The UK coronavirus tracking app

NHSX, the digital innovation wing of the NHS, is going to leverage an API (Application Programming Interface) from Apple and Google to introduce smartphone tracking for coronavirus.

The basic idea is as follows:

  1. You download the smartphone app to your phone and switch bluetooth on. Other people do likewise.
  2. When you're out somewhere, your phone will exchange anonymous keys over Bluetooth with any other phone in range (that has the app installed).
  3. If you self-diagnose as having coronavirus, you flag yourself as such in the smartphone app and an anonymous code will be uploaded to a government database. This will flag you as a yellow alert.
  4. If you subsequently get tested and are confirmed as having coronavirus, you'll be upgraded to a red alert.
  5. Other users will now get notified if they were in range of you, thus letting them know they've been in contact with someone who may have coronavirus (yellow alert) or someone who definitely has coronavirus (red alert).

This is intended to cover contact with asymptomatic virus carriers because of course if you suspect you have coronavirus you should be self-isolating. It is therefore very much after the fact.

There are problems with this setup of course. It relies on people installing the app, reporting on it accurately, it is subject to the limitations of bluetooth and it probably needs 50%+ of the population using it to be truly effective. It would also be far more effective if mass testing was available because the yellow alerts could easily be misdiagnoses.

It has protections in place via the anonymity of its data, so hopefully no vigilantes will be inclined to beat you up in the turnip aisle of Tescos because they think you might have given them coronavirus.

Some security researchers still have reservations, but maybe this is the best we can hope for.