NHSX App vs Lost Cousins

An unfortunate comparison in this week's newsletter. The NHSX app is coming in for HUGE criticism in the professional IT press due to the way it stores user data and passes it on to the central server. NHSX claim this means they get benefits of being able to analyse user data. The huge downside is that the storing and collecting of this user data means that it generates concern amongst the potential users and thus lowers the numbers of users.

It also creates a massively lucrative database as a target for hackers. Given the very low IT spend within NHS security just isn't taken seriously enough. Indeed in their own initial trial the roll out has been halted as it didn't pass the Isle of Wight's NHS own security and medical safety thresholds before they allowed the app on user devices. It takes some degree of incompetence for an in-house App trial to fail to pass a security hurdle in your own organisation.

The rest of the world (and LostCousins) treats the user data as anonymous only exchanging keys not sending user data back to a central server. eg: as the article says Lost Cousins users only see anonymous initials until both parties agree to be contacted. The rest of the world's contact tracing apps are using the same anonymous token idea and using that instead of storing personal data. Indeed both Apple and Google have announced that the next updates of their OS (iOS & Android respectively) will block this sharing of personal data by default unless the user specifically opts in so that Apps cannot just harvest location data and other contact info and pass it on.

So Lost Cousins is doing the security correctly, NHSX - not so much.