(A thread) I started reading the NCSC document on the new #covid19 contact tracing app to be trialled in the Isle of Wight. Lots of interesting info. Until we have the actual app to look at, this is the best we can do.

I wanted to understand a couple of things:
1- What user data is collected?
The app asks users to enter their partial post code on registration. No other personal info is collected.

2- Are locations tracked?
No. The app uses BLE to detect proximity to other devices.
If someone becomes infected, a notification is sent to everyone that has been identified as at risk.

3- What does the app send over Bluetooth?
This one is interesting. The app creates an ID at registration. It also creates a private and public key.
Every 24 hours, a new key (made from the device's private key and server's public key) is used to encrypt the date, ID and country code. The app broadcasts this encrypted message along with the device's public key, integrity checks and transmission power & time.

4- What data is sent to the server?
Only when a user chooses to, the app uploads a log of all payloads it's seen in the last 28 days. This is encrypted using a key generated during registration and shared with the app.
Once received, the server reads the device public key from the payload and uses it (along with its private key) to decrypt the user's ID. It then does some sense checking of the record. The records are then analysed where users that are at high risk are sent a notification.

So, this was just an initial analysis. Are there issues? Yes, just reading through the report highlights a few things but nothing I would consider to be high risk.
In terms of privacy, the app doesn't track location but it would be possible to see who has been in proximity to who (obviously!). Users can be tracked by individuals for only 24 hours before the public key (which is transmitted in plaintext) is updated.
End for now.

#nhsx #NHSApp
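
The key agreement described in points 3 and 4, as an added example that is not from the thread, the NCSC document or the app: the device combines its daily private key with the server's public key, and the server recovers the same secret from the plaintext device public key and its own private key. Assumptions: X25519 for the key agreement, SHA-512 as the KDF, a SHAKE-256 keystream with HMAC-SHA256 standing in for a real AEAD cipher, a fresh device key pair per 24 hours, and the `date|country|ID` layout; all function names are hypothetical.

```python
import hashlib, hmac, os

P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 scalar multiplication (not constant-time; illustration only)."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_keys(shared: bytes, pub: bytes):
    okm = hashlib.sha512(shared + pub).digest()  # assumed KDF
    return okm[:32], okm[32:]                    # (encryption key, MAC key)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # SHAKE-256 keystream: stdlib stand-in for a real AEAD cipher
    return bytes(x ^ y for x, y in zip(data, hashlib.shake_256(key).digest(len(data))))

def daily_payload(server_pub: bytes, user_id: bytes, date: str, country: str) -> bytes:
    priv = os.urandom(32)                        # assumed: fresh key pair per 24h
    pub = x25519(priv, BASE)
    enc, mac = derive_keys(x25519(priv, server_pub), pub)
    ct = keystream_xor(enc, f"{date}|{country}|".encode() + user_id)
    return pub + ct + hmac.new(mac, pub + ct, hashlib.sha256).digest()[:16]

def server_open(server_priv: bytes, payload: bytes):
    pub, ct, tag = payload[:32], payload[32:-16], payload[-16:]
    enc, mac = derive_keys(x25519(server_priv, pub), pub)  # same secret as the device
    if not hmac.compare_digest(tag, hmac.new(mac, pub + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("integrity check failed")
    date, country, user_id = keystream_xor(enc, ct).split(b"|", 2)
    return date.decode(), country.decode(), user_id

if __name__ == "__main__":                       # constructed sample values
    sk = os.urandom(32)
    print(server_open(sk, daily_payload(x25519(sk, BASE), b"user-0001", "2020-05-05", "GB")))
```

The first 32 bytes of each payload are the plaintext public key: they stay constant for a day, which is what lets a nearby observer link broadcasts within that window, while only the server can recover the ID that persists across days.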
Thread by Jay Harris