My Authors
Read all threads
A tonne of information is now out there for @NHSX App, released without fanfare.

Key documents include a FAQ (with some errors) and the Data Protection Impact Assessment.

faq.covid19.nhs.uk

In the FAQ, a link to the DPIA

faq.covid19.nhs.uk/article/KA-010…

#TrackingApp
I’ll quickly point out an error or two:

faq.covid19.nhs.uk/article/KA-010…
France probably centralised but undecided; Italy maybe undecided but announcements say they are decentralised; Singapore, Australia have said they are moving to decentralised. Only Norway is centralised and apparently staying so (albeit their app doesn't work very well).
On the DPIA, a few quick things (others like @mikarv will have better points to make):

The government admits it is processing personal data, which is pseudonymous (and therefore capable of being reidentified easily). Rather different to what @matthancock said.
This is a start, I guess. “public trust and confidence in the App is paramount to its success. transparency … is key to engendering that trust and confidence”
Unclear retention conditions; admission that data could be extracted and disclosed.
This was contradicted by @privacyinternational and @benlaurie, both of whom found trackers in the App (maybe the Git codebase rather than public release?)
Who is doing this aggregation and analytics? Palantir have contracts around that. Clarity over the processors and what they are doing exactly will be needed.
Here’s a description of various IDs that link your identity to the device (p6)
There’s information about the purposes you would expect the App to do
And more things you’d expect (p7)
And then things you wouldn’t necessarily expect (but Matthew Gould has said they will do).

Note: research using 'deidentified' data.
Some more here on the process of data matching to produce the results
The “screening questions” part near the end looks the most interesting. At a quick glance some of the answers look wrong or incomplete, or underplay some of the issues quite a lot.

I am sure @mikarv @PrivacyMatters and others will be …
Some of it is a bit glib. Are we sure there is no systematic monitoring of an area on a large scale?
Are we sure that someone’s personal data will never be processed without their knowledge?

Is sharing phones a thing?
Do we really think that, if lost, this data could never be linked back to real identities? Should we spell that consequence out a bit better?
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Jim Killock

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!