NHS Covid-19 app shortcoming?

Mick F
Spambuster
Posts: 50331
Joined: 7 Jan 2007, 11:24am
Location: Tamar Valley, Cornwall

Re: NHS Covid-19 app shortcoming?

Postby Mick F » 29 Sep 2020, 7:02pm

.............. using Bluetooth to keep an anonymous log of close contacts who have come within two metres of a person for 15 minutes or longer.

If two people who are using the app are in close contact to one another for more than five minutes, they will exchange keys, or Bluetooth "digital handshakes". The Bluetooth signal strength is used to measure proximity.

The data logged through these interactions is used to build up a points score of how many times and how long someone has interacted with another person over the course of a day.

If someone tests positive for coronavirus, they can tell the app, which will then ping their keys to a central server and in turn find out who has been in contact with that individual.

Should the system determine a person as a close contact, they will be automatically sent a notification asking them to self-isolate for two weeks. The recipient of the alert is not told who triggered the notification.
Mick F. Cornwall

Syd
Posts: 696
Joined: 23 Sep 2018, 2:27pm

NHS Covid-19 app shortcoming?

Postby Syd » 29 Sep 2020, 7:07pm

The ‘NHS’ app doesn’t care where you are. All it wants to know is if your phone (which is assumed to be on your person), is within 1* metre of another phone (assumed to be on the person of someone who tests positive) for 15* minutes or more.

* figures that have previously been touted but I can’t be rs’d checking if that’s still the case.

PH
Posts: 9610
Joined: 21 Jan 2007, 12:31am
Location: Derby

Re: NHS Covid-19 app shortcoming?

Postby PH » 29 Sep 2020, 10:21pm

Mick F wrote:
PH wrote:
Mick F wrote:What happens if someone tests positive and was there mid afternoon or into the evening?
I would have been nowhere near them, but the app would alert me and suggest I get a test! :shock:

Unless you've left your phone there, the app knows when you were there.
No it doesn't.
It doesn't know where you are unless you scan a QR code on entry .............. and you can't scan an exit code, so the app continues to have you there long after you've gone ................. and taken your phone with you.

It knows if you've been in bluetooth range of another phone using the app, but not where anyone is/was unless a QR code is scanned.

Splitting hairs, the Bluetooth on your phone doesn't normally register with other phones in the pub, so it's the app. Either way, the scenario in your opening post is false.
I would have been nowhere near them, but the app would alert me and suggest I get a test!

That isn't the case.

Mick F
Spambuster
Posts: 50331
Joined: 7 Jan 2007, 11:24am
Location: Tamar Valley, Cornwall

Re: NHS Covid-19 app shortcoming?

Postby Mick F » 30 Sep 2020, 7:35pm

Ok guys ...........

The app registers being near other app users via bluetooth so long as they have their bluetooth on too and their app running.
Fine so far.

From what I see on the app, there is no way of knowing how many other app users have been logged on your personal phone or on theirs.
How do we know who we have been near and for how long and where?

What is the venue logging of the QR code actually for?
As I said, we were out shopping and there were no QR codes to log into.
Therefore, whilst in the supermarket with loadsa people, how many had the app and how many registered within my app ........... or within theirs?

How can you find out?
Where is all the data?
Mick F. Cornwall


Mick F
Spambuster
Posts: 50331
Joined: 7 Jan 2007, 11:24am
Location: Tamar Valley, Cornwall

Re: NHS Covid-19 app shortcoming?

Postby Mick F » 1 Oct 2020, 9:00am

Thanks ..............

From what I read there, the data is held on the user's phone as well as other places.
What is held on our phones?
Whatever it is, it's recoverable by hook or by crook.
Mick F. Cornwall

mjr
Posts: 16368
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: NHS Covid-19 app shortcoming?

Postby mjr » 1 Oct 2020, 9:28am

Mick F wrote:What is held on our phones?
Whatever it is, it's recoverable by hook or by crook.

As I understand it, the id tokens of other apps you were near for long enough. You can probably extract them but you can't tell whose they are unless you get their phones, pretty much.

Unless someone goofed or did something Machiavellian.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.

Mick F
Spambuster
Posts: 50331
Joined: 7 Jan 2007, 11:24am
Location: Tamar Valley, Cornwall

Re: NHS Covid-19 app shortcoming?

Postby Mick F » 1 Oct 2020, 3:56pm

ID tokens?
Sorry, beyond me! :wink:

The way I understand it, is that if someone (with the app) tests positive and tells their app, all the other phones that theirs has been near with the app running, will get a text.

If they get a text, the "system" must know these phone numbers.

Where are all these phone numbers stored?
Mick F. Cornwall

Jdsk
Posts: 3831
Joined: 5 Mar 2019, 5:42pm

Re: NHS Covid-19 app shortcoming?

Postby Jdsk » 1 Oct 2020, 4:01pm

"Privacy-safe contact tracing using Bluetooth Low Energy"
https://blog.google/documents/57/Overview_of_COVID-19_Contact_Tracing_Using_BLE.pdf

"Apple and Google joint initiative on COVID-19 contact tracing technology"
https://ico.org.uk/media/about-the-ico/documents/2617653/apple-google-api-opinion-final-april-2020.pdf

NB: It doesn't all work at the level of 'phone numbers and text messages.

Jonathan

Mick F
Spambuster
Posts: 50331
Joined: 7 Jan 2007, 11:24am
Location: Tamar Valley, Cornwall

Re: NHS Covid-19 app shortcoming?

Postby Mick F » 1 Oct 2020, 4:14pm

Excellent! :D
Thanks muchly.
Mick F. Cornwall

mjr
Posts: 16368
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: NHS Covid-19 app shortcoming?

Postby mjr » 1 Oct 2020, 6:09pm

Mick F wrote:ID tokens?
Sorry, beyond me! :wink:

The ID token is just a code generated by the app on your phone. In theory, it should be unique* to that app on that phone but not otherwise linked to your phone number or ID.

The way I understand it, is that if someone (with the app) tests positive and tells their app, all the other phones that theirs has been near with the app running, will get a text.

If they get a text, the "system" must know these phone numbers.

Where are all these phone numbers stored?

Nowhere. You get a notification from the app, not a text.

What should* happen is the positive app tells the NHS server, which remembers that, and then your app periodically calls the NHS server to get the list of all apps that have tested positive recently, then checks if it has seen any of them recently.

* - I've not checked this but I've read it.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.

RickH
Posts: 5227
Joined: 5 Mar 2012, 6:39pm
Location: Horwich, Lancs.

Re: NHS Covid-19 app shortcoming?

Postby RickH » 1 Oct 2020, 6:55pm

mjr wrote:
Mick F wrote:ID tokens?
Sorry, beyond me! :wink:

The ID token is just a code generated by the app on your phone. In theory, it should be unique* to that app on that phone but not otherwise linked to your phone number or ID.

The way I understand it, is that if someone (with the app) tests positive and tells their app, all the other phones that theirs has been near with the app running, will get a text.

If they get a text, the "system" must know these phone numbers.

Where are all these phone numbers stored?

Nowhere. You get a notification from the app, not a text.

What should* happen is the positive app tells the NHS server, which remembers that, and then your app periodically calls the NHS server to get the list of all apps that have tested positive recently, then checks if it has seen any of them recently.

* - I've not checked this but I've read it.

That sounds about what I understand to be the case.

The only additional thing I presume is that the app also stores a code for venues scanned in & checks that code against a list of venues with positive cases that have visited that venue in the same time frame & causes the app to warn you accordingly. Nothing gets sent out, the app checks a list to see if a venue code on the phone is flagged.

Syd
Posts: 696
Joined: 23 Sep 2018, 2:27pm

Re: NHS Covid-19 app shortcoming?

Postby Syd » 1 Oct 2020, 7:06pm

It would be a very simple process to use, or generate, a unique ID for a smart phone as a hash of its IMEI number or MAC address which are already unique to the device.

mjr
Posts: 16368
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: NHS Covid-19 app shortcoming?

Postby mjr » 1 Oct 2020, 7:12pm

Syd wrote:It would be a very simple process to use, or generate, a unique ID for a smart phone as a hash of its IMEI number or MAC address which are already unique to the device.

The problem with that would be that a known phone could be linked to its ID(s) which has a lot of privacy drawbacks whereas they claim the app does not access phone data and the IDs are random.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.
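
The flow described in the posts above (random per-app IDs, a server that holds only the IDs of apps that reported a positive test, and matching done on each phone), as an added example that is not from any poster and is not the NHS app's or the Apple/Google API's code. The class and method names are hypothetical, one token per contact is a modelling assumption, and the 15-minute threshold is the figure quoted earlier in the thread.

```python
import secrets

class Server:
    """Holds only the random tokens of apps that reported a positive test."""
    def __init__(self):
        self.positive_tokens = set()

    def download(self):
        # Every app fetches the same list; the server never learns who matched.
        return frozenset(self.positive_tokens)

class Phone:
    """Model of one app install (hypothetical names, not the real app)."""
    def __init__(self):
        self.own_tokens = []   # random IDs this phone has broadcast
        self.seen_tokens = {}  # token heard nearby -> minutes in range

    def new_token(self):
        # Random, so it is not derived from IMEI, MAC address or phone number.
        token = secrets.token_hex(16)
        self.own_tokens.append(token)
        return token

    def hear(self, token, minutes):
        # Kept on this phone only; the token does not say whose it is.
        self.seen_tokens[token] = self.seen_tokens.get(token, 0) + minutes

    def report_positive(self, server):
        # Only this phone's own tokens go up, not the tokens it has heard.
        server.positive_tokens.update(self.own_tokens)

    def check_exposure(self, server, threshold_minutes=15):
        # Matching happens locally against the downloaded list.
        published = server.download()
        return any(minutes >= threshold_minutes
                   for token, minutes in self.seen_tokens.items()
                   if token in published)

def demo():
    # Constructed scenario: Bob was near Alice for 20 minutes, Carol for 3.
    server = Server()
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.hear(alice.new_token(), 20)
    carol.hear(alice.new_token(), 3)
    alice.report_positive(server)
    return bob.check_exposure(server), carol.check_exposure(server), server

if __name__ == "__main__":
    print(demo()[:2])
```
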

Jdsk
Posts: 3831
Joined: 5 Mar 2019, 5:42pm

Re: NHS Covid-19 app shortcoming?

Postby Jdsk » 2 Oct 2020, 9:09am

mjr wrote:What should* happen is the positive app tells the NHS server, which remembers that, and then your app periodically calls the NHS server to get the list of all apps that have tested positive recently, then checks if it has seen any of them recently.

* - I've not checked this but I've read it.

For the encounter management as opposed to any other functions, and in England:

1 There isn't anything like a central patient database: the information stored is minimal, encrypted and transient. (I'm not suggesting that the quoted post implied anything different.)

2 It isn't run by the NHS. It's run by the Department of Health and Social Care on commercial servers:
"A DHSC secure computing infrastructure, hosted on Amazon Web Services [AWS] UK and Microsoft Azure Cloud Services (UK) supporting the app, which includes a database holding exposure notification diagnosis keys"
https://www.gov.uk/government/publications/nhs-covid-19-app-privacy-information/the-nhs-test-and-trace-app-early-adopter-trial-august-2020-data-protection-impact-assessment

Jonathan