QUESTIONS have been raised over the privacy of Scotland's contact tracing app as official documents show Amazon has access to "personal information" including phone numbers, infection details and IP addresses.

It comes as privacy campaigners have called for increasing tranparency over the Test and Protect app to maintain public trust saying that Scotland is unable to control aspects of its functions as it partners with big tech firms.

While the Scottish Government says it will never track your identity or location, there  have also been concerns raised that for such apps to work on smartphones with the Android operating system — the most popular in the world — users must first turn on the device location setting, which enables GPS and could allow Google to determine their locations.

More than one million have signed up for the Protect Scotland app - around a quarter of the adult population of the nation.

The Scottish Government insist that individuals privacy "will be protected as it uses Bluetooth technology to anonymously alert users if they have been in close contact with someone who has tested positive for Covid-19 and advises them to self-isolate."

Users of the app who test positive will get a call from a contact tracer to confirm their details and who they have been in close contact with.

They say the app does not store details on an individual or their location but "uses encrypted, anonymised codes exchanged between smartphones to determine all close contacts".

Close contacts are defined as people who have been within two metres of someone who has tested positive for 15 minutes.

READ MORE: Test and Protect Scotland: Here’s what Scots think of new coronavirus tracking app

The Herald on Sunday can reveal that when people agree to the terms and conditions in using the app, they are also automatically agreeing to Amazon Web Services accessing "personal information".

The details are revealed in an associated privacy notice, that reveals that personal information "is shared with the third parties set out below"... including Amazon Web Services.

The Herald:

The document highlights that the "personal information" being a mobile phone number, estimated date of infection, an authorisation code, the IP address, the exposure notification and confirmation of app use will go to the NHS.

Included as a "party with whom personal information is shared" is Amazon Web Services "who host the app" under contract with the NHS.

It also states that none of the information is retained.

The Scottish Government, when told about the privacy notice insists Amazon does not get any personal information which they say is encoded.

"It may say that, but only NHS Education for Scotland has the data anything Amazon is getting is anonymised codes.

The Scottish Government has been asked why, then, the "personal information is shared" disclaimer is required.

The privacy notice links to "how we use your personal information" details which explains the purpose for having that information.

It states: "We will only use your personal information when the law allows us to do so and to the minimum extent possible."

It says mobile phone numbers are used to "send an authorisation code for exposure notifications to be provided to other app users" if an individual receives a positive Covid-19 test result.

But it also states that the app itself does not use your mobile phone number.

The estimated date of infection is used to "identify the relevant time period during which other app users could have been infected" if they were near someone who has received a positive COVID-19 test result. This is likely to be either the test date or the date of first symptoms.

It says the infectious time period is used to identify the relevant "random ID" from the app user’s device who have tested positive, to allow exposure notifications to be provided to those who could be at risk.

The Herald:

The IP address is used to "send information from your phone to the app server to allow exposure notifications to be provided to other app users and to collect metric data".

And exposure notifications are used to "inform you that you have been at risk of contracted the virus and to collect metric data".

A user's confirmation of the use of the app is also used "to collect metric data".

Amazon CloudWatch monitors the use of apps run on Amazon Web Services using metric data. The notice says that after the setup of the app on a device, the IP address is stripped off so the confirmation of use is anonymous.

Privacy campaigners have been concerned that Google's location requirements add to privacy and security concerns with virus-tracing apps.

Government officials and medical experts believe the apps can be a helpful complement to public health efforts to stem the pandemic.

READ MORE: NHS Scotland Test and Protect coronavirus app: What is it and how does it work?

But human rights groups and technologists have warned that aggressive data collection and security flaws in apps across the world put hundreds of millions of people at risk for stalking, scams, identity theft or oppressive government tracking.

Google has said apps using Bluetooth scanning signals to detect smartphones that come into close contact with one another — do not need to know the devices’ locations at all.

But since 2015, Google’s Android system has required users to enable location on their phones to scan for other Bluetooth devices because some apps may use Bluetooth to infer user location.

For instance, some apps use Bluetooth beacons in stores to help marketers understand which aisle a smartphone user may be in.

The concern is that once Android users turn on their location, Google can determine their locations, using Wi-Fi, mobile networks and Bluetooth beacons, through a setting called Google Location Accuracy, and use the data to improve location services.

Google has said that apps that did not have user permission could not gain access to a person’s Android device location.

It says that on Android 10 and earlier, the Exposure Notifications System uses the phone’s location setting and bluetooth but there were ways to manage your privacy.

According to Google it and Apple have "built in safeguards" to ensure that government contact tracing apps built with the Exposure Notifications System cannot infer your location.

The Scottish wing of the Open Rights Group which protects the digital rights of people in the UK including privacy and free speech online, said it was important that Scotland does all it can to produce "clear, transparent information" about their app to "maintain public trust".

That means documentation such as the source code, the Data Protection Impact Assessment, Equality and Human Rights Impact Assessments and clear communication of the principles behind the app should be "seen as a priority".

The Open Rights Group said it understood that these documents are imminent for publication and the reason for their failure to appear at launch was that the app was released faster than expected following a speedy approval from Apple and Google. The Scottish Government said that certain documents were published on Friday.

In an early analysis they had initially believed that there was no usable data available to Amazon, but was concerned that system designs mean that apps continue to run geolocation services.

The group's Scottish director Matthew Rice said: "We have to acknowledge that this app for better and worse is still firmly in the ecosystem of big tech firms and so Scotland is unable to control aspects of this development and the app’s functions.

"While certain factors are out of the control of the Scottish Government, what they can do, they have done well, but they must ensure to give clarity going forward and give all the transparency they can through supporting documents and clear communications to everyone in Scotland."

De-centralised apps have been favoured by privacy campaigners because the matching process takes place on users' smartphones rather on a central computer, providing a greater degree of anonymity.

In an analysis Mr Rice adds: "We have to remember that with this app we are living in the world created by Google and Apple, for better and worse. For better, because the de-centralised operation of the app is a core condition of the operation of the exposure notification – which England learned the hard way.

"And for worse because system design from these providers have been found to continue to run geolocation services for those devices running Android 10 or earlier operating systems.

"It is Google and Apple’s world, Protect Scotland is just operating in it as best as it can.

"Because of this it is vitally important that Scotland does what it can to produce clear transparent information to maintain public trust."

The European Data Protection Board, an independent body whose purpose is to ensure consistent application of the General Data Protection Regulation, set recommendations on clarity in the adoption of proximity tracing apps, which Mr Rice said "the Scottish Government would do well to follow".

These include recommendations that States adopting proximity tracing applications should adopt "meaningful safeguards" including a reference to the voluntary nature of the application, explicit limitations and on the further use of personal data and "clear identification" of the data controller.

"Much of that has been done with the privacy notice and will be clearer still with the DPIA (data protection impact assessment) publication.

The Herald:

"The app is a voluntary undertaking for the population, as it should be. That means relying on the trust of the Scottish public in the standards and governance of the application. "Ultimately we need to see that the app is here not as a permanent fixture in our lives, but as a temporary tool in fighting the spread of coronavirus and like the virus something that will eventually, be shut down and rid from our lives."

Irish company NearForm developed the base technology for the Scottish apps, which uses Bluetooth signals to anonymously alert smartphone users if they have been in close contact with someone who has since tested positive for coronavirus.

A Scottish Government spokesman said: “The Scottish Government takes the privacy of app users incredibly seriously. That is why a deliberate choice was made that Protect Scotland would use the privacy-first ‘decentralised’ Google/Apple Exposure Notification System, and why an ethical framework was adopted for the development of Protect Scotland.

"A number of privacy groups were engaged throughout the development of Protect Scotland, as were the Information Commissioners Office."

It said a "full Data Protection Impact Assessment" has now been published alongside a detailed explanation of how people’s data is used.

It has also made available the source code used to develop the Protect Scotland app.

“Whilst Amazon Web Services(AWS) do process some data, as set out in the Privacy Notice and the DPIA, this is done using an existing NHS Education for Scotland (NES) cloud storage account provided by AWS.

"Only NES control access to this and the data stored in the app backend is entirely anonymised codes. It complies to all NHS Scotland and GDPR data standards, in the same way that all other data that is handled by NHS Scotland and its contracted providers does. Users’ mobile number, test code (and the relevant date) and IP address are not stored by the app and they are not made visible by the app to anyone, including AWS.

“In NearForm and AWS, we are using trusted suppliers used by multiple governments, with all of our work complying with GDPR. We have also carried out a detailed security assessment, with advice from the UK National Cyber Security Centre.

“In addition, apps running on Android devices which use the Exposure Notifications System (ENS) are not permitted to request permission to use your device’s location. Google and Apple have built-in safeguards to ensure that government contact tracing apps built with ENS cannot infer your location.”

The Herald:

Protect.scot's 'how the app works' detail