In response to the COVID-19 pandemic, NHSX—the digital innovation unit of the UK’s National Health Service—developed a mobile contact tracing app to support the nation’s public health strategy. Ensuring user privacy and system security was foundational to the app’s design, and the National Cyber Security Centre (NCSC) played a key role in shaping the technical architecture. This article explores the privacy-first, secure-by-design approach that underpinned the app’s development.
Decentralized vs. Centralized Models
The NHS app adopted a centralized model for data collection and analysis, diverging from many international counterparts that used decentralized frameworks. While this decision drew criticism from privacy advocates, it enabled public health authorities to gain broader epidemiological insights.
In a centralized model:
- Temporary IDs (ephemeral Bluetooth identifiers) are uploaded to a server when a user is diagnosed with COVID-19.
- The server performs the matching and notifies other potentially exposed users.
This approach contrasts with decentralized models like the Apple-Google Exposure Notification System (ENS), where all matching happens on-device, limiting the data available to health authorities.
Key Privacy and Security Principles
The app design was informed by five guiding principles:
- Data Minimization: Only the minimum necessary data was collected. Identifiable personal data such as name or precise location was not required.
- Anonymity and Ephemerality: Users were identified by rotating, anonymous Bluetooth identifiers, refreshed frequently to prevent tracking.
- Security by Design: End-to-end encryption and secure storage of keys and metadata ensured robust protection of user data.
- Transparency and Public Scrutiny: The source code and technical documentation were published for public review.
- Time-limited Data Retention: Data was retained only for as long as necessary for public health purposes and then deleted.
Technical Architecture Overview
The app’s architecture included the following components:
- Mobile App: Captures Bluetooth proximity events and stores them locally.
- Backend Server: Receives temporary IDs from infected users and distributes them to other devices for risk calculation.
- Risk Scoring Engine: Calculates the likelihood of exposure based on signal strength, duration, and other epidemiological parameters.
To ensure privacy, no GPS data was collected, and Bluetooth identifiers were pseudonymous and regularly rotated.
Cryptographic Mechanisms
The cryptographic architecture of the app included:
- Key Derivation Functions (KDFs) to generate unique Bluetooth identifiers.
- Secure Transmission Protocols (HTTPS) for all communications between the app and backend.
- Digital Signatures to validate server messages and prevent spoofing.
These cryptographic safeguards were essential to ensure data integrity and protect against common threats like replay attacks and data injection.
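The centralized flow described above (rotating pseudonymous identifiers derived with a KDF, a diagnosed user's contact log uploaded to the server, server-side matching, and a risk score from signal strength and duration), as an added Python sketch that is not NHSX or NCSC code. It assumes HMAC-SHA256 over the rotation interval as the KDF, a 15-minute rotation, a toy scoring function and threshold, and a backend that holds each registered device's secret so it can re-derive identifiers; none of those specifics come from the article.

```python
import hashlib, hmac, secrets
from collections import defaultdict

ROTATION_SECONDS = 15 * 60   # assumed rotation interval (not stated in the article)
RISK_THRESHOLD = 10.0        # assumed notification threshold (not stated in the article)

def derive_ephemeral_id(device_secret: bytes, interval: int) -> bytes:
    """Pseudonymous Bluetooth ID for one interval; HMAC stands in for the page's KDF."""
    return hmac.new(device_secret, interval.to_bytes(8, "big"), hashlib.sha256).digest()[:16]

def risk_score(rssi_dbm: int, duration_s: int) -> float:
    """Toy exposure score: stronger signal (closer) and longer contact weigh more."""
    proximity_weight = 1.0 if rssi_dbm >= -60 else 0.5 if rssi_dbm >= -75 else 0.1
    return proximity_weight * duration_s / 60.0

class Server:
    """Centralized backend: registers devices, matches uploaded logs, picks users to notify."""
    def __init__(self):
        self.secrets = {}   # device_id -> secret (assumed; lets the server re-derive IDs)

    def register(self, device_id: str) -> bytes:
        self.secrets[device_id] = secrets.token_bytes(32)
        return self.secrets[device_id]

    def upload_contacts(self, reporter: str, contacts) -> dict:
        """contacts: (seen_id, interval, rssi_dbm, duration_s); returns exposed device -> score."""
        exposure = defaultdict(float)
        for seen_id, interval, rssi, duration in contacts:
            for device_id, secret in self.secrets.items():
                if device_id == reporter:
                    continue   # never match the reporter against their own identifiers
                if hmac.compare_digest(seen_id, derive_ephemeral_id(secret, interval)):
                    exposure[device_id] += risk_score(rssi, duration)
        return {d: s for d, s in exposure.items() if s >= RISK_THRESHOLD}

def simulate() -> dict:
    """Constructed scenario: alice is diagnosed; bob was close for 20 min, carol far for 5 min."""
    server = Server()
    server.register("alice")                 # the reporter; her own secret is not needed here
    bob_secret = server.register("bob")
    carol_secret = server.register("carol")
    t0 = 1_700_000_000 // ROTATION_SECONDS   # an arbitrary rotation interval
    alice_log = [   # what alice's app stored locally, as (seen_id, interval, rssi, duration)
        (derive_ephemeral_id(bob_secret, t0), t0, -55, 600),          # close, 10 min
        (derive_ephemeral_id(bob_secret, t0 + 1), t0 + 1, -58, 600),  # same person, rotated ID
        (derive_ephemeral_id(carol_secret, t0), t0, -85, 300),        # distant, 5 min
    ]
    return server.upload_contacts("alice", alice_log)
```

Only bob crosses the threshold (score 20.0); carol's brief, distant contact scores 0.5 and is not notified, and the server never needs names or location to reach that decision.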
Addressing Common Threats
The NCSC threat model covered several key risks:
- Re-identification Attacks: Mitigated by rotating Bluetooth identifiers.
- Spoofing and Relay Attacks: Prevented through cryptographic validation of messages.
- Denial of Service (DoS): Rate limiting and anomaly detection mechanisms were used to resist abuse.
- Server-side Compromise: Access controls, audit logs, and secure coding practices were implemented to reduce insider threats.
Lessons for Future App Development
The NHS contact tracing app highlights the importance of embedding privacy by design and security by default principles from the outset of development. While the centralized approach provided epidemiological value, the trade-offs underscore the need for continuous dialogue between developers, public health experts, and privacy advocates.
As digital contact tracing evolves, it is crucial for developers and security professionals to build upon this foundation with more transparent, interoperable, and user-consent-driven architectures.