicine, The University of Nottingham

  • Dr Fabio Pierazzi, Department of Informatics, King’s College London

  • Dr Rachel Player, Information Security Group, Royal Holloway, University of London

  • Prof Ganna Pogrebna, University of Birmingham and Alan Turing Institute

  • Dr Daniel Prince, School of Computing and Communications, Lancaster University

  • Dr Elizabeth Quaglia, Information Security Group, Royal Holloway, University of London

  • Prof Charles Raab, School of Social and Political Science, University of Edinburgh

  • Dr Ciara Rafferty, Centre for Secure Information Technologies, Queen’s University Belfast

  • Prof Awais Rashid, Department of Computer Science, University of Bristol

  • Ms Judith Rauhofer, School of Law, University of Edinburgh

  • Prof Karen Renaud, Division of Cybersecurity, School of Design & Informatics, Abertay University

  • Ms Robin Rice, Information Services, University of Edinburgh

  • Dr Felipe Romero-Moreno, Department of Law, University of Hertfordshire

  • Prof Bill Roscoe, Department of Computer Science, University of Oxford

  • Prof Mark Ryan, School of Computer Science, University of Birmingham

  • Dr Mehmet Sabir Kiraz, Cyber Technology Institute, De Montfort University

  • Prof Vladimiro Sassone, Electronics and Computer Science, University of Southampton

  • Dr Nishanth Sastry, Department of Engineering, King’s College London

  • Prof Burkhard Schafer, School of Law, University of Edinburgh

  • Prof Steve Schneider, Surrey Centre for Cyber Security, University of Surrey

  • Dr Nayha Sethi, Centre for Biomedicine, Self and Society, University of Edinburgh

  • Prof Sakir Sezer, Centre for Secure Information Technologies, Queen's University Belfast

  • Dr Daniele Sgandurra, Information Security Group, Royal Holloway, University of London

  • Dr Siamak F. Shahandashti, Department of Computer Science, University of York

  • Prof Siraj Shaikh, IFTC, Coventry University

  • Prof Andrew Simpson, Department of Computer Science, University of Oxford

  • Dr Melanie Smallman, Department of Science and Technology Studies, University College London

  • Prof Bernd Stahl, Centre for Computing and Social Responsibility, De Montfort University

  • Prof Frank Stajano, Department of Computer Science and Technology, University of Cambridge

  • Prof Sophie Stalla-Bourdillon, Southampton Law School, University of Southampton

  • Dr Avelie Stuart, Department of Psychology, University of Exeter

  • Dr Guillermo Suarez-Tangil, Department of Informatics, King’s College London

  • Dr Jose Such, KCL Cybersecurity Centre, King’s College London

  • Carolyn Ten Holter, Department of Computer Science, University of Oxford

  • Dr George Theodorakopoulos, Centre for Cybersecurity Research, Cardiff University

  • Dr Sam Thomas, School of Computer Science, University of Birmingham

  • Dr Judith Townend, School of Law, Politics and Sociology, University of Sussex

  • Prof Helen Treharne, Surrey Centre for Cyber Security, University of Surrey

  • Dr Ismini Vasileiou, Cyber Technology Institute, De Montfort University

  • Dr Michael Veale, Faculty of Laws, University College London

  • Dr Vesselin Velichkov, School of Informatics, The University of Edinburgh

  • Prof Luca Viganò, Department of Informatics, King’s College London

  • Prof Christian Wagner, School of Computer Science, University of Nottingham

  • Dr Isabel Wagner, Cyber Technology Institute, De Montfort University

  • Prof David Wallom, Department of Engineering Science, University of Oxford

  • Dr Helena Webb, Department of Computer Science, University of Oxford

  • Dr Sara Wilford, Centre for Computing and Social Responsibility, De Montfort University

  • Dr Anthony Williams, School of Computer Science and Informatics, De Montfort University

  • Dr Emma Williams, School of Management, University of Bristol

  • Prof Lorna Woods, School of Law, University of Essex

  • Prof Alan Woodward, Surrey Centre for Cyber Security, University of Surrey

  • Dr Joss Wright, Oxford Internet Institute, University of Oxford

  • Prof Karen Yeung, Birmingham Law School and School of Computer Science, University of Birmingham

  • Dr Eiko Yoneki, Computer Laboratory, University of Cambridge

  • Dr Sameh Zakhary, School of Computer Science, University of Nottingham

  • Dr Fatemeh Zarrabi Jorshari, Cyber Technology Institute, De Montfort University


For press inquiries about the letter please contact:





© 2020 by Ganna Pogrebna and Boris Taratine