Dr Ian Levy
National Cyber Security Centre, UK
Overview: This document provides a high-level overview of the security and privacy characteristics of the app that is in development by NHSx, the digital innovation unit of the National Health Service, to help manage the COVID-19 crisis in the UK.
This is not a full description of the entire system, the socio-technical design, epidemiological modelling or the plethora of other work being performed outside of this application development. Nor does this document detail the significant, diverse, expert input to the overall system and oversight of its development.
Instead, this technical paper concentrates only on the most important and unique security and privacy characteristics of the putative app and its infrastructure. We only describe epidemiological and clinical aspects of the system, in order to set context for some technical decisions and trade-offs.
The epidemiological advice and models that the NHS is working from show that self-diagnosis is an important part of managing the spread of the disease, alongside various clinical tests and the wider public health response strategy. The Oxford group responsible for the model publishes much of its work.
Self-diagnosis can reduce by days, the time it takes a potentially infectious person to isolate. This is critical to the management of the spread of the disease, under the assumptions in the UK’s model.
There are obvious corollaries to a model that includes self-diagnosis. We explore some of those here, with their current mitigations.
Finally, a contact tracing app cannot work in isolation – it must work in concert with, and be a pathway into, the wider public health response. We do not cover that integration here, but it is in place.