Apple, Google and the UK Department for Health have still not fixed a glitch in the NHS Covid-19 app, which is resulting in thousands of users receiving phantom ‘exposure notifications’.
The alerts have been popping up on both iOS and Android devices since last week, with the title: ‘Possible COVID-19 exposure’, ‘COVID-19 EXPOSURE LOGGING’ or ‘COVID-19 Exposure Notifications’.
The notifications appear to be triggered by the NHS Covid-19 app, but tapping on the notification causes it to disappear, and when you open the app itself there is no reference to the alert.
Despite being highly disconcerting, the NHS claims the notifications do not indicate that you have been in close contact with someone who has tested positive for the coronavirus.
Instead, it claims, they are ‘default messages’ from Google and Apple that are ‘just to remind you that the functionality is on and working’.
Apple and Google have so far neglected to explain why the notifications are appearing, and what triggers them.
The only official guidance comes from an obscure FAQ sheet on the NHS website, which also explains that the notifications cannot be turned off.
Reports of the issue have flooded social media, with many decrying the worrying feature.
So far, the NHS COVID-19 app has been downloaded more than 16 million times in England and Wales.
Pictured, one of the phantom notifications which was received by an iOS user earlier today. Despite being highly disconcerting, the notifications do not indicate you have been in close contact with someone who has tested positive for the coronavirus
Apple and Google have so far neglected to explain why they are still happening and what triggers them, despite the issue being first reported last week. App users can not turn off the alerts
When MailOnline asked the Department of Health and Social Care about the feature, it blamed Apple and Google for the phantom notifications, claiming they are designed to alert the user that the app and API are sharing information.
It added that any important messages from the NHS COVID-19 app will always be visible when you open the app.
‘NHS Covid-19 app users only need to self-isolate if they get a notification directly from the app advising them to do so,’ DHSC said in a statement to MailOnline.
Apple and Google both declined to comment on the issue.
The NHS COVID-19 app is based on the software blueprint laid out for free by Apple and Google, which is also used by Covid apps in dozens of countries around the world, including those of Scotland and Northern Ireland.
The ‘Protect Scotland’ app is also susceptible to the ghost notifications, according to a ‘How It Works’ sheet, but only for Apple devices.
‘Apps users with Apple devices may receive weekly notifications referring to COVID-19 Exposure Logging,’ it reads.
‘These messages are autogenerated by Apple iOS and do not form any part of operation of the Protect Scotland app.
‘They are not a close contact alert and do not require you to self-isolate.’
Northern Ireland’s Department of Health told MailOnline that the phantom notifications was an issue that plagued the country’s app, called StopCOVID NI.
However, this is no longer an ‘active problem’ as the app has been updated to run on the most recent API, a spokesperson told MailOnline.
Currently, more than 1.4million people have downloaded the Scottish app and more than 400,000 have the Northern Irish app, called StopCOVID NI.
The ‘Protect Scotland’ app is also susceptible to the ghost notifications, according to a ‘ How It Works ‘ sheet, but only for Apple devices. It looks like this image, according to the official website
Despite these claims, it is clear that the so-called ‘default notifications’ are causing a huge amount of confusion among app users.
One anonymous source told MailOnline that they had received several of the phantom notifications, but had no further contact from either the Government’s track and trace system or the app itself.
Out of an abundance of caution, the Android user decided to self-isolate to ensure they would not spread the virus.
It was not until 48 hours later that the user found the NHS FAQ sheet online, and realised this was unnecessary.
Had this not happened, it could have led to two weeks of pointless quarantine.
Jake Moore, cybersecurity specialist at ESET told MailOnline that unreliable notifications are at risk of following the same path as the fable of ‘The Boy Who Cried Wolf’.
‘If the device receives too many false positives, the owner will soon disbelieve any future genuine notification, resulting in a disruption of the real use of the app,’ he said.
‘Causing unnecessary self-isolation could potentially increase the cost to the government, too.
‘It is possible that the notifications within the app are test alerts to check response times, or other factors surrounding the devices, but without comment from the app developers, it may be difficult to know the full reason behind it.’
Reports of the issues have flooded social media over the last week, with many decrying the worrying feature
Sophie Barley voiced her displeasure at the app’s misleading notifications. ‘I do wish this Covid-19 app would stop sending ‘Possible Covid Exposure’ notifications and then not saying anything else. I am dramatic and paranoid enough as it is’
Users are voicing their frustration that the notifications pop up but when clicked on simply vanish, with no explanation offered
Twitter is littered with people having similar experiences.
Rosie Hedger tweeted that she had received a false alarm notification from the app.
Sophie Barley echoed this sentiment: ‘I do wish this Covid-19 app would stop sending “Possible Covid Exposure” notifications and then not saying anything else. I am dramatic and paranoid enough as it is.’
Javvad Malik, security awareness advocate at KnowBe4, a cybersecurity firm, said: ‘It’s important for tech developers to take into consideration the user experience.
‘This is especially true for notifications. We see that when apps or software provide too many notifications, or the notifications all look the same, then users will very likely ignore them.
‘Similarly, notifications shouldn’t unnecessarily alarm people, especially when it comes to sensitive issues like exposure to COVID-19.’
Officials abandoned the NHS’s attempt at making its own app in June when they realised it didn’t work on iPhones
According to DHSC, a true notification will read: ‘The app has detected that you have been in contact with someone who has coronavirus. Please stay at home and self-isolate to keep yourself and others safe.’
Messages from the NHS COVID-19 app will not ‘disappear’ when you click them, and you will be able to see the advice for you within the app when you open it.
The app has been besieged with issues since its conception at the very start of lockdown.
Matt Hancock initially hailed it as the single biggest tool in the fight against Covid-19, and the NHS began building its own version.
The original NHS app was earmarked for release in mid-May but was scrapped due to a number of flaws, including draining batteries and spotting just four per cent of contacts on iPhones.
After a disastrous trial on the Isle of Wight, the NHSX app was abandoned in June at a cost of £12million.
After an embarrassing U-turn and adopting the Google and Apple version, Matt Hancock has repeatedly deflected blame for the inability to launch an app.
Apple and Google has recently announced a separate system for regions that do not have the resources to develop a full blown app.
This system, called Exposure Notifications Express, will not require health authorities to build their own app, and it is hoped this simplified version will encourage uptake of track-and-trace protocols.
Public Health Authorities will have to authorise the system before it goes live in a specific region, and the tech giants say it is designed to work in conjunction with, not replace, existing track-and-trace apps.
The NHS Test and Trace app will tell people their local area risk level (left) and will warn people if they have been in contact with someone who tests positive or if they report symptoms themselves (right)
How the NHS Covid-19 app works and the reasons behind some of its flaws
The NHS contact tracing coronavirus app , called NHS Covid-19, is based on a piece of software, an API, built by tech giants Apple and Google, who came together in an unprecedented alliance at the start of the pandemic.
It works via Bluetooth, which is fitted to almost every smartphone in the world, and involves a notification system to alert people if they have been in close proximity with someone diagnosed with Covid-19.
Apple and Google let the NHS determine what it deems to be suitable exposure for a a person to be considered at risk for infection.
The NHS set the limit as within 2m for 15 minutes.
However, Apple and Google have openly said the app is not perfect, due to the fact Bluetooth is being used for something it was never designed for.
Therefore, phones with the app installed can struggle to tell exactly how far away another device is.
Although the threshold is set at 2 metres, it emerged in early trials that people as far away as 4m were told thought by the technology to be less than 2m away.
Officials say that about 30 per cent of people told to self-isolate may have been more than two metres away from a positive case.
However, they claim most of these cases will be at a distance of 2.1m or 2.2 m, with 4m being a rarity.
Apple and Google have been aware of this issue since the inception of the project and have recently revealed they have used hundreds of different devices to help calibrate the system.
It is claimed the NHS app is more accurate than other contact tracing apps around the world which also use the Apple and Google API.
All the technology for the app is done in the phone itself, and no external servers are used, helping protect user data.
No location or personal data is sent to Apple, Google or the NHS and all interactions between phones are anonymous.
The randomised and untraceable links are only stored for two weeks on the phone itself before being permanently deleted.
A person can also choose to wipe their data clean, either in the app’s settings or by deleting the app.
In a conference call this week, representatives from both Google and Apple said the app is not intended to replace manual tracing, but to enhance it.
They added that, in the tests done in-house during development, 30 per cent of the exposure notifications that were triggered were not picked up by manual contact tracing.
For a person to receive am infection notification via the app, both they and the infected person must both have had the app at the time of their interaction.
During this interaction, on a bus for example, the phones acknowledge the device has met the 2m/15 min criteria.
The devices then automatically exchange anonymous ‘keys’ with each other via Bluetooth. The keys randomise and change approximately every 15 minutes.
If a person then receives a positive test, they receive a unique PIN from the NHS and input this in the app.
Once they have done this, all the anonymised keys from the phone of the infected person are added to a cloud database.
Every app is constantly checking in with the same cloud database to see is any of the ‘keys’ it has come into contact with match the keys of positive tests.
If a person’s phone finds a match, that person then receives a notification informing them they have been exposed and may be infected.
The app then provides that person with detailed information from the NHS on the next steps.
The mobile data needed for the app to work is being allowed free of charge in the UK by network carriers and it is believed the app has negligible impact on battery life.