Campaign groups warn GCHQ can re-identify UK’s phones from COVID-19 contact-tracing app data

Campaign groups have written to the UK Prime Minister warning GCHQ and its digital arm, the National Cyber Security Centre (NCSC), will have the capacity to re-identify the phones of people who have installed the nation’s coronavirus contact-tracing app.

In an open letter to Prime Minister Boris Johnson [PDF], the groups say the proposed phone app risks a drift toward a surveillance state. Groups who signed the missive include tech justice nonprofit Foxglove and digital rights campaigners Access Now.

The legal framework for the software, currently being trialled on the Isle of Wight, is inadequate to protect people from misuse of their data, as noted by the Joint Committee on Human Rights.

“Parliament has to quickly issue an adequate legal framework that guarantees users’ human rights protection,” argued the letter, also signed by Paul Bernal, associate professor of IT, IP and media Law at UEA Law School and Andy Phippen, Professor of Digital Rights at Bournemouth University.

The groups echo warnings about the use of a centralised model for the collection, processing and storage of users’ data. “The centralised recording of data could facilitate mission creep; there is no guarantee that the Government will not add additional tracking features or later use the data for purposes other than COVID-19 tracking. Of particular concern is the fact that the National Cyber Security Centre and GCHQ will have the capacity to (re)identify the phones of people who have installed the app. Based on the UK Government’s track record on surveillance, we consider these risks to be real,” the letter said.

Meanwhile, the campaigners warn of over-reach in another government plan: to combat COVID-19 fake-news. In March, Department for Digital, Culture, Media and Sport launched a “Counter Disinformation Cell” aimed at combating “false and misleading narratives.”

The campaigners’ letter claims the Rapid Response Unit, which operated from within the Cabinet Office and No10 since April 2018, is currently supporting the work of the Counter Disinformation Cell. That includes work with social media platforms to remove “harmful content.”

It might not be a good idea for tinfoil hat wearing conspiracy theorists spouting nonsense about links between 5G and COVID-19 to gain access to a huge audience. But there is a balance to strike, the campaigners said.

They continued:

The problem is, it seems, that opportunities to scrutinise government use of contact-tracing app data and the behaviour of the anti-fake-news team are being limited.

In April, the Information Commissioner’s Office (ICO) said it would be “flexible around enforcing Freedom of Information obligations and has told requesters that they might experience delays when making information requests during the pandemic,” according to the letter.

The impact on transparency is already clear, it goes on to claim. The groups mentioned an FoI request made on April 3 for more information about patient data-sharing deals between the UK Government and tech companies that had not yet received a substantive reply.

Concerns in the campaigners’ letter are supported by news that a unit of the MoD, called jHub, would be “facilitating the secure transfer of relevant symptom and epidemiology data from the third party COVID-19 apps to the NHSx datastore.”

Meanwhile, evidence mounts that the contact tracing app is riddled with bugs and fails to anonymise data.

The Register has contacted Number 10 and the ICO for their response. ®

Sponsored: Practical tips for Office 365 tenant-to-tenant migration

READ MORE HERE