No, the COVID-19 app does not share your data with the police


Mike Hall
Mike Hall
Mike Hall has been working in software development for over twenty years, the last ten of those as Technical Lead and CTO. He is the producer and host of the long-running podcast Skeptics with a K, part of the organising committee for the award winning skeptical conference QED, and the former president of the Merseyside Skeptics Society.

More from this author

No, the COVID-19 app does not share your data with the police

Claims that the official COVID-19 app shares information with the police are simply unfounded, and only undermine test and trace efforts.

On Saturday evening, the website Health Service Journal (HSJ) published an article claiming the police are to be given contact details for people instructed to self-isolate under the NHS Test and Trace program.

The article was met with an immediate and visceral reaction when posted to Twitter. Frustrated users reported that they had uninstalled the NHS COVID-19 app in anger, while others complained about the violation of their privacy and cited the European Convention on Human Rights. Some sneered at the notion that the app was ever going to respect individual privacy, and that this news validates their decision not to install it.

Cartoon of  four viral particles on a purple background

The problem is: the NHS COVID-19 app is not sending your contact details to the police, and uninstalling it is not going to protect your privacy.

The NHS COVID-19 app works by exchanging anonymous tokens—effectively very long random numbers—with other phones nearby. The tokens associated with a user change regularly, so your device will built a list of tokens it has assigned to you, and when each token was used. Each device running the app maintains two lists of these random numbers: the first contains every token it has sent to another phone in the past two weeks, the second list contains every token received from another phone in the same period.

When someone tests positive for COVID-19, their phone publishes the first list, the list of tokens it has sent to other devices, which other phones then download and compare to the list of tokens they have seen from other devices.

If there is a match, it means you have been in close enough proximity to someone who has a positive test result for your phones to have exchanged information. The app will then assess how likely it is that you were exposed to the virus during that encounter, based on several factors including the strength of the signal between your phones, and if the likelihood of exposure is sufficiently high it will generate a notification to advise to self-isolate.

At no stage in this process does the app gather your name, address, contact details or any other form of identifying information. The data it collects and publishes is a list of random numbers; there is simply no way for the app to tell the police anything. Even the partial postcode, gathered while setting up the app, does not leave your phone.

So, to what is HSJ referring?

The Department of Health confirmed to Sky News that it has agreed a “memorandum of understanding” with the National Police Chiefs Council (NPCC) to provide forces with contact information on those advised to self-isolate, on a case-by-case basis. In practical terms, this means that when investigating reports of someone who is not complying with a mandatory self-isolation period, police can now request information from NHS Test and Trace about whether that person has received a positive test.

However, this data looks to be coming from the COVID-19 test centres, not from the NHS COVID-19 app. Although both are part of the Test and Trace effort, the self-isolation notifications generated by the app are effectively anonymous. Nobody other than the user knows that their device has shown them a notification.

A person wearing a lab coat, face mask and hairnet holds out a sample tube with the words "COVID-19 TEST" alongside it.

Privacy campaigners and public health experts, including the Chief Medical Officer and the British Medical Association, have cautioned that allowing police access to this data may discourage people from being tested and hamper efforts to control the spread of the virus—concerns which I share.

But uninstalling the NHS COVID-19 app is not a useful response, as it is not the source of these privacy issues. Deleting the app will serve only to exacerbate the problem by further undermining the Test and Trace infrastructure.

Finally, it is worth highlighting that the writing of this article was hampered by the requirement by HSJ’s website that the author provides personal information to them before being allowed to read the full article. HSJ also uses embedded tracking scripts to share user data with Facebook, Google, Microsoft, Twitter, Oracle, and others, without asking for permission from the reader first. I sincerely hope the irony of this is not lost on the editors at HSJ.

- Advertisement -

Latest articles

Time Team’s archaeologists showed us how experts can ruthlessly unpick a hoax

Channel 4's archaeology show Time Team's quiet destruction of a would-be hoaxer was a glorious illustration of the power of calm, patient expertise

The COVID-19 Vaccines are a sign for cautious optimism – but it is still early days

Three COVID-19 Vaccines have shown some very promising results, and we should rightly feel optimistic, but we aren't at the finish line yet

How Religion Trumped Science in America’s Coronavirus Response

There's a lot of blame to be apportioned when it comes to America's Coronavirus response - and religion needs to take its share

Real in What Sense? Consensually torturing skeptics over the nature of ‘realness’

Even a skeptic's sense of what is real can be less black and white than we think - and can lead to some surprisingly uncomfortable analysis

Four Perspectives On Peer Review: why it goes wrong, and why we need to fix it

The peer review process is vital, but it is riddled with errors and issues; the quality of future science depends on trying to improve it

More like this