There follows a guest post by Lockdown Sceptics’ technology correspondent about last week’s vaccine passport update to the NHS App which, according to this industry insider, has created a honeypot for hackers.
Back in March I warned that the government had plans to turn the previously unremarkable NHS App into a cyber bully and privacy blabbermouth. Last week, an update appeared that increased the app’s functionality to include a Covid status certificate, but it included a privacy notice that strongly implied it held an unbelievable range of information about us all: “Information relating to the family of the individual and the individual’s lifestyle and social circumstances; Information which relates to the ethnic origin of the individual; Information relating to genetic/biometric details (where processed to uniquely identify an individual) and criminal convictions or alleged criminal behaviour”.
We knew vaccine passports were going to be a threat to our liberties but what this implied was off the scale. It was soon picked up by security experts like Prof Eerke Boiten of De Montfort University who fired off a Twitter thread that got the attention of the Daily Express and Julia Hartley-Brewer’s morning TalkRADIO show.
The policy was quickly updated, and you can read the saner version here.
The app’s upgrade has given it a new section: “Share your COVID-19 status.” If you click on it you could be forgiven for thinking you are still within the NHS app, but in fact you are taken to this website which is run by NHSX. It might seem an irrelevant detail, but despite its name NHSX is not the NHS. What is going on here is that one arm of the state is hiding behind the more trusted brand of another arm to get its software into your pocket. That’s sneaky and it does not take much imagination to see how this trick might be repeated in the future, with the NHS App being the conduit for all sorts of intrusive government schemes. What’s more, this is happening in the NHS App, which will be around for as long as the government wants, not in the COVID-19 app which Hancock promised to withdraw when the pandemic was over. This makes it more likely that, long after the pandemic is over, we will be sharing things like immigration status, outstanding criminal allegations or historic driving convictions alongside our COVID-19 status for any busybody who feels they are doing their bit to keep us all safe.
The implication of this new section being hosted by NHSX is that the data is not being drawn from your GP-held medical record as I speculated in my previous article, but from a single national database, the National Immunisation Management System, previously used to coordinate national flu vaccine programmes, but now also used in the rollout of the Covid jabs. As the NIMS site says:
The demographic details of everyone resident in England or registered with a GP in England are imported into the system from the Primary Care Registration Management Service… Further data such as lists of shielded patients, NHS staff, social care workers, unpaid carers and ethnic category information are also uploaded. This data can then be used for prioritising invitation for flu or COVID-19 vaccination, and for reporting purposes.
That is a lot of very sensitive data in a single central database. It is a high-risk design with a single point of failure, but even worse from a security point of view, it is a honeypot for hackers. Last year, when a similar centralised approach was considered for the COVID-19 app, the E.U. weighed in with a statement saying “data are not to be stored in a centralised database” and this was followed up with a letter from 300 security and privacy researchers from 27 countries repeating the warning. NHSX subsequently changed tack and went with the Apple/Google decentralised model instead. Now, with the NHS App, those lessons are being un-learned. There is a naturally decentralised database available in GP-held records, but it has been shunned – presumably in favour of speed of deployment. And yet there is no public outcry this time, no open letters from security professionals.
We are suffering an ultra-cautious approach when it comes to reopening, but a reckless approach when it comes to privacy. With Covid-related phishing attacks up 15-fold and hackers raking in over £35m in UK Covid-related online scams since the start of the pandemic, the motivation and resources are there to crack these databases. So long as the politicians see privacy as an afterthought, the scammers will be toasting every new version of the app.
The “scammers” and the “hackers” are far less of a concern than the totalitarian one world government that’s making use of this data.
“We are suffering … a reckless approach when it comes to privacy”.
And to experimental vaccines.
Indignation over privacy breach. Silence on vaccines maiming and killing.
I don’t have a smartphone.
They can get stuffed.
Sounds like they may already have your data whether you use a smartphone or not.
“The demographic details of everyone resident in England or registered with a GP in England are imported into the system from the Primary Care Registration Management Service… ”
Also suggests my opt out from the NHS sharing any data may have been ignored.
The security implications of this were one of the points I raised in my comments on the other article about Covid Status certificates. The Irish have very recent experience of a massive hack of a medical database, and other examples abound.
The point was well made. There is no intelligent reason to use any such NHS app on a ‘smartphone’, even if one uses them for other reasons (lots of us do not use them at all).
On this thorny subject, I previously linked the Medconfidential pages concerning Hancock’s download grab of all medical data from GP systems, apparently for sale to various parties. Here is the link again:- https://medconfidential.org/2021/let-us-tell-you-about/
We now find ourselves faced with:-
All in all, there appears to be a massive increase in the nexus of personal data of all sorts (medical, sociological, lifestyle, financial etc.) gathered and held by the State, without permission of the owner of the data, and with little or no open explanation of the reasons and purposes for the State to do this. The supine and toothless Information Commissioner’s Office, as an arm of Government, is probably complicit and accepting of this.
There’s another factor too. When I was permitted to see my GP notes it turned out that there was information that did not apply to me. At worst it was made up, at best it applied to some other patient and got into the wrong file. Also a lot of my notes were missing. Of course there may be another individual who has the rest of my notes. How often does this happen?
Quite often, I suspect. I’m not sure what or how different practices have loaded old paper records into new computer systems, of which there are several for GPs, but entering those data is a sure-fire way of accidentally getting them into the wrong records. Those are errors, but on the last of the two occasions I have consulted a GP in 30 years, omissions of more recent information, such as being a non-smoker of 20 years’ standing, were evident.
What we actually need is a massive hack and privacy leak. ASAP. Ideally sharing all sorts of unsavoury information about top politicians.
That way people will acknowledge the risk, and stop this farce in its tracks. Fingers crossed hackers are onto it already.
Best comment of the day
and leak it all widely!!!
I’ve been reading about NHS Digital & the opt out for it is only a month away. Is this all linked with that?
I’m sorry I don’t know how to copy & paste links, but a good starting point is in the Byline Times. The article is from 19 May and is about the government wanting to sell ‘our’ data.
However, I am connecting NHS Digital with this monstrosity.
See FiatLux comment below – I think he’s saying it much better than me!
Lockdown Sceptics you have got your facts wrong!!
The standard NHS App login goes to https://www.nhsapp.service.nhs.uk/login and leads on to Enter your email address (login.nhs.uk) or https://access.login.nhs.uk/enter-email
The Domain is NHS.UK – when you login to the NHS App and choose to “Share your COVID-19 Status” it takes you to https://covid-status.service.nhsx.nhs.uk/SelectedFlow/
The Domain is again NHS.UK
The Website to which you refer is also https://covid-status.service.nhsx.nhs.uk/ or COVID-19 status – NHS (nhsx.nhs.uk)
The Domain is again NHS.UK
That again leads to Enter your email address (login.nhs.uk) or https://access.login.nhs.uk/enter-email
If you go to WHOIS https://www.nominet.uk/whois/ and search for NHS.UK Domain Name it is shown as:
Registrant type:
UK Government Body
Registrant’s address:
NHS Digital
1 Trevelyan Square
Boar Lane
Leeds
LS1 6AE
GB
Registrar:
NHS Network Addressing Team, NHS Digital
So where the LS article says:
The app’s upgrade has given it a new section: “Share your COVID-19 status.” If you click on it you could be forgiven for thinking you are still within the NHS app, but in fact you are taken to this website which is run by NHSX. It might seem an irrelevant detail, but despite its name NHSX is not the NHS.
Actually…it is not only still the NHS but is a branch of the same NHS App website!!!