back to article UK's Ministry of Defence: We'll harvest and anonymise private COVID-19 apps' tracing data by handing it to 'behavioural science' arm

Worried about identifiable personal data from your coronavirus contact-tracing app making it into a British government database? Fear not! The Ministry of Defence is sanitising it all first. The bizarre and not-particularly-reassuring pledge came from the MoD last night as it announced that one of its units, called jHub, would …

  1. RuffianXion
    Facepalm

    Quelle Surprise!

    "The staff member who sent it put their email addresses in the CC section of the email, rather than the blind CC section" and we're expected to entrust our personal data to these numpties?

    1. Jellied Eel Silver badge

      Re: Quelle Surprise!

      ...and we're expected to entrust our personal data to these numpties?

      Bit late for that.. These numpties are trusted for a variety of things from prisons to nukes. Strangest part of this story to me was users being told not to contact the helpdesk for help. Other Serco customers & contractors may already be familiar with this process.

    2. Peter X

      Re: Quelle Surprise!

      It's worse though - apparently the people they've recruited haven't had proper training, haven't been told what questions they need to ask, haven't got the equipment (no, not sure what they need) to do the job.

      So, as per usual, Bojo's claims of it being a "world beating" system, and it "will be in place" by the beginning of next month seem... optimistic... if I'm being charitable.

      But I'm not feeling even slightly charitable, so I think I'll call it what it is, which is a crappy "system" that's been bodged together at the last minute to make it appear like the incompetent shower we have in office, are actually doing something. And even then, it needs a good slather of Boris-Brand-Waffle(TM) to make it possibly, vaguely, look like it might possibly work. Which it won't.*

      * Went a bit unexpectedly Charlie Brooker at the end there!

      1. HildyJ Silver badge
        FAIL

        Re: Quelle Surprise!

        If you can't trust the military, who can you trust?

        Uh, anybody else.

        Sounds like your MoD is run as well as our DoD.

        1. BrownishMonstr Bronze badge

          Re: Quelle Surprise!

          DoD? Department of the dead?

          1. Anonymous Coward
            Anonymous Coward

            Re: Quelle Surprise!

            I think the last D stands for Dotard, not sure. Anyone with contacts in North Korea?

            :)

        2. Jellied Eel Silver badge

          Re: Quelle Surprise!

          If you can't trust the military, who can you trust?

          Uh, anybody else.

          Well.. thanks to some.. interesting foreign policy, the military, security services & police have had decades of experience doing the Track & Trace* thing. So building up contact webs, traffic analysis etc etc to catch ne'er do-wells, preferably before things explode. And hopefully don't CC all their CI's telling them not to contact their helpdesk if they hear gunfire or doors being kicked in.

          *Parcelfarce(tm)?

      2. Rich 11 Silver badge

        Re: Quelle Surprise!

        * Went a bit unexpectedly Charlie Brooker at the end there!

        Given the target I think that's only to be expected. It's the supportable default status.

      3. Warm Braw Silver badge

        Re: Quelle Surprise!

        According to recent reports, the "people they've recruited" thought they'd been recruited for retail customer service jobs and the first time they realised they'd signed up for contact tracing was in shambolic video "training".

        It's also emerged today that contacts, assuming they're identified, will likely not be tested but merely asked to quarantine regardless. And that there's some sort of turf war between PHE's contact tracers and local authority public health staff.

        Meanwhile, the shelves are starting to look rather barer again in my local supermarkets - looks like the citizenry are already preparing for the government's "success".

        1. Doctor Syntax Silver badge

          Re: Quelle Surprise!

          "It's also emerged today that contacts, assuming they're identified, will likely not be tested but merely asked to quarantine regardless."

          They were saying that at the start, then there was a sort of vague mention of testing but the testing regime isn't going to be enough to keep up with it. If they have 18,000 tracers they each only need to trace 10 contacts plus false positives a day to eat up most of BoJo's 200,000 tests a day and leave an inadequate 20,000 for everything else.

        2. cantankerous swineherd Silver badge

          Re: Quelle Surprise!

          buy now for brexit

      4. JetSetJim Silver badge
        FAIL

        Re: Quelle Surprise!

        > - apparently the people they've recruited haven't had proper training, haven't been told what questions they need to ask, haven't got the equipment (no, not sure what they need) to do the job

        yes, but they've been recruited, so they've made good on their promise of 21k contact tracers in place in May. Just like they made their 100k test promise by mailing out 50k tests and counting that. Never mind the lack of knowledge of how to contact trace, lack of infrastructure to record the tracings, and all sorts of other "lack of"s

        1. Jellied Eel Silver badge

          Re: Quelle Surprise!

          ..and all sorts of other "lack of"s

          That's just public sector contracting. Do the minimum for maximum profit. Results may end up pointless, but as long as the contractual terms have been delivered, pay up, dear tax payer.

          On the plus* side, think of the benefits! TPTB will be able to run SimUK. Watch your subjects scurrying around in near real-time! Nudge them with some policies, and watch their behaviour change!

          On the minus side, Apple and Google can do the same thing, and flog the data or results to their customers for footfall analysis, direct marketing etc etc.

          *That was of course sarcasm. I'm unconvinced there are any pluses for Track & Trace, but much potential revenue from the data gathered by the most intrusive surveillance systems in our history. But it's for our own safety, so comply.. Because if you don't, you may find yourself barred by any establishment that checks for the app on entry. It really could end up like the good'ol Leper Laws.

    3. Fred Dibnah Silver badge

      Re: Quelle Surprise!

      Yes they’re numpties, but so are the people who write email software that makes CC the default instead of BCC.

      1. Anonymous Coward
        Anonymous Coward

        Re: Quelle Surprise!

        I use cc: in almost every email I send. I use bcc: maybe once a year.

        Think again.

        1. Fred Dibnah Silver badge

          Re: Quelle Surprise!

          Then obviously you don’t have to be concerned about sharing email addresses. Serco & other companies are (or should be) concerned, but having CC as the default copy line makes it inevitable that someone will make a mistake at some point.

          1. eldakka Silver badge

            Re: Quelle Surprise!

            Or maybe they should train their staff in how to use email?

            1. cantankerous swineherd Silver badge

              Re: Quelle Surprise!

              maybe they shouldn't use email.

          2. sabroni Silver badge

            Re: Quelle Surprise!

            Hmm. In my case cc used a lot, bcc hardly ever used. Seems like the security focused don't like that convenience.

            If you're sending out sensitive emails like this, why not automate the system rather than just using a dumb email client? Why use bcc at all when you can send multiple individual emails with a single valid cc? Why does the email you send to me need to come from an original mail that contains a list of all the recipients?

            The solution isn't to change normal email clients, it's to use a mail merge!

            1. Mike Pellatt

              Re: Quelle Surprise!

              Ha! I tried to use an Office 365 mailmerge into Outlook recently for a mail to a subset of my entire company.

              Turns out (after 30 mins work) it doesn't work if you want an attachment on the email.

              Back to Bcc: it was.

              1. JetSetJim Silver badge
                Windows

                Re: Quelle Surprise!

                In times yore, I wrote a VBA macro on a contacts spreadsheet to do just that. Yet another abuse of Excel

            2. Fred Dibnah Silver badge

              Re: Quelle Surprise!

              Most small companies don't have dedicated IT staff or a contracter to write or customise software for them, so they use standard email clients. They also *have* to be security-focussed and keep to the GDPR, yet they risk sharing email addresses almost every time they send an email.

              You could use mail-merge if you know how to set it up. Most people haven't a clue, and even the IT-savvy sometimes have problems with it.

          3. Doctor Syntax Silver badge

            Re: Quelle Surprise!

            "Then obviously you don’t have to be concerned about sharing email addresses."

            It depends on circumstances.

            A direct mail to a single person with CC to a small team or even a single individual known to the intended recipient wouldn't be a problem. Sending a BCC might be considered sneaky if the main recipient got to know about it.

            An email CCed to members of a group coordinated mostly be email (e.g. my local history group to the rest of the group) is also fine - it's the only way a new member of my history group can find out the others' addresses.

            A bulk email CCed to a lot of strangers is not fine. If the A/C only does bulk emails of that nature that once a year or so then there's nothing wrong with only using BCC so infrequently. But someone in an office job who needs to send out such emails (a) should know to use BCC, having been trained to to that, and (b) shouldn't be given an emailer that makes it too easy to get it wrong or too hard to get it right.

      2. logicalextreme

        Re: Quelle Surprise!

        The default's To: in mine.

      3. thondwe

        Re: Quelle Surprise!

        BCC should not be buried in the options - AND should be on any reply all menus AND CC should be limited to say 10 recipients I think some e-mail systems will do that - but the feature is only discovered when some numpty moans to the helpdesk when they can't send to more than the default of 100 users (e.g. mail all students in a year group, rather than post a message on the VLE!)?

        1. JetSetJim Silver badge

          Re: Quelle Surprise!

          If you have a database of people who should not see eachothers emails, a regular email client is not what you should be using

      4. Dr_N Silver badge
        Stop

        Re: Quelle Surprise!

        So are people who write software that looks up any "@<text>" (from the email body) in your contacts and add what it finds to your cc list.

      5. Cuddles Silver badge

        Re: Quelle Surprise!

        "so are the people who write email software that makes CC the default instead of BCC."

        I don't really agree. The problem is that not everyone needs to use email in the same way. Some of us don't ever have any reason to worry about sharing email addresses, so there's no reason to ever use BCC. Others deal with sensitve information and need to use it a lot. There just isn't a single default that is actually appropriate for everyone.

        Perhaps it would be better to err on the side of caution, since a bit of annoyance on my end is not as bad as having people keep accidentally splurging personal data around the place. But a better solution would be to make things more easily configurable. In Outlook, for example, as far as I can tell there is no way to make BCC the default. You can make it slightly more visible, but that's it. It really should be possible to configure your normal use case once, either individually or as a wider policy. BCC shouldn't need to always be the default for everyone, but it should be possible to make it so if that's your normal use.

  2. Anonymous Coward
    Anonymous Coward

    And in other news..

    The takeup of the App is so low that the Gubbermint has laid off 75% of it's so called army of 'Track and Tracers'

    Do the MOD think (and the rest of Whitehall) think that we are numpties?

    Don't answer that...

    1. Will Godfrey Silver badge
      Unhappy

      Re: And in other news..

      Judging by the, err... numpties that crowded out Devon today they would be quite correct in that assumption

    2. Flywheel Silver badge
      Facepalm

      Re: And in other news..

      So in the single brain-cell world of Boris and Chums, they achieved their target of recruiting thousands of T&Ts, but then laid 75% of them off and saved lots of money. That's a double result, eh Minister?

    3. John Brown (no body) Silver badge

      Re: And in other news..

      "The takeup of the App is so low"

      Which app is that? AFAIK, there is no officially released app in the UK for the contact tracers to work with yet.

  3. Barrie Shepherd

    With each revelation this APP is quickly becoming a dead APP - much like the parrot.

    1. Fred Flintstone Gold badge

      It has ceased to be..

      Ironically that reminds me more of the fantastic rib the Not The Nine O'Clock News crew pulled on the Pythons in the days of the "Life of Brian" controversy (which was IMHO indeed as idiotic as a clearly frustrated John Cleese was considering it).

  4. Doctor Syntax Silver badge

    "data from the third party COVID-19 apps"

    What third parties? Do their users know HMG is syphoning off their data? Even if it really is anonymised before it goes to NHSX are non-anonymised copes kept? And what about third party non-COVID-19 apps? This announcement seems to be taking the lid off a huge can of worms.

    1. scrubber
      Big Brother

      No such thing as "anonymised"

      "Even if it really is anonymised"

      It cannot be anonymised and work. Given access to even few data points GCHQ and/or Google could narrow down who the person is to a few hundred in the UK. With access to CCTV they could not only know who you are but track your movements for the past month and predict with a decent success rate where you are going to be next Tuesday at 3pm.

  5. Doctor Syntax Silver badge

    "wrote the National Cyber Security Centre’s technical gros fromage Ian Levy"

    That's the blog that's completely unreadable unless you allow a stack of javascript.

    So if I want to read what they have to say about security I have to disable my browser's security. It might simply be laziness or ineptitude but it's not reassuring. Under those circumstances I wouldn't trust their site so I wouldn't trust the content so I won't bother to read it.

    There seems to be absolutely nothing about this whole track and trace stuff that doesn't have a red flag waving over it.

    1. Anonymous Coward
      Anonymous Coward

      Actually, I have read it and Ian Levy's posts are sensible.

      That said, with all the politician's piling is it is highly unlikely that something sane will come of it.

  6. Marketing Hack Silver badge
    Black Helicopters

    "Ministry of Defence is sanitising it all first."

    Thus guaranteeing that the data from these Covid-19 apps will either be poorly and inadequately sanitized, or a copy of the unsanitized, original data will immediately be sent to the GCHQ/MI5/MI6. These agencies will in turn serve as a data pitstop before that same database moves on to your local constabulary, the NSA and various other of Britain's questionably motivated domestic and international partners.

    1. Arthur the cat Silver badge

      Re: "Ministry of Defence is sanitising it all first."

      You're misunderstanding the use of the verb. That's "sanitising" as in "we sanitised the enemy position with a Predator(*) drone strike".

      (*) Or whatever name they've given it to make it sound nicer. Something like Purring Pussycat drone.

    2. PhilBuk

      Re: "Ministry of Defence is sanitising it all first."

      Don't forget the copy in a USB stick left on the 8:20 from Waterloo.

  7. Jemma Silver badge

    To paraquote Gary and his demons

    "For the love of God, Bubonic Boris, fuck off forever."

    This couldn't be a worse idea, Bluetooth being on permanently, the data being blurted across practically the entire English speaking world and ending up in the hands of the military - yep, that'll end well - anyone else seeing a smartphoneological version of the SA80 story limping and twitching it's sorry hide in our general direction?

    "It's a very detailed map sir, see there's a little virion..."

    Or possibly

    "it's not the only thing that's very small around here, Boris, if a hungry cannibal cracked your head open there wouldn't be enough to cover a small water biscuit"

    Or maybe R&M...

    "Come home to your own extinction, come home to Simple Prick's"

    "Welcome.... To Asshattery Park..."

    1. Mr Humbug

      > nyone else seeing a smartphoneological version of the SA80 story limping and twitching it's sorry hide in our general direction?

      It will be fine once we've asked the Germans to fix it for us, as long as you don't try and hold the phone in your left hand

      1. Jellied Eel Silver badge

        It will be fine once we've asked the Germans to fix it for us, as long as you don't try and hold the phone in your left hand

        They're in the Army now, and left handers have always been a bit sinister..

  8. Anonymous Coward
    Anonymous Coward

    The MOD's 'Behaviorial Science' arm ?

    Is that the 77th Brigade perchance?

    1. Chris G Silver badge

      Re: The MOD's 'Behaviorial Science' arm ?

      The 77th Brigade site is interesting, it describes it's job in trendy modern marketing speak that basically boils down to more or less the same job that a Mr P. J. Goebbels was doing some eighty years ago.

      I wouldn't have trusted him either.

  9. Anonymous Coward
    Anonymous Coward

    Thailand had 1 new case today

    Currently only 90 people are in hospital with Covid 19.

    Quarantine works, demonstrably works, quantitatively works. They had a super-spreader event, a boxing match with 10,000 audience, that spread Corona Virus everywhere. They did the quarantine, hard, kept it going till the end, and now they're reaping the rewards.

    Keep the quarantine going. Reap the rewards.

    One last push and its done. Don't let the underminers undermine a successful working strategy.

    1. Telecide

      Re: Thailand had 1 new case today

      Having been to Thailand during the second half of March and witnessing their approach, it wasn't just quarantining (although it played a big part, including the forced quarantining of incoming visitors showing symptoms in a Bangkok hotel for 14 days, but would the UK allow a Thai-style State of Emergency, with 7pm curfews, etc?). They were also spraying the streets with disinfectant regularly, temperature testing everywhere and taking other measures long before the UK adopted them.

      Conversely, Taiwan (where I was in December) had no lock down like the UK. They were already all over the whole pandemic threat long before it happened (largely because of lessons learned from the 2003 SARS outbreak). They were identifying and publicising cases through an app very quickly, for example. My supplier out there has continued manufacture uninterrupted throughout and can't believe what's going on here. And he thought the Brexit process was a pain in the ass. Now things are embarrassing on a whole new level.

      There seems to be many ways of skinning a cat but unfortunately the UK is still not really sure of what a cat is, or how to deal with it other than "keep them separated" (cue music).

      1. Anonymous Coward
        Anonymous Coward

        Re: Thailand had 1 new case today

        I don't think the street sprays did anything, but they were cheap, so people did them anyway.

        Personally I would rank it:

        1) Masks

        2) No touching other people. No handshakes Boris, sack the people who said that was ok.

        3) No touching surfaces with hands that might end up on your face. Elbows to push lift buttons etc.

        4) Every surface wiped down with disinfectant, everytime, mitigation of 3).

        5) Hand washing is only a fix that fixes up mistakes in 2 & 3 & 4. It is not a primary fix. Do it anyway.

        6) Shoes off outside, don't drag floor contamination into the house. Do 5 after touching shoes.

        7) Spray downs when cases occurred. These were not the girly ones, these were guys in hazmat suits coming into places a case had been confirmed and spraying the crap out of everything in sight.

        8) Distancing, I think this is more a fixup for failures in 1) & 2) but do it anyway even if doing 1 & 2.

        And of course quarantine anyone with it. Quarantine any community that has community spread till you can get it back to contact tracing. The core stuff of containing epidemic.

        And although not part of the protocol, the humidifier + surfactant + water we did in the car. So that when we had to open the window to pay tolls etc. the car had a soapy humid atmosphere in it that any Corona Virus had to traverse.

        As a side note, lung surfactant makers are investigating their product against Covid / ARDS. This inability to clear your lungs of crap they think may be caused by the destroyed lung surfactant cells:

        https://www.oindpnews.com/2020/03/windtree-therapeutics-to-study-its-kl4-surfactant-for-covid-19/

        And Bill & Melinda has been testing it:

        https://www.clinicaltrials.gov/ct2/show/NCT04362059

        "A Clinical Trial of Nebulized Surfactant for the Treatment of Moderate to Severe COVID-19 (COVSurf)"

  10. cantankerous swineherd Silver badge

    help desk to noobs: go away.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020