Test and Trace – Safety, Security and Data Storage Concerns

Overview

On 28th May 2020 the UK government introduced the manual element of its test and trace scheme.

Following an individual testing positive for Covid-19, the aim of the scheme is to identify the other people (family members, work colleagues, a friendly milkman) with whom the test subject has had contact in the two days prior to the start of their symptoms. These individuals will be contacted and given strongly worded advice to self-isolate for 14 days, regardless of whether they are symptomatic or not!?

It will also be the case that any family members or others that live with you must isolate themselves for the remainder of the period from when your symptoms began.

What is classed as contact?

  • face-to-face contact with someone - less than 1 metre away
  • spending more than 15 minutes in the company of a person within 2 metres
  • travelling in a car or small vehicle with someone or close to them on a plane
  • if you work in – or have recently visited – a setting with other people (for example, a GP surgery, a school, or a workplace)

How will you be contacted?

According to the gov.uk website, the tracers will contact those who have had a positive result via text message, email or phone.

Those individuals “will be sent a link to the NHS test and trace website and asked to create a confidential account where you can record details about your recent close contacts. If you do not have internet access or if you don’t complete the online process, one of our contact tracers will phone you to gather this information from you”.

The minimum information that will be sought from the individuals who have been tested is name, date of birth, address, email address and phone number. The tracing website and human tracers will then seek to ascertain names, email addresses, addresses and contact numbers from those you have had contact with.

Alarm bells are ringing here already!! As previously talked about in other FAST LANE SECURE articles (all available in the News section of the website www.fastlanesecure.com), the pandemic has given rise to an increase in Covid-19 phishing, smishing and vishing scams.

These types of scams all start with contact from an unknown source seeking personal information and asking you to click on a link!!

Taking this a step further, how can an unknowing member of the general public, who receives contact out of the blue stating that they have had an encounter with an individual who can’t be named for data protection reasons but who has tested positive for Covid-19, and that as a result they must self-isolate for 14 days, be certain this is legitimate?

This system opens itself to the simplest of abuses; the groundwork has already been done for any unscrupulous fraudster wishing to take advantage.

How can you be sure that you are giving your information to a Contact Tracer and not a Fraudster? How do you prove otherwise before clicking on a link and typing in your personal information??

As far as I can see, and I stand to be corrected, the only guidance provided by the government is that a Contact Tracer will:

  • only contact you from 0300 013 5000

and

  • A text message will be received from NHS

Both of which can be easily spoofed by any established fraudster!

I also had to seek this information out from the gov.uk website; will most of society, including the most vulnerable, seek out this information? Will they be aware that, having been asked for and provided names, addresses, dates of birth, contact numbers and email addresses for themselves and others, a Contact Tracer will not go on to:

  • ask you to download any software to your PC or ask you to hand over control of your PC, smartphone, or tablet to anyone else
  • ask for your social media identities or login details, or those of your contacts
  • ask you to access any website that does not belong to the government or NHS
  • ask you to make any form of payment or purchase a product of any kind
  • ask you to dial a premium rate number to speak to us (for example, those starting 09 or 087)
  • ask for any details about your bank account
  • ask you for any passwords or PINs, or ask you to set up any passwords or PINs over the phone
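The rule that a tracer will never send you to a website that does not belong to the government or NHS is only useful if the check is made on the link's actual hostname, not on whether "nhs" or "gov.uk" appears somewhere in it. The sketch below is an added example, not part of the original article or any government tooling; it assumes that "government or NHS" means hosts under gov.uk or nhs.uk, and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: "belongs to the government or NHS" means a host under one of these.
OFFICIAL_PARENTS = ("gov.uk", "nhs.uk")


def official_host(url):
    """Return the hostname if the link targets an official domain, else None."""
    url = url.strip()
    # Browsers read "\" as "/" and drop control characters, so refuse any
    # link that a browser and this parser could interpret differently.
    if "\\" in url or any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return None
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    # Refuse non-ASCII and punycode labels, which can imitate official names.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return None
    for parent in OFFICIAL_PARENTS:
        # The host must BE the parent or END with ".parent"; a host that
        # merely starts with or contains "nhs.uk" does not qualify.
        if host == parent or host.endswith("." + parent):
            return host
    return None


# Constructed sample links (the .example hosts are placeholders, not real sites).
SAMPLE_LINKS = [
    "https://www.gov.uk/guidance/nhs-test-and-trace-how-it-works",
    "https://www.nhs.uk@login.example/trace",   # real host is login.example
    "https://nhs.uk.account-check.example/",    # official name used as a prefix
    "https://nhs-uk.example/trace",             # lookalike name
    "http://www.nhs.uk/",                       # not HTTPS
]


def triage(links):
    """Map each link to its official hostname, or None if it fails the check."""
    return {link: official_host(link) for link in links}


if __name__ == "__main__":
    for link, host in triage(SAMPLE_LINKS).items():
        print("official " if host else "REJECT   ", link)
```

A pass here only says where the link leads; it says nothing about the sender name or calling number on the message that carried it.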

In all likelihood, with ministers stating it is our ‘civic duty’ to provide this information, many will do so thinking it is for the greater good. Once they have been handed names, addresses, dates of birth, phone numbers and email addresses, fraudsters are already awash with data that can be easily monetised on the criminal underground.

Who are the Contact Tracers?

The government has apparently recruited 25,000 contact tracers from different walks of life, some with previous experience and some without. These tracers will work from home initially and be given access, via a database, to the details of individuals who have tested positive for Covid-19 and also those who have had contact.

There are many questions that require answers when it comes to those who are handling our personal data. The first 3 that spring to mind about the contact tracers themselves are:

  1. What checks have been made on those individuals?
  2. What checks have been made on those within their household?
  3. What level of security clearance do they hold?

In the UK there are 3 security levels:

  • Counter Terrorist Check (CTC): is carried out if an individual is working in proximity to public figures, or requires unescorted access to certain military, civil, industrial, or commercial establishments assessed to be at particular risk from terrorist attack
  • Security Check (SC): determines that a person’s character and personal circumstances are such that they can be trusted to work in a position that involves long-term, frequent, and uncontrolled access to SECRET assets
  • Developed Vetting (DV): in addition to SC, this detailed check is appropriate when an individual has long term, frequent and uncontrolled access to ‘Top Secret’ information. There is also Enhanced DV.

I have been cleared at SC level; this process took 8 weeks, and this was at a time when the country wasn’t plagued by a pandemic. How can an already overburdened civil service be in a position to fully conduct 25,000 security checks in 8 weeks!? Has some of this been outsourced?

It seems at least some of it has, to a private company called SERCO.

SERCO have already hit the headlines and had to issue an apology, having accidentally shared almost 300 email addresses that belonged to newly recruited contact tracers.

We are however assured by government ministers that our personal information is in safe hands!!

Looking at the position from a digital perspective

We can be certain that the database storing the information will be secure and encrypted.

But if individuals are working from home, what consideration has been given to the home network that is being used to connect to the database? Is the connection secure? Are there firewalls in place? Are the devices that are being used encrypted? Have anti-virus and anti-malware protection been installed, and are they up to date??

What other devices are present within the room that could be watching or listening?

 

How is the information that is collected going to be used and stored?

Who knows for certain? No guarantees have been afforded by the Government or Public Health England as to the full extent of how your data will be used during the pandemic or after Covid-19.

Something we can be certain of though, as documented within Public Health England’s privacy policy, is that the data is to be stored by Amazon Web Services; yes, that is the same company that provides consumers with online shopping and subscription services. It is also the case that data will be stored for up to 20 years.

Also bear in mind that, according to Public Health England, it is apparently not an absolute right that your personal information will be destroyed, but they have been so kind as to say that an individual would be able to ask for it to be deleted!

There are just too many holes and unanswered questions with this current scheme.

These are also going to be exacerbated when the track and trace app is released, but that will be for another article.

I have to accept, these are unprecedented times and the reasoning behind the scheme is for good, however I cannot sit here and advise you to provide your personal information and the personal information of others to a source which you cannot immediately identify as legitimate. A source that cannot fully commit to explaining exactly how that information is going to be used for between 5 and 20 years.

If you do choose to volunteer this information, make sure you do so with the greatest amount of caution possible.

If the caller or website goes further than what is suggested above and starts asking for bank details or passwords and the like, immediately terminate whichever method you are using and report it to the Police and Action Fraud.

What I do feel is a true civic duty is to make those in society who may be vulnerable or susceptible aware of the scams and tricks used by fraudsters and criminals to ensure they are not taken advantage of and do not fall victim.

Stay Cautious, Stay Safe.

 

 

https://www.gov.uk/guidance/nhs-test-and-trace-how-it-works

https://www.gov.uk/guidance/security-vetting-and-clearance

https://www.bbc.co.uk/news/uk-52732818 Serco Apologises

https://www.bbc.com/news/amp/uk-52829357 Contact Tracers

https://www.independent.co.uk/news/uk/politics/coronavirus-test-and-trace-system-data-record-law-nhs-a9537396.html