Like many others I have not signed up for the Government’s ‘Test and Trace’ app. My reasons for coming to the decision to have as little to do as possible with this questionable app are two fold. The first is I do not trust the government to use the data for the purpose that they claim they are going to use the data for, which is monitoring those who have been exposed to covid. This government has turned out to be far too authoritarian for the liking of either myself of many others and I’ve no inclination to help them become even more authoritarian and use this data for other purposes.

The second reason for not signing up for test and trace is that I have grave doubts about the competence of those who designed this app nor about the security of the data on this app. Her Majesty’s Government does not exactly have a stellar record when it comes to competence in creating IT projects and especially NHS IT projects. Also although some of the some of the higher government level infosec is good and effective and has been since World War II, other areas, including Test and Trace are proving to be security nightmares.

One thing that should worry those tempted to use Test and Trace is data sales to third parties which will be seen by many to be a major security hole. The Reclaim the Net organisation has found that NHS Test and Trace data is being sold to third parties and is being retained not for the short while that the data should be retained for, but is likely to be held for years.

Reclaim the Net said:

Collecting and selling personal data of online users, without any discernible benefit to them, has for many years been one of the most, if not the most lucrative businesses in the digital realm. Just look at what unchecked and shameless data collecting and ad selling has done for the trillion-dollar businesses like Google and Facebook.

So why would anyone be surprised that much smaller but equally thirsty companies, who happen to have government contracts in the era of coronavirus in the UK to “contact-trace” data they harvest from, say, restaurants and pubs – and their patrons, no doubt desperate to reclaim some semblance of normalcy in their lives, and so sign away any rights without ever properly reading the TOS – would now be selling that goldmine of personal data to third parties?

Even so, this is still something that should give pause to everyone involved or observing this go down, namely, that the UK NHS’s Test and Trace service, set up to track coronavirus cases and their contacts – would eventually stumble into this most feared yet expected controversy. Namely, that the system through its many subcontractors might devolve into a shady to say the least, scheme to collect and retain personal data of users, for monetary purposes.

Test and Trace, even if obviously technically challenged from the start, always maintained that its purpose was simply to serve society in the purest and most altruistic form: for the sake of curbing the spread of a virus.

Reclaim the Net then went onto give two examples of how the data from those who sign up for Test and Trace is being abused and sold.

Reclaim the Net added:

Take this example: hospitality and beauty industry facilities, like bars, restaurants, spas, hair salons, etc, have been allowed in the UK to collect QR barcodes to retain their customers personal details like names, physical addresses, and phone numbers, CCTV images – with Pub Track and Trace (PUBTT) being one of the “subcontractors.”

The NHS apparently told local businesses collecting all this personal data they could only retain it for 21 days, and “not use it for any purposes other than for NHS Test and Trace.”

And yet PUBTT makes it clear this data can be used to “make suggestions and recommendations to you about goods or services that may be of interest to you’ and shared with third parties including ‘service providers or regulatory bodies providing fraud prevention services or credit/background checks’.”

Another company involved, Ordamo, in the business of tracking restaurant patrons, is reported to be retaining the data they scoop up for a whopping 25 years.

There are a lot of people, a growing number if what I’ve seen online in the UK, who view the Test and Trace system as somewhat sinister. They see it as less of a system to monitor a virus and more a system to monitor the population. Maybe such sceptical people are correct. If what Reclaim the Net has uncovered is even a fraction of the dodgy behaviour that is going on with Test and Trace then those who are sceptical of it seem to be right in wanting nothing to do with Test and Trace. Selling data to those who do credit and background checks should not be a purpose of the Test and Trace system neither should this data be used for stuff like targeted advertising.

The NHS has failed to put in any safeguards to prevent information being shared with third parties and neither has it prevented Test and Trace contractors from retaining information for excessive periods of time. The NHS has a truly appalling record for specifying and managing IT contracts and projects. They once, in 2013, lost £10 Billion on an IT project that had to be abandoned along with all the public money that had been invested in it. The NHS is barely an entity that can be trusted to deliver healthcare (it’s not nicknamed the National Death Service for nothing) and its record when it comes to matters or IT or information security nearly always leaves a lot to be desired. Test and Trace joins the rest of the NHS’s IT projects that have shown that they are unfit for purpose at best, or dangerously insecure, like Test and Trace, at worst.