Coming out of my contact tracing app-free weekend to note that the privacy impact assessment has been published. It says the app doesn’t have trackers in it. Except we found it does.
I told them four weeks ago that we’d do this analysis. I told the ethics board only an idiot would include a third party tracker in an app vying for the trust of 60m people and we weren’t expecting to find any. And yet here we are.
We can’t afford default measures of data exploitation in these urgent times. We all deserve better.
The PIA later says that Microsoft will get data. And Google Firebase is also used. So why the promise at the front that this won’t be the case?
Here’s the mention of Microsoft getting data but avoiding the term ‘tracker’.
And all the other services used. To be clear, listing this is good practice.
Page 18 has a list of how they do metrics.
And to be clear it matches what we initially found: that postcode was entered and a session ID.
Language, timing, and transparency matter. In the details they explain themselves but only in a PIA, published after the start of the trials. Be clear to users — not just DP experts who read PIAs.
When the story of this affair is written, only an amateur would paint it as a ‘privacy vs pandemic’ narrative. Rather, it’s small failure after small failure amounting to a rise of confusion and to a loss of public trust.
Ok so unlike all the good people in the NHS, including those working around the clock, including at NHSX, I’m going back to my weekend, and trying to avoid all this app stuff because it just makes me angry.
You can follow @GusHosein.