The NHSX COVID-19 tracing app is under fire yet again. The latest company to question its effectiveness is cybersecurity vendor Anomali. Unlike others who have focused on reported vulnerabilities, Anomali commissioned a survey from Censuswide to see who was likely to use the app. The results show that at-risk groups, such as the elderly, are least likely to be able to install the app.
Commenting on the survey, Jamie Stone, Head of EMEA at Anomali said: “The rule of critical mass demands that at least 60% of the population utilises the app in order for it to be effective. However, these findings point to a significantly diminished pool of users, and thus, the critical mass fundamental to the app’s performance now hangs in the balance.
“Moreover, many of the individuals without the necessary technology likely come from an older generation, or from low-income backgrounds. In this way, excluding the most vulnerable of society from any benefits, this app might bring.”
Key findings from the survey
The survey asked 1,001 people, from multiple locations in the UK and in different age groups about the NHSX COVID-19 tracing app. Enterprise Times had access to the survey results, which show:
- Most likely to download the app: Less than 50% of people are likely to install the app. The numbers likely to install the app by gender were similar. However, 30% of men said they would not install the app, while 30% of women were undecided.
- Which age groups won’t download the app: Those aged 16-24 (39%) and 25-34 27%) are the least likely to download the app. These are typically age groups with high mobile app usage. If they are not willing to use the app, it will be hard to reach the target 60% of the population.
- Elderly will download but lack the technology: 50% of those aged 70+ are likely to download the app. However, 63% also said that they knew people who don’t have a smartphone. The lack of technology is a barrier to success.
- Can the government be trusted to keep data safe?: Only 12% said very much with 39% saying somewhat. 32% had little faith in the ability of the government to protect data.
- Increased cyberattacks a concern: Phishing attacks (42%) are a significant concern. 36% were concerned about the government holding data on them, and a further 33% were worried about the government tracking their movements. The age groups with the greatest concerns were 16-24 and 25-34 age groups.
Are people right to worry about using the app?
To get a better understanding of the survey, Enterprise Times spoke with Jonathan Martin, director of operations, EMEA at Anomali. Martin said: “There’s a varied amount of concerns that people will have about it. I absolutely understand why the government has gone down this road. It’s the right path to take because we have to do everything speeded up now. There is no way around that.
“My overall concern is the speed this was developed will undoubtedly lead to security issues, and security issues means lots of different things. It will concern people that maybe it hasn’t been fully tested and that the Isle of White beta is actually one way of testing both the functionality and perhaps the security side of the application as well.
“We don’t live in normal times anymore. That shouldn’t obviate the need for a very secure application because of the way it’s going to be distributed across hopefully the whole nation and the type of data it’s inevitably going to collect. So while I understand the reasons, I think the government needs to take a much stronger security viewpoint of this and understand the implications of what the app cannot bring.”
Data retention and access concerns
ET asked Martin if people were concerned about the UK Government retaining data for unspecified uses post the pandemic. Martin believes that the majority of people who do download the app are not likely to read the licence agreement. That means they won’t think about the deeper issues of using data for other purposes or security issues around that data.
Not everyone has a smartphone, especially among the elderly population. That means those living in retirement villages and care homes, where vulnerable people are clustered, won’t get notifications.
Martin replied: “There are bigger issues around particular age groups. For example, my mother is 96, and my in-laws are 85. None of those has a smartphone capable of running this app. I’m sure there is a large percentage of the over 82s, who aren’t capable of installing the app and aren’t necessarily capable of using it.
“That causes an issue. One of the most at-risk parts of the population is never going to actually use this. It causes issues because those are exactly the sort of persons you would want to warn if one person has the virus.”
Limited use will impact effectiveness
If a major at-risk group cannot use the app, what impact will that have on the effectiveness of it?
“It will limit it. It’s difficult to make a complete judgement on this because there are too many unknowns. Those numbers are higher than I expected. I probably expected it to be about 30-35% of the over 45.
“The figure we quoted in the press release was the critical mass is 60% of the total population has to be tracking for it to be useful. I don’t know what percentage the over 45’s comprise in the UK, but if half of those people aren’t even going to be able to download the app never mind, want to download it, then I can’t see how we’ll ever get to that. 60%.”
Is there a need for a mix of tracking technologies?
If there are issues with getting enough people to use the app, how is this solved? Is there a place for other technologies that look at different phases of infection? ET spoke with COVI-PASS about how their app could get people back to work, playing and watching sport or flying. We asked Martin if he saw multiple options around being safe in the future?
“The solutions are going to fork into different ways of solving it. For the short term, for the immediate future, there will be multiple things. It won’t just be one size fits all in terms of a solution. There will have to be multiple tools.
“If you think about bringing pets back into the country, they’ve had to have a rabies injection within 48 hours before they’re allowed back into the country. I can see something similar to that for travel. You will have had to have a test within 48 hours of travelling, both for leaving the country and but also coming back into the UK as well.”
What about getting people back to work?
How will businesses evaluate the various options that are beginning to appear?
“I think they won’t evaluate the options themselves because they don’t have the time, money or resource knowledge to be able to do that. They have to rely on being led by the government. I don’t think there is any doubt that this has to be a government-led initiative to make available in a clear, obvious and concise way which app they should be downloading.
“How you get that knowledge out to everyone is going to be very difficult. ‘You must download from this particular site. Don’t click on a link in a mail or a text.’ There will have to be a complete intelligence programme out to the nation about what you have to prove or provide.”
The NCSC is still struggling to contain phishing emails around HMRC and other government departments. Is it realistic to say the government can make this a safe, secure and effective process?
“It’s incredibly hard. An attacker only has to be right once. The defenders have to defend all the time. I don’t think there is a silver bullet to it or we probably wouldn’t have jobs because we’d have secured the world.
“The only thing the only way I can see it working is through a nationwide campaign to educate people. ‘This is the app, and this is where you have to get it from, nowhere else.’ We’re going to have to do that via technology via mail and by SMS. It does open up an awful lot of copycat attack possibilities
“I think it will be one tool. And maybe at some point, Apple and Google build it into the OS. But again, that’s only going to apply to people with modern versions. You know, the latest iPhone, the latest Android phone. That’s going to cut out a large amount of the UK population. I don’t think there is a simple way around this, unfortunately.”
Enterprise Times: What does this mean?
The Anomali survey was carried out before a number of flaws in the NHSX app were revealed. It shows that people were concerned about the use of smartphones in parts of the population and security risks from the app. As new stories about security issues with the app emerge, the likelihood of widespread adoption drops.
There is a perception that technology is the solution to everything, but only if you have the right technology. This survey highlights the danger of forgetting to have an alternative for those cases. It’s particularly relevant as a major at-risk group is technology poor. Even when the technology does exist, it has to be user friendly. As this video clip from the BBC shows, the alert from the NHSX app creates questions, not solutions.
The ongoing use of the app to collect data post-COVID-19 is a significant worry for privacy advocates. Who will use that data? How will the data be kept safe? Why does the government need to continue using the app? What extra data will the app begin to gather? Is there a broader plan to use the app for something else.
As Martin says: “We’ve talked about could this turn into a De facto ID card, because of the amount of input that you will you will naturally end up putting into it.”
For now, the UK government is struggling to get to its 60% usage point for the app to become effective over COVID-19. Any other use, such as an ID card would require a significant uptake in both technology and the app.