There follows a guest post by Lockdown Sceptics’ technology correspondent about last week’s vaccine passport update to the NHS App which, according to this industry insider, has created a honeypot for hackers.
Back in March I warned that the government had plans to turn the previously unremarkable NHS App into a cyber bully and privacy blabbermouth. Last week, an update appeared that increased the app’s functionality to include a Covid status certificate, but it included a privacy notice that strongly implied it held an unbelievable range of information about us all: “Information relating to the family of the individual and the individual’s lifestyle and social circumstances; Information which relates to the ethnic origin of the individual; Information relating to genetic/biometric details (where processed to uniquely identify an individual) and criminal convictions or alleged criminal behaviour”.
We knew vaccine passports were going to be a threat to our liberties but what this implied was off the scale. It was soon picked up by security experts like Prof Eerke Boiten of De Montfort University who fired off a Twitter thread that got the attention of the Daily Express and Julia Hartley-Brewer’s morning TalkRADIO show.
The policy was quickly updated, and you can read the saner version here.
The app’s upgrade has given it a new section: “Share your COVID-19 status.” If you click on it you could be forgiven for thinking you are still within the NHS app, but in fact you are taken to this website which is run by NHSX. It might seem an irrelevant detail, but despite its name NHSX is not the NHS. What is going on here is that one arm of the state is hiding behind the more trusted brand of another arm to get its software into your pocket. That’s sneaky and it does not take much imagination to see how this trick might be repeated in the future, with the NHS App being the conduit for all sorts of intrusive government schemes. What’s more, this is happening in the NHS App, which will be around for as long as the government wants, not in the COVID-19 app which Hancock promised to withdraw when the pandemic was over. This makes the prospect more likely that long after the pandemic is over we will be sharing things like immigration status, outstanding criminal allegations or historic driving convictions alongside our COVID-19 status for any busybody who feels they are doing their bit to keep us all safe.
The implication of this new section being hosted by NHSX is that the data is not being drawn from your GP-held medical record as I speculated in my previous article, but from a single national database, the National Immunisation Management System, previously used to coordinate national flu vaccine programmes, but now also used in the rollout of the Covid jabs. As the NIMS site says:
The demographic details of everyone resident in England or registered with a GP in England are imported into the system from the Primary Care Registration Management Service… Further data such as lists of shielded patients, NHS staff, social care workers, unpaid carers and ethnic category information are also uploaded. This data can then be used for prioritising invitation for flu or COVID-19 vaccination, and for reporting purposes.
That is a lot of very sensitive data in a single central database. It is a high-risk design with a single point of failure, but even worse from a security point of view, it is a honeypot for hackers. Last year, when a similar centralised approach was considered for the COVID-19 app, the E.U. weighed in with a statement saying “data are not to be stored in a centralised database” and this was followed up with a letter from 300 security and privacy researchers from 27 countries repeating the warning. NHSX subsequently changed tack and went with the Apple/Google decentralised model instead. Now, with the NHS App, those lessons are being un-learned. There is a naturally decentralised database available in GP-held records, but it has been shunned – presumably in favour of speed of deployment. And yet there is no public outcry this time, no open letters from security professionals.
We are suffering an ultra-cautious approach when it comes to reopening, but a reckless approach when it comes to privacy. With Covid-related phishing attacks up 15-fold and hackers raking in over £35m in UK Covid-related online scams since the start of the pandemic, the motivation and resources are there to crack these databases. So long as the politicians see privacy as an afterthought, the scammers will be toasting every new version of the app.