There follows a guest post by our in-house technology correspondent. He wrote a series of pieces for Lockdown Sceptics about the NHS Covid-tracking app last year and now he returns to the fray to cover the NHS vaccine app.
All that is missing from the dystopian movie that our lives have become is a Bond-style henchman, created through diabolical processes by the wicked super villain. Speaking of which, Michael Gove has a cunning plan to fill that gap. The runt of the NHS app litter, whose creators couldn’t even be bothered to give it a name beyond “The NHS App” has been selected for a set of maniacal modifications transforming it from a lacklustre dictionary of medical conditions into a cyber-bully fit to harass and torment a nation. As we shall see, this once unloved and overlooked app is set to become the accomplice and collaborator of scammers, blackmailers and fraudsters.
According to the Daily Mail, Gove envisages a world where you can’t just go somewhere freely: you have to be permitted by a state-operated app that displays your medical records to unwitting restaurant owners, bar staff, and presumably anyone with an authoritarian streak who sees themselves as an agent of our new bio-security state. It is morally and ethically bankrupt, but technically, could it work? What we know about its implementation is sketchy, but we can contemplate what would be involved.
To prove you have had a jab you must show the relevant entry on your medical record, which is held by your GP, assuming you are registered with one and you didn’t opt out of summary care records in the past. If you are a tourist or business traveller from abroad that rules you out. No Diet Coke for you. Those records are the most personal, private data possible and there is rightly a lot of security around who can access them. Indeed, this information is considered so private that in 2004 the NHS instructed BT to build an entirely separate national network just to handle it! Now for the app to work, any random member of the public needs access to that private data, by connecting to the correct medical record at the correct GP surgery. Get that wrong and you are exposing medical records on a massive scale.
The NHS was already working on a system to do this, called NHS Login. It has various levels of “proofing”, and access to medical records requires the highest, known as level nine. Proof level nine is simple: enter your email address and create a new password, accept the terms and conditions and wait for the validation email, return to the app and enter your full name, date of birth and the postcode that you gave your GP, accept the two check boxes for the terms and conditions, get your passport, UK drivers’ licence or EU ID card, and use your phone to take a photo of it and answer some questions about it then allow the app to take a picture of your face unless flashing lights and colours make you feel unwell in which case you can record a video of yourself reading out some numbers instead, submit and wait up to two hours for email saying that your picture is ok. Got that?
That’s your NHS Login account set up, now to find your GP surgery. Let’s hope they have one of the seven recognised systems in which case you get an email from your GP confirming the connection. Or it might be from a scammer, it’s hard to tell. This is a big problem. The onboarding process puts you in a frame of mind where you are clicking anything, getting emails, taking photos of identity documents and you just want to get to the end of the process so you can go to the pub. If you get lost or distracted or have a question or just want to ask someone about it all, then the opportunities for scammers to insert themselves into the process are endless. At which point they have your most fundamental identity documents and access to your medical records to boot. Blackmail, extortion and fraud are sure to follow.
If they get this wrong, they will truly have created a monster for our technocratic age. An enabler of identity theft and medical data leakage on a national scale, exposing every embarrassing medical episode and blackmailable exploit imaginable. Scammers, crooks, and menaces around the world must be licking their lips.
Beyond the setup process, how does Gove’s fever-dream play out? If you have a jab the app will not know until it makes its way onto your summary care record at your GP. How long will that take? What is your status in the meantime? What if it never appears? Who you do call to fix it, your GP? If it is on your record when does the app consider immunity to be effective, how many weeks after the jab? Is it the same for all vaccines? Does it consider you immune after just one jab or will you be forced to wait for a second jab? And how long does it consider immunity to last? Your app could be showing green for months, then just as you are going to your daughter’s wedding, oops red, the app thinks you need a booster shot. No wedding for you. And if you can go to the wedding if you can show you’ve tested negative, who puts those tests on your medical record? Lateral flow tests are easy to do at home, but it would be too easy to fake a negative if you could write your own record. So, it will have to be carried out by an official at their convenience not yours, and the result will have to make its way onto your GP-held record. How long will that take? It had better be quick because the result is only valid for two days.
The doughty few that make it through the setup process will be rewarded by an app that puts them at the whim of NHS data entry clerks and ever-changing rules from public health panjandrums. They will live in a constant state of anxiety, fearful that it will turn from showing green to red and all their plans will be on hold for an arbitrary time with no reliable way to fix it.
I can only appeal to any developer building this app to realise what they are doing and make a stand. Refuse to work on it. Consider it as bad as any spyware, ransomware, virus, or weapon system. It is going to make a lot of people’s lives miserable and that is not why you went into software.