The long-promised NHS COVID-19 app has launched in the UK, having previously been trialled only on the Isle of Wight and in the east London borough of Newham. It is intended to help control COVID-19 transmission alongside national and local contact tracing. Adverts begin on UK primetime TV tonight with the strapline: ‘Protect your loved ones. Get the app.’
It’s voluntary, for those aged 16 and over, and available in languages besides English: Urdu, Punjabi, Bangla and Gujarati. Major UK mobile network operators, including Vodafone, Three, EE and O2 (including giffgaff and Tesco Mobile), Sky and Virgin, have confirmed that no in-app activity will come out of customers’ data allowance. Some businesses in England are now required by law to display NHS Test and Trace QR codes so customers with the NHS COVID-19 app can use them to check in.
The contact tracing element of the app works by using low-energy Bluetooth to log what time you spend near other app users, and the distance between you, so it can alert you if someone you have been close to later tests positive for COVID-19 – even if you don’t know each other.
As for data privacy, no personal data is shared with the government or the NHS. The app generates a random ID for an individual’s device, which can be exchanged between devices via Bluetooth (not GPS). These unique random IDs regenerate frequently to add an extra layer of security and preserve anonymity.
The app does not hold personal information such as your name, address or date of birth, and only requires the first half of your postcode to ensure local outbreaks can be managed. For FAQs, visit https://faq.covid19.nhs.uk/.
Health and Social Care Secretary Matt Hancock said: “We are at a tipping point in our efforts to control the spread of this virus. With infection rates rising we must use every tool at our disposal to prevent transmission, including the latest technology. We have worked extensively with tech companies, international partners, and privacy and medical experts – and learned from the trials – to develop an app that is secure, simple to use and will help keep our country safe.
“Today’s launch marks an important step forward in our fight against this invisible killer and I urge everyone who can to download and use the app to protect themselves and their loved ones.”
The mobile phone app was launched in Newham on August 21, with more than 300,000 residents receiving a letter, text message or email with a unique code, encouraging them to download it. Restaurants, cafes, shops, salons, leisure centres, places of worship and other venues were encouraged to display the codes so that app users can scan them when they visit.
As for security and privacy concerns, Paul Farrington, EMEA CTO at Veracode, has urged a DevSecOps approach. He said: “Despite the initial security flaws flagged in the pilot version of the UK’s COVID-19 contact tracing app, the UK has raced to bring the app to the masses. With the general availability launch of the contact tracing app today, the government will need to work with security researchers to help ensure public trust and to drive long-term adoption.
“According to Veracode’s State of Software Security report, 52 per cent of healthcare apps have higher severity (level 4 or 5) flaws. Indeed, of all the industries analysed, which include infrastructure, retail, financial services, government/education, technology and manufacturing, healthcare has the highest prevalence of severe flaws. This is a result of the sector having the longest time to remediation, with a median of 131 days until a flaw is resolved. A fairly high fix rate, however, helps keep the average amount of security debt from getting too out of hand compared to other industries. It is therefore imperative to integrate developers with IT operations and focus on implementing better security practices well ahead of the COVID-19 contact-tracing app’s release. This way development teams can deliver more secure software with greater speed and efficiency.
“DevSecOps can help accelerate the process of delivering secure code and reduce the risk of unplanned work, meaning software can be delivered to the end user more quickly. If the government succeeds in convincing users that the application is secure and privacy is respected, this could be a really important measure in helping to reduce the potential impact of a second wave across the UK.”