Protect Scotland is the name given to our nation\u2019s new COVID-19 contact tracing application. I’ve researched this pretty thoroughly and as far as I can tell, from a data security, technical and privacy perspective the app gets a clean bill of health. I’ve downloaded the app myself and encourage everyone who can to do so.<\/p>\n
You can download the app from the Protect Scotland<\/a><\/u><\/span> website which has links for both iPhones and Androids.<\/p>\n How does it work?<\/b><\/p>\n The contact tracing app being recommended by our First Minister is based on a collaboration by Apple and Google<\/a><\/u><\/span>. This collaboration was necessary to ensure a reliable notification service is tied to the Bluetooth hardware on your phone in a way that allows it to consistently poll for the people around you. This lets it build a picture of who you\u2019ve come into contact with. It uses BLE (Bluetooth Low Energy) to ensure minimum impact on battery.<\/p>\n Now, assuming for simplicity that everyone has downloaded the app on a compatible device, the idea is that as you walk along the road and pass people, your phones are broadcasting an anonymous key, and collecting the keys of everyone else. This is all done locally, and nothing is sent over the internet.<\/p>\n If the app sees any given key for more than 15 consecutive minutes, it tallies that up as a \u201ccontact\u201d, and stores the key on your phone for two weeks. After two weeks, it ages out and is deleted. If a key disappears before hitting that 15 minute mark, it\u2019s never stored in the first place.<\/p>\n Assuming you later test positive for C19, the NHS give you a code to enter to your phone. When you do this, your phone notifies the NHS server, and uploads its \u201ccontacts\u201d \u2013 the list of keys it\u2019s stored as a result of the above process. The NHS will then send a notification to those devices. These people should then self isolate, or book a test themselves if they show symptoms.<\/p>\n Issues<\/b><\/p>\n Like all complex subjects, there are some nuances worth highlighting.<\/p>\n Frequently Asked Questions<\/strong><\/em><\/p>\n Is it private?<\/b><\/p>\n Yes. Nothing the NHS stores is identifiable. Also, there\u2019s no location data sent or associated with a key. So when the NHS notifies your \u201ccontacts\u201d after you test positive, it doesn\u2019t know who it\u2019s notifying, or where they are. So yes, it\u2019s written with privacy front and centre.<\/p>\n Why would I trust a government-built app on my phone!?<\/b><\/p>\n There\u2019s a number of really positive factors which will really help you overcome your inherent seditionist, insurrectional impulses here, never fear!<\/p>\n The app is open source. This means that you can read and review the source code that underpins the app, to see what it does and doesn\u2019t do. Here\u2019s the link: https:\/\/github.com\/NES-Digital-Service\/protect-scotland<\/a><\/u><\/span>. If, like me, you can\u2019t read or understand React Native and Typescript (which is how the app is written), then at least we can put some trust in the fact that others can and they will no doubt call out any bad behaviour they see.<\/p>\n<\/li>\n The app is decentralised. This means that nothing is stored by NHS servers by default. In fact, only if you enter an NHS-provided \u201ctested positive\u201d code to your app is anything sent at all. Even then, only the encrypted keys of your \u201ctracked contacts\u201d are sent.<\/p>\n<\/li>\n This is almost the same app that Northern Ireland deployed back in August. In fact, it\u2019s written by the same company (Nearform<\/a><\/u><\/span>), who have deployed variations of this decentralised app for Ireland, Northern Ireland and Gibraltar. So it’s had plenty of time to address criticism and incorporate improvements before the NHS brought them in for Protect Scotland.<\/p>\n<\/li>\n<\/ol>\n So you can retire the tinfoil hat! There\u2019s no evidence here of shenanigans.<\/p>\n Does it actually work?<\/b><\/p>\n There are mixed reports on this. An Oxford study<\/a><\/u><\/span> showed that, assuming that the contact tracing mechanism is reasonably accurate (more on that below), we need around 60% of the population to use a contact tracing app before we stop the pandemic completely. However, that same report notes that even if only as few as 15% use it, it still has a positive effect on reducing cases.<\/p>\n A few days after its launch, during the First Minister\u2019s COVID-19 briefing<\/a><\/u><\/span>, Nicola Sturgeon reported that the app has been downloaded 900,000 times. With Scotland\u2019s population estimated around 5.5M, that puts us at nearly 17%, which is pretty encouraging for an app which at that point had only been available for just over 4 days. That’s already over the threshold that the Oxford researchers suggest will make a difference.<\/p>\n\n
\n