Nearly half (48%) of the UK public surveyed about the NHSX COVID-19 tracing app do not trust the UK government to keep their information safe from hackers. This is according to a study carried out by Censuswide on behalf of Anomali, a leader in intelligence-driven cybersecurity solutions. The nation-wide survey, released today, examined consumer attitudes to the proposed tracing app, particularly their confidence and wider trust in the government to appropriately and justly handle the data collected for the scheme.
Other major findings from the report include:
- Around 43% of respondents were concerned that the app would give cyber criminals the opportunity to send smishing messages or phishing emails.
- Yet, only half (52%) felt they were savvy enough to differentiate between a legitimate email or text message and a phishing/smishing message.
- A further third of respondents (33%) are concerned that the app might allow the government to track their whereabouts.
- Over a third of respondents (36%) are concerned that the app might allow the government to collect data on them.
According to the NHS website: “Contact tracing is a tried and tested method used to slow down the spread of infectious diseases. The NHS COVID-19 App automates the process of contact tracing. Its goal is to reduce the transmission of the virus by alerting people who may have been exposed to the infection so they can take action to protect themselves, the people they care about and the NHS.”
The first phase of the initiative was piloted in the Isle of Wight earlier this month for testing before proposing a national launch. This study set out to gauge the trade-off between privacy and the “greater good” and what people’s comfort levels are when it comes to the government tracking them. Though many demonstrated concerns over the government tracking them via the app and even more respondents unsure about the government being able to keep their information safe from hackers, there was also apprehension about being targeted by opportunistic cybercriminals; and rightly so.
“At this stage, nobody knows where to get the NHSX app from, so it can be reasonably expected that consumers will be faced with floods of emails with bogus links to convincing looking domains to download the app from,” Jamie Stone, head of EMEA at Anomali, posited.
He explained that the link will simply be a web page that will ask people for more personal information than the genuine app and the information could be used in future attacks against the individual.
Stone also warned over an increase in people being targeted by mobile phone communications.
“There is also the danger of smishing attacks; similar to a phishing attack, but the phish is done via SMS message,” he said. “Due to the smaller screen real estate, people will be less able to check the veracity of the link so will be more trusting and might click it.”
With thousands more domain registries for COVID-19 noted by Anomali over the past few months, the public will have to be extra vigilant when it comes to what they download or click.
“It’s tough to predict the increase in the volume of attacks we’ll see. However, we’re already seeing thousands of rogue and spoof COVID-19 domains being registered and used in attacks,” Stone explained. “Global interest around the virus, and each nation’s track-and-trace apps, means that attackers will likely use many of these domains to host phishing attacks via both email and SMS. People using COVID tracking apps need to be extremely vigilant and aware, ensuring that they’ve installed official government apps and that they are interacting with authentic messages from the agencies.”
The survey was carried out between 7th and 11th May by Censuswide among 1000 UK consumers.
Anomali® delivers intelligence-driven cybersecurity solutions. Our solutions include Anomali ThreatStream®, Anomali Match™, and Anomali Lens™. Private enterprises and public organizations use Anomali to harness threat data, information, and intelligence to make effective cybersecurity decisions and detect and respond to threats. Anomali customers include more than 2,300 global organizations, many of the Global 2000 and Fortune 500, and large government and defense organizations around the world. Founded in 2013, it is backed by leading venture firms including GV, Paladin Capital Group, Institutional Venture Partners, and General Catalyst. Learn more at www.anomali.com.
Commenting on the news, Paul Bischoff, privacy advocate, Comparitech.com, stated:
Surveillance creep is a big concern with contact tracing apps. Once we start to allow surveillance into our lives, it’s difficult to remove it later. In China for instance, it appears state-controlled tracing apps are going to become an permanent fixture of everyday life. Eventually, intrusions into our daily lives that would have been met with public outcry a few years ago now seem acceptable. Businesses and governments could abuse the data for their own gains, and hackers could breach the data and steal it. Surveillance also has a chilling effect on freedoms of movement and assembly.
Javvad Malik, security awareness advocate at KnowBe4, added:
Even with the advancements of artificial intelligence and processing power to identify people from biometrics, it is far from reliable technology. It is why trained human operators will be needed in conjunction with such software for the foreseeable future in order to eliminate false positives or false negatives.
One of the biggest challenges with this kind of software is they rely on quite basic pattern matching which can be bypassed quite easily with shadows, tattoos and so forth. We’ve seen issues with facial recognition before in misidentifying people of colour or minorities. This is often due to lack of diversity in the development and testing teams, which is why it’s important that any organisations developing such technologies ensures there is appropriate diversity and have a strong code of ethics to dictate what is or isn’t appropriate development practices.
Also commenting on the news, Chris Hauk, Consumer Privacy Champion at Pixel Privacy, said:
While I believe U.K. users do have valid concerns about the government tracking their movements through the NHSX Covid-19 contact-tracing app (it’s the government, that’s what governments do), the main issue at this point in time is the risk of cyber criminals being able to take advantage of the current confusion over the availability and features of the NHSX app. These bad actors will do their best to muddy the waters by sending phishing emails claiming to include a link to the official NHSX app, but instead linking to malicious apps and malware designed to steal the users’ important personal information.
U.K. users need to stay alert and treat any such communication purporting to be from the NHS as they would with any unsolicited email or text communications. Do not click any links in any such communications.
Finally, Niamh Muldoon, Senior Director of Trust and Security EMEA at OneLogin, concluded:
This report highlights the lack of public trust in the government and the desperate need for cybersecurity education, since over half of respondents did not feel they could not confidently differentiate between a legitimate and fraudulent communication and just under half fear that COVID-19 tracing apps would lead to cyber-attacks.
But, from a privacy perspective once the UK Government can provide individuals with privacy trust assurance, I see this technology as a great enabler to tackle coronavirus pandemic. Privacy trust assurance means that data is only being used for the purpose that it is collected, in this case to track virus infection, and that the individuals’ data is being protected as it is collected, purposed and stored by the app and appropriate security controls are applied; for example, access control technologies and encryption.