Wide-ranging security flaws have been flagged in the Covid-19 contact-tracing app being piloted in the Isle of Wight.
The security researchers involved have warned the problems pose risks to users’ privacy and could be abused to prevent contagion alerts being sent.
GCHQ’s National Cyber Security Centre (NCSC) told the BBC it was already aware of most of the issues raised and was in the process of addressing them. But the researchers suggest a more fundamental rethink is required.
Specifically, they call for new legal protections to prevent officials using the data for purposes other than identifying those at risk of being infected, or holding on to it indefinitely.
In addition, they suggest the NHS considers shifting from its current “centralised” model – where contact-matching happens on a computer server – to a “decentralised” version – where the matching instead happens on people’s phones.