Protect Scotland: What does Scotland’s new contact tracing app mean for data privacy?
The Scottish Government has launched its Protect Scotland app to assist in Covid-19 contact tracing efforts. In the first day alone, the app has been downloaded by over half a million people, which will undoubtedly be seen as a hugely successful launch. The long-term success of contact tracing apps relies on their widespread adoption, but concern has been expressed by some about the privacy implications of this technology, particularly in the case of the aborted NHS Covid-19 app from earlier this year. So are these concerns valid? Well... yes and no.

The original NHS Covid-19 app, proposed and built by the UK Government, was designed with a centralised approach to data storage, whereby user data would be collected and sent to a central server for contact matching. The stated aim was to let the NHS monitor new cases and identify spikes in certain areas. However, links between the app and the UK Government’s chief advisor Dominic Cummings (former campaign director of Vote Leave) brought back bad memories of the Cambridge Analytica scandal and raised eyebrows about user privacy. There were also major compatibility issues with Apple iPhones, discovered during testing, which would have hampered its uptake on a wider scale. Ultimately the UK-wide app was a bit of a disaster and was axed in mid-June, leaving the Scottish Government to go their own way and develop the Protect Scotland app.

So how does it fare for user privacy? Well, it’s based on the Apple and Google Exposure Notification system, which sends and receives anonymous Bluetooth beacons. These beacons are used to record the distance between two participating devices and the time that they are in close contact. They are encrypted and randomised every 15-20 minutes, an important feature which should help allay fears of the app being used to track users: if your token changes frequently, there is no constant token to track.
Protect Scotland’s data storage and processing is decentralised, meaning all contact matching happens on your phone, not on a remote server. The only time data leaves your phone is if you consent to sharing it, following a positive test result. Even then, they’ve done a good job of ensuring the data remains anonymous, and there is a clearly set out process for users to delete their data should they wish.

The app appears to have been designed with user privacy in mind from the outset, using only minimal permissions and with clear, detailed explanations of how data will be processed, addressing key GDPR principles. These include the purpose and legal basis for processing data, as well as the length of time data will be stored – the longest of which appears to be 14 days, in keeping with the widely accepted incubation period for the virus. These explanations are presented in a way which is fairly easy to understand, even for those who aren’t fully tech literate. Moreover, they aren’t hidden away in small print or on an obscure web page, but presented front and centre on both the website and the application – allowing users to make an informed decision and raising awareness of the wider issue of user privacy and data protection.

Some have complained that the app will not run on iPhones below iOS 13 or Android phones below version 6 (both around five years old) and pointed out that many people will still be using these devices. However, statistics show that nearly 80% of iPhones and 88% of Androids are covered, and this actually provides a timely reminder of the importance of upgrading out-of-date technology. These same out-of-date devices will be vulnerable to any number of cyber threats which could expose user data or worse. There is a debate to be had over whether manufacturer support for security updates lasts long enough, but that’s for another day.
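To make the two design features described above concrete (Bluetooth identifiers that rotate, and contact matching that happens only on the handset), here is an added Python illustration; it is not code from the Protect Scotland app or from Apple/Google. The interval length, daily-key period and "EN-RPIK"/"EN-RPI" labels follow the published Exposure Notification key schedule, with one stated swap: HMAC-SHA256 truncated to 16 bytes stands in for the specification's AES-128 step so the example runs on the standard library alone, and the keys and observations in `demo()` are constructed.

```python
"""Toy model of two privacy properties discussed above: Bluetooth identifiers
that rotate, and exposure matching that happens only on the handset.
Added illustration, not code from Protect Scotland or from Apple/Google.
Portability swap: HMAC-SHA256 truncated to 16 bytes stands in for the
specification's AES-128 step, so the standard library is all that is needed."""
import hashlib
import hmac
import os
import struct

INTERVAL_SECONDS = 600      # one rolling interval (10 minutes in the spec)
INTERVALS_PER_KEY = 144     # one daily key covers 144 intervals, i.e. 24 hours


def hkdf_sha256(key: bytes, info: bytes, length: int = 16) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt; one expand block covers 16 bytes."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def rolling_id(tek: bytes, enin: int) -> bytes:
    """Identifier broadcast during interval `enin`. Without the daily key (tek),
    consecutive identifiers cannot be linked, which is what defeats tracking."""
    rpik = hkdf_sha256(tek, b"EN-RPIK")
    padded = b"EN-RPI" + b"\x00" * 6 + struct.pack("<I", enin)
    return hmac.new(rpik, padded, hashlib.sha256).digest()[:16]  # AES-128 in the spec


def match_locally(observed: set, published_keys: list) -> list:
    """Runs on the handset. `observed` holds identifiers heard over Bluetooth and
    never leaves the phone; `published_keys` holds (tek, first_interval) pairs
    that diagnosed users consented to upload. Each key is expanded back into its
    144 identifiers and compared locally. Returns [(tek, [matched intervals])]."""
    hits = []
    for tek, first in published_keys:
        table = {rolling_id(tek, first + i): first + i for i in range(INTERVALS_PER_KEY)}
        matched = sorted(table[rid] for rid in table.keys() & observed)
        if matched:
            hits.append((tek, matched))
    return hits


def demo() -> list:
    """Constructed scenario: our phone heard a later-diagnosed user twice and a
    bystander once; only the diagnosed user's daily key is ever published."""
    start = 1_600_000_000 // INTERVAL_SECONDS          # constructed start interval
    diagnosed_tek, bystander_tek = bytes(range(16)), os.urandom(16)
    observed = {rolling_id(diagnosed_tek, start + 3), rolling_id(diagnosed_tek, start + 4),
                rolling_id(bystander_tek, start + 9)}
    return match_locally(observed, [(diagnosed_tek, start)])  # -> [(tek, [start+3, start+4])]
```

Note what the server never learns in this model: only daily keys of consenting, diagnosed users are uploaded, while every heard identifier and every match stays on the phone that computed it.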
So… overall, I do think it’s a good thing that people are becoming more aware of their right to privacy and feeling protective about sharing their data. But I’d suggest that if you’re concerned about the data collected by Covid apps, you might want to look into the information being processed by other apps such as Facebook, Snapchat, TikTok and various other social media apps. Not to mention those fun wee apps that put your face on a celebrity… why is this asking for access to my phone book? Most people skip through the T&Cs and don’t actually realise what they’re agreeing to – including, in some cases, handing over copyright for their photos in perpetuity!

Ultimately, it comes down to individual judgement... but I think education is key so that people can make an informed choice. Who is the app developer? What do they need my data for? Do I really want the app that much? In the case of Protect Scotland, I’m pretty satisfied that it’s based on a model with privacy as a main concern, and I think the wider cause is a very worthy one. So I’ve downloaded it and have it running. And I think you should too.