England & Wales Tracing App to be released Sept 24th

[pdeaves]

I won't download the app because the phone I have isn't mine to download stuff onto.

I understand that in Malaysia last March they had a simple but effective 'track & trace' system of tapping your bank card on entering and leaving shops (presumably effectively a zero cost transaction) like tapping an Oyster card. I've never been there but a contemporary who was visiting then stranded there for around four months thought the local populace considered it a good system.

 

[Bletchleyite]

I won't download the app because the phone I have isn't mine to download stuff onto.

I understand that in Malaysia last March they had a simple but effective 'track & trace' system of tapping your bank card on entering and leaving shops (presumably effectively a zero cost transaction) like tapping an Oyster card. I've never been there but a contemporary who was visiting then stranded there for around four months thought the local populace considered it a good system.

Was it actually a bank card? Malaysia has compulsory identity, and the ID cards are I believe contactless chip cards known as MyKad (corrected) which also have some form of stored value ability. Was it not those?

 

[Peter Mugridge]

A caller to R5 this morning said their local testing centre in south west London had found a workaround to the problem. Husband turned up without an appointment because he couldn't get one. The testing station was empty, the operator entered a postcode for Aberdeen and he was given a booking code.

That wouldn't mean that if he then tests positive it would be recorded by the Government as a positive case in Aberdeen instead of South West London would it...?

 

[AdamWW]

That wouldn't mean that if he then tests positive it would be recorded by the Government as a positive case in Aberdeen instead of South West London would it...?

Let's hope not.

Something curious seems to be going on. I don't get the impression that the government is keen to tell us exactly what the problem is. Perhaps it's commercially sensitive information.

 

[MikeWM]

I understand that in Malaysia last March they had a simple but effective 'track & trace' system of tapping your bank card on entering and leaving shops (presumably effectively a zero cost transaction) like tapping an Oyster card. I've never been there but a contemporary who was visiting then stranded there for around four months thought the local populace considered it a good system.

But what's the point of that (other than to increase Government surveillance and tracking of everyone's movements)?

The purpose of 'track and trace' is supposedly to find people that a person with the virus has been *close* to *for a period of time* (15 minutes or more), not to find people who may have been four aisles away for a few seconds.

 

[Bletchleyite]

But what's the point of that (other than to increase Government surveillance and tracking of everyone's movements)?

The purpose of 'track and trace' is supposedly to find people that a person with the virus has been *close* to *for a period of time* (15 minutes or more), not to find people who may have been four aisles away for a few seconds.

Because it narrows things down. Proper contact tracing involves invasive interviewing, CCTV etc to establish exactly who was a close contact well beyond what people would remember.

 

[Bantamzen]

Because it narrows things down. Proper contact tracing involves invasive interviewing, CCTV etc to establish exactly who was a close contact well beyond what people would remember.

Crickey, even North Korea would struggle with that level for thousands of cases a day!

 

[MikeWM]

Because it narrows things down. Proper contact tracing involves invasive interviewing, CCTV etc to establish exactly who was a close contact well beyond what people would remember.

We're way beyond the stage in pretty much every country where you could do that with any success though. Perhaps if you have one or two infections in the entire country that may just about be feasible as a strategy - but that raises other issues about proportionality (would you have done the same for swine flu, SARS-1, MERS, etc.?)

 

[Bletchleyite]

Crickey, even North Korea would struggle with that level for thousands of cases a day!

It would, but it is the approach taken (even here) if someone manages to get here with some sort of rare tropical disease or something like that.

 

[nlogax]

I'll be getting as soon as it's available. While I appreciate some here find the very prospect of knowing whether there's a chance they may have been near someone with C19 a massive inconvenience I'd rather be somewhat informed. Also I don't care so much about tin foil and privacy that I feel the need to stick my phone in a lead case.

Annoying that the Scottish and English systems are different so I will have both apps on my phone but meh..minor quibble.

 

[Bantamzen]

It would, but it is the approach taken (even here) if someone manages to get here with some sort of rare tropical disease or something like that.

I can guarantee it won't be the approach to covid in most countries.

 

[takno]

That wouldn't mean that if he then tests positive it would be recorded by the Government as a positive case in Aberdeen instead of South West London would it...?

Probably. It's possible that the test and trace people would correct it, and it may not make it onto Aberdeen's figures because of Scotland and England having somewhat separate systems, but on the face of it I'd be surprised if the figures are any more advanced than that

 

[pdeaves]

Was it actually a bank card? Malaysia has compulsory identity, and the ID cards are I believe contactless chip cards known as MyKad (corrected) which also have some form of stored value ability. Was it not those?

Maybe, but then the guy to whom I refer isn't Malaysian so probably doesn't have a compatible ID card. Anyway, whatever the actual mechanism, my general point was that another country managed to implement something acceptable to the majority population a full six months before we did without inventing some potentially complicated bespoke system.

 

[takno]

Maybe, but then the guy to whom I refer isn't Malaysian so probably doesn't have a compatible ID card. Anyway, whatever the actual mechanism, my general point was that another country managed to implement something acceptable to the majority population a full six months before we did without inventing some potentially complicated bespoke system.

Lots of other countries managed to get a solution based on the tech we are now using in place several months ago. It's a shame we didn't, because it would have seemed a lot more useful back then, and could have been tied up in a narrative about reducing restrictions rather than being lumped in with the rule of 9 or whatever the number is.

The main reason for our delays was that the government started off on a different track, which involved an impossible amount of central tracking and a lot more Dev work. Not only was that harder to get running stably, but IT also grabbed massive amounts of tracking data and stored it centrally for nefarious purposes, which has led to a lot more people than necessary being worried about installing the new app

 

[MikeWM]

The main reason for our delays was that the government started off on a different track, which involved an impossible amount of central tracking and a lot more Dev work. Not only was that harder to get running stably, but IT also grabbed massive amounts of tracking data and stored it centrally for nefarious purposes, which has led to a lot more people than necessary being worried about installing the new app

And apparently cost £10 billion. I can't begin to even conceive how it is possible to spend that much money on a (failed) app, unless there have been some incredibly dodgy things going on.

 

[AdamWW]

And apparently cost £10 billion. I can't begin to even conceive how it is possible to spend that much money on a (failed) app, unless there have been some incredibly dodgy things going on.

I think that figure may be incorrect.

 

[Bletchleyite]

I think that figure may be incorrect.

£10 million might be viable when it also considers the purchase/leasing of data centre infrastructure etc that won't have been used but will have to be paid for contractually.

 

[MikeWM]

I think that figure may be incorrect.

Yes, I think you're right - though *something* seems to have cost 10 billion. Sorry this link is from the Sun, best I could find

https://www.thesun.co.uk/news/12072680/bungled-test-trace-system-10-billion/

Bungled Test & Trace system will cost Ministers £10 billion despite STILL failing to track a quarter of infected people

...

The NHS app was ditched by the Government after it failed to work - but the project still cost the taxpayer £12million.

£12 million I can understand. There's rather a key question where the other £9.99 billion has gone though.

 

[AdamWW]

Yes, I think you're right - though *something* seems to have cost 10 billion. Sorry this link is from the Sun, best I could find

https://www.thesun.co.uk/news/12072680/bungled-test-trace-system-10-billion/



£12 million I can understand. There's rather a key question where the other £9.99 billion has gone though.

So far as I can see the actual story is closer to:
Government allocates £10B to track and trace overall (i.e. not just the app - it's money to Serco etc.)
As of the story, track and trace wasn't doing so well (and had cost an unspecified fraction of the £10B)
The app itself was ~£10M (which still seems like quite a lot to me, even including the costs of running the Isle of Wight trial)

 

[mmh]

£10 million might be viable when it also considers the purchase/leasing of data centre infrastructure etc that won't have been used but will have to be paid for contractually.

I think you're correct, people have been saying billions rather than millions. A minister told the Lords in June it had cost about 12 million. The bulk of that went to a development consultancy (Zuhlke, 7 million) and an infrastructure company (VMWare, 3 million). My guess is they planned to host it with one of the approved "cloud" vendors. Some of them are expensive, but not 10 billion expensive!

 

[AdamWW]

I think you're correct, people have been saying billions rather than millions. A minister told the Lords in June it had cost about 12 million. The bulk of that went to a development consultancy (Zuhlke, 7 million) and an infrastructure company (VMWare, 3 million). My guess is they planned to host it with one of the approved "cloud" vendors. Some of them are expensive, but not 10 billion expensive!

I'm used to developing actual things, not software. But 7 million for the app seems quite high considering what I could develop and build for that money. Especially considering the timescale they must have spent it on.

 

[Bletchleyite]

I'm used to developing actual things, not software. But 7 million for the app seems quite high considering what I could develop and build for that money. Especially considering the timescale they must have spent it on.

It sounds about right to me.

 

[birchesgreen]

I'm used to developing actual things, not software. But 7 million for the app seems quite high considering what I could develop and build for that money. Especially considering the timescale they must have spent it on.

About 6.999 million would have gone to "consultants" and people with fancy but mysterious titles like software architects, the rest to the people who actually do the work.

Cynical former software engineer? Me?

 

[IanXC]

So long as the proximity system genuinely is the Apple Google system without any 'add ons' I probably will install it.

Unless the QR code scanning aspect simply adds a location code to the list of other codes I've been exposed to (and checks then against the 'hot list' as per proximity), then I don't see myself using that. I shall stick with the paper/individual business versions of there is any chance of centralised data collection.

 

[Bantamzen]

So long as the proximity system genuinely is the Apple Google system without any 'add ons' I probably will install it.

Unless the QR code scanning aspect simply adds a location code to the list of other codes I've been exposed to (and checks then against the 'hot list' as per proximity), then I don't see myself using that. I shall stick with the paper/individual business versions of there is any chance of centralised data collection.

Looking at the site set up to generate the QR codes it appears that all that is recorded on them is the name & address / email of the premises, along with contact numbers. And according to the NHS app site it is stored only on your device, and is not centralised:

What data is used by the NHS COVID-19 app? · COVID-19 app support

The app will never access your GPS location, contacts, or any other personal data saved in your phone.

The app does record the following:

• Contact tracing data, including how long you're close to another app user and the date and time of these encounters. It records the signal strength of other anonymous app users’ Bluetooth to work out how far apart you are. Contact tracing data will stay on your phone for 14 days.
• Venue check in data. This is protected data about which venues you checked in to and at what time. This data never leaves your phone and is automatically deleted after 21 days.
• Your postcode district, which is the first part of your postcode before the space. Read more about how the app uses your postcode district.

 

[adc82140]

I'm not concerned about privacy levels on the surface of it. What concerns me if how hacker proof it is, and what could happen if people with ill intent get access to the data. Because it will happen. The more someone says their system is unhackable the less confidence I have in it.

 

[DelayRepay]

I'm not concerned about privacy levels on the surface of it. What concerns me if how hacker proof it is, and what could happen if people with ill intent get access to the data. Because it will happen. The more someone says their system is unhackable the less confidence I have in it.

What is the motive though? What benefit would a criminal gain from knowing that I visited pub x on Tuesday afternoon, and sat near you on the 52 bus to town on Saturday morning? I am sure there would be a way to use that knowledge for gain, but I cannot immediately think how. I also think if someone was determined, they would be able to obtain most of that data anyway from my GPS records (yes, I know some people turn it off, but I don't think they're in the majority).

I do share the concern about whether, in time, the data will be made available to other authorities. It is easy to say this won't happen, but what happens when the police think that access to data is important when searching for a suspected terrorist, or a missing child, or potential witnesses to a murder? If you do allow access, where do you draw the line? Overall I think the app is a good thing but like everything it's not without risk.

NB: Not sure if I mentioned it, but my friend's barber used the details left for Track and Trace to phone my friend when he left his bag behind in the shop. Strictly not allowed but friend was grateful to get his bag back!

 

[Bantamzen]

I'm not concerned about privacy levels on the surface of it. What concerns me if how hacker proof it is, and what could happen if people with ill intent get access to the data. Because it will happen. The more someone says their system is unhackable the less confidence I have in it.

What is the motive though? What benefit would a criminal gain from knowing that I visited pub x on Tuesday afternoon, and sat near you on the 52 bus to town on Saturday morning? I am sure there would be a way to use that knowledge for gain, but I cannot immediately think how. I also think if someone was determined, they would be able to obtain most of that data anyway from my GPS records (yes, I know some people turn it off, but I don't think they're in the majority).

I do share the concern about whether, in time, the data will be made available to other authorities. It is easy to say this won't happen, but what happens when the police think that access to data is important when searching for a suspected terrorist, or a missing child, or potential witnesses to a murder? If you do allow access, where do you draw the line? Overall I think the app is a good thing but like everything it's not without risk.

NB: Not sure if I mentioned it, but my friend's barber used the details left for Track and Trace to phone my friend when he left his bag behind in the shop. Strictly not allowed but friend was grateful to get his bag back!

On the face of it there doesn't seem to be that much data that would be of interest to a hacker. The app records close contact with other app-enabled devices, and any check-in scans. It doesn't store personal data, nor does it transmit any to a central database as a matter of course. As I understand it if a person records a positive test, the contact / check-in details are then used to ping messages to all enabled phones, and if your phone has corresponding details then you get the alert. Contact data is deleted after 14 days, check-in data after 21 days.

Of course hackers might be more interested in all these devices with Bluetooth enabled, but they'd likely make use of their own software to try to hack phones, but of course they'd have to be a few feet away, which they would likely not be.

 

[birchesgreen]

What is the motive though? What benefit would a criminal gain from knowing that I visited pub x on Tuesday afternoon, and sat near you on the 52 bus to town on Saturday morning? I am sure there would be a way to use that knowledge for gain, but I cannot immediately think how. I also think if someone was determined, they would be able to obtain most of that data anyway from my GPS records (yes, I know some people turn it off, but I don't think they're in the majority).

If a criminal stole your identity and needed your location for alibi purposes perhaps? Unlikely i know but its always best never to underestimate the criminal mind.

 

[MikeWM]

Looking at the site set up to generate the QR codes it appears that all that is recorded on them is the name & address / email of the premises, along with contact numbers. And according to the NHS app site it is stored only on your device, and is not centralised:

That's a rather sensible model if true.

Not sure how it will work in practice for businesses though. If customers are doing the QR thing, then the business itself doesn't need to keep a record of the customer visit. But it will if they're not. Sounds a bit complex to manage.