Matt Hancock, Health Secretary lets UK intelligence agency GCHQ have more access to NHS health systems. Can the UK look to other countries’ security techniques?

For some people, a new Health Service Journal report that Health Secretary Matt Hancock has granted the UK intelligence agency GCHQ additional levels of access to NHS health systems, with additional powers, over the proposed UK contact tracing app raises privacy concerns.

GCHQ

Irene Ng, CEO, Dataswift commented:

“A spokesperson for the Government said that GCHQ will not receive access to patient data. Even so, this news is likely to add fuel to already existing privacy concerns around the handling of the COVID-19 crisis, for example in the use of contact tracing apps that many Governments across the world are now rolling out.

“The debate around these issues tends to focus heavily on whether or not we can trust Governments, and the NHS, with our health data. But these debates often conflate trust with privacy. If there is trust, then should privacy not follow?

The proper data infrastructure that is required to ensure complete data privacy is something that global corporations struggle with, and many organisations in the last five years have been lured – by the “big data” economy – into thinking they can be a data company too.

Alternatives

“If some of the largest global corporations are struggling to properly manage customer data, should we be trusting that the Government can? There are alternatives to the government model, so we shouldn’t just trust them implicitly just because they asked us to. Privacy (or lack of) is not a trust problem, it’s a data infrastructure problem.”

Felix Marx, CEO at Truata, also observed that the UK will be rolling out a mass programme of contact tracing to limit the spread of coronavirus when lockdown restrictions are eased, but that there are likely to be concerns over the privacy of the technology.

The Greater Good

Felix pointed out, “There is clearly a societal need and purpose for utilising this data for the greater good. However, we echo the fears raised regarding patient privacy. Even in these exceptional times, we must be cognisant of the protection of the personal data of the data subjects.

In this instance, the data should be handled in a balanced way that manages both the safety and privacy concerns of the patients. Furthermore, issues such as transparency cannot be overlooked even in these most challenging circumstances. Questions that need to be considered include what type of personal data is being shared, for what purposes and for how long?

Safeguards

“The government must also ask itself whether appropriate safeguards and technologies are being applied so that they are not, in using that data to benefit society, failing to protect the rights of the individuals behind that data. To that end, applying the highest standards of anonymisation to this data can ensure that they are protecting the privacy of the individual while enabling insights to be generated that will benefit us all.”

NHS app

Potential technical security issues have also been raised in relation to the NHS’ app.

Chad McDonald, VP of Customer Experience at Arxan, now part of Digital.ai, commented: “Keeping the data on the user’s device certainly affords the user more personal control over their data. That said, Bluetooth isn’t the most secure means to transmit data. Just last year a major vulnerability was announced that facilitated interception of Bluetooth data by attackers.

“Given that the data in question is personal health data, there exists a substantial risk to the individual. We are in trying times and capturing and tracking infection data may prove one of the most useful tools in combating continued spread of the virus.

Whether or not surrender of personal privacies is justified in this case will not really be known until well after the COVID-19 risk has passed.

Bluetooth

“While the Bluetooth transport is risky, allowing the user to retain their data and the application locally could theoretically limit the risk associated with having millions of users’ information in a centralised location. Any exploit of the application or data would likely be limited to those users within Bluetooth range of the attacker.”

Munich

A research team at the Technical University of Munich (TUM) has developed a model for a contact tracing app that protects personal data. The basis of this is an encryption process that stops the temporary contact numbers (TCNs) of infected people from migrating to the phones of their contacts. A prototype is now being tested in cooperation with the ITO Open Source Consortium. This new app has also now successfully completed the Bluetooth Special Interest Group Qualification process.

Decentralised

Researchers also chose to adopt a decentralised approach, noting that the infected individuals release only the TCNs transmitted by their own device to the server. These TCNs are downloaded from the server by all devices where the app is installed.

The check to decide whether any of these “infected” TCNs were previously received now happens locally on the individual devices. So, the only party with knowledge of possible contact with an infected individual is the contact person himself, not the central server.

A centralised approach means all data is stored at a single location, which carries a major risk of abuse, because it becomes possible to ‘de-anonymise’ and disclose personal contacts the moment data on the server can be accessed.

TCNs

The cross-checking of TCNs of infected individuals against those collected on mobile phones happens without needing to load the infected individuals’ TCNs onto the phones. An encryption process known as private set intersection cardinality, which does not require information to be exchanged in plain text, makes this possible.

Utilising the ContacTUM concept, contact people can be warned without their mobile phones being able to recognise the “infected” TCNs among the TCNs stored there.

“As a result, the risk scenario in which an attacker could combine the received TCNs with other information such as the date, time and location where the TCN was transmitted – which would endanger the anonymity of an infected person – is minimised to a large extent,” explains physicist Kilian Holzapfel.
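The matching step described above can be sketched with a Diffie-Hellman-style private set intersection cardinality exchange. This is an added example, not ContacTUM's code or its actual construction: the double-blinding scheme, the demo modulus, the function names and the sample TCNs are all assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

# Demo modulus (assumption): the prime 2^255 - 19. A deployment would use a vetted DDH-hard group.
P = 2**255 - 19

def hash_to_group(tcn: bytes) -> int:
    """Map a TCN to a quadratic residue mod P."""
    h = int.from_bytes(hashlib.sha256(tcn).digest(), "big") % P
    return pow(h, 2, P)

def new_secret() -> int:
    """Random exponent coprime to P-1, so blinding is a bijection (no false matches)."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def blind(values, key):
    """Raise every element to the secret key, then shuffle to hide the ordering."""
    out = [pow(v, key, P) for v in values]
    secrets.SystemRandom().shuffle(out)
    return out

def phone_request(observed_tcns, a):
    return blind([hash_to_group(t) for t in observed_tcns], a)

def server_reply(phone_blinded, infected_tcns, b):
    # Server sees only H(x)^a and returns H(x)^(ab) reshuffled plus H(y)^b.
    return blind(phone_blinded, b), blind([hash_to_group(t) for t in infected_tcns], b)

def phone_count(double_blinded, infected_blinded, a):
    # H(y)^(ba) equals H(x)^(ab) exactly when x == y; only the count is learned.
    infected_double = {pow(v, a, P) for v in infected_blinded}
    return sum(1 for v in double_blinded if v in infected_double)

def exposure_count(observed_tcns, infected_tcns):
    a, b = new_secret(), new_secret()
    double, infected = server_reply(phone_request(observed_tcns, a), infected_tcns, b)
    return phone_count(double, infected, a)

# Constructed sample data: TCNs heard over Bluetooth vs. TCNs uploaded by infected users.
OBSERVED = [b"tcn-%02d" % i for i in range(8)]
INFECTED = [b"tcn-03", b"tcn-06", b"tcn-42", b"tcn-77"]

if __name__ == "__main__":
    print("possible exposures:", exposure_count(OBSERVED, INFECTED))
```

Because the server reshuffles the phone's blinded values before returning them, the phone learns how many of its stored TCNs match but not which ones, and it never holds an infected TCN in plain text.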

Prototype

A prototype of this app is currently being tested on the Android operating system. Code is publicly available. “But it will still probably be a few weeks before an absolutely secure & technically flawless app is ready for use,” concludes Holzapfel.
