NHSX Contact Tracing App: In-depth explanation of how it works is available

These in-depth, detailed explanations of how the NHSX Contact Tracing App actually works (from head of the NCSC) seek to settle people’s minds on privacy concerns. Have a read – Has it helped convince you?

Person holding a mobile phone to download the contact tracing app

One of the main concerns voiced in connection with the NHSX Contact Tracing App has been that the privacy of those using it will be compromised. This has been a view from some of the public, as well as a selection of articles in the media.

There have been a number of high-level explanations of how the App works, touching on the privacy aspects, such as News OnTheWight’s How to setup NHSX Contact Tracing App article, but sometimes high-level isn’t enough.

National Cyber Security Centre
Dr Ian Levy, Technical Director, NCSC (The National Cyber Security Centre) has published an article that goes into how the App and the system behind it works.

The first half of the document gives background on the history of contact tracing and discusses the Centralised and Decentralised models (UK is launching with Centralised).

Getting into the detail
The lower section is where those who are seeking detail should find some meat to get their teeth into.

The section titled, “Here comes the crypto – So, how does the NHS app work?” goes into details of:

  • installation ID that each App is issued, 
  • how that ID is encrypted (initially changing every 24 hours), 
  • how that encrypted token is exchanged over Bluetooth when another App-running handset comes near
  • How other handsets are alerted to an infection of a nearby phone user

It even has a section titled, “Anonymity and attacks”, where it discusses how the system could be attacked – and how they can be countered.

Getting hardcore
If that depth wasn’t enough for you, fans of really in-depth information will find Dr Levy’s 13 page PDF, modestly-named ‘semi-technical paper’ (original version embedded below), more satisfying.

It provides detailed explanations complete with formulas, exploring many areas in detail.

Security and privacy criteria
The privacy concerned might well find their definition of ‘Security and privacy criteria’, the most interesting:

  1. We enforce the following high priority security and privacy requirements:
  2. Minimise collection of personal data (ideally, no personal data should be collected).
  3. Active user consent is required for any action involving collected data.
  4. It should not be possible to track users of the app over time,through the Bluetooth transmissions.
  5. It should not be possible for an external observer to associate any Bluetooth transmission with any device-specific information, over and above what they can infer through proximity (e.g. I can see that this ephemeral Bluetooth LE transmission value is linked to Alice’s device because I can see that Alice is the only person close to me).
  6. It should not be possible to submit spoofed data on behalf of another user.
  7. It should not be possible for the recipient of a notification to determine which of the people they have been in contact with has asserted symptoms.
  8. The system must be tolerant to the actions of malicious users:
    1. Single user seeking to gain from a false self-diagnosis
    2. Malicious user seeking to cause mass notification in a given area (e.g. trying to shut down a hospital)
    3. Nation state actor seeking to cause panic through mass notification across the country
  9. A malicious user must not be able to replay a notification of proximity from the service to another user.These are not the only security and privacy promises we make, but seem to be the most important to explain early in the app’s development

Potential privacy issues explored
Over the 13 pages, there’s a lot there including explorations of “Notification issues” and the exploration of the following potential privacy issues: ‘The low contact number problem’, ‘The mass notification problem’, ‘The incorrect submission problem’ and ‘The targeted false alerts problem’

If you have the time and the inclination, you should find it a fascinating read.

Coronavirus Contact Tracing App
The NHSX Coronavirus Contact Tracing App was launched on the Isle of Wight in the first week of May 2020. The App is the first phase of the new ‘test, track and trace’ programme, aimed at reducing the spread of Coronavirus (Covid-19).

To download the App follow this link in your phone’s Web browser

Background reading
Coronavirus Contact Tracing App on the Isle of Wight: What you need to know | FAQ: NHSX Coronavirus Contact Tracing App | How to setup and use NHSX Coronavirus Contact Tracing App | In-depth explanation of how it works is available |Podcast with IW Council leader pitching the Island for the pilot

Wednesday, 6th May, 2020 9:24am


ShortURL: http://wig.ht/2nE9

Filed under: Health, Island-wide, Isle of Wight News, Top story

Any views or opinions presented in the comments below must comply with the Commenting 'House Rules' and are solely those of the author and do not represent those of OnTheWight.

Leave your Reply

2 Comments on "NHSX Contact Tracing App: In-depth explanation of how it works is available"

newest oldest most voted

Interesting no doubt and tells us only what they want us to know. Like the fact that Baroness Dido Harding will head up the wider test, track and trace programme.

Her sudden appointment has surprised some given that when she was chief executive of TalkTalk, the internet provider suffered a major data breach and failed to properly notify affected customers.


To know more about the GCHQ involvement in the app, go to youtube and watch the Latest Report from UK Column News @36.37minutes (UK Column News – 6th May 2020)