The UK’s contact-tracing mobile phone app includes code that could allow authorities access to a user’s detailed location data and to send information to Microsoft Corp and Alphabet Inc’s Google, according to an initial technical analysis carried out by Privacy International.

Like governments around the world, the UK is developing a voluntary mobile app that uses Bluetooth technology to trace possible infections of the coronavirus, alerting users when they may have been near someone infectious. Authorities say the tools will help track and contain any resurgent outbreaks of the virus once lockdown measures lift.

But the UK’s app, which rolled out for trial on the Isle of Wight on May 7, has faced questions from privacy experts who say its system gathers too much information about users.

The NHS says on its website "it will not be able to track an individual’s location”, but the app includes mandatory permission requests to collect both GPS and network-based location information, according to Christopher Weatherhead, a technology lead at Privacy International, which carried out analysis on both Android and iOS versions of the app.

The permissions are necessary for the Bluetooth technology to function, the privacy group said, adding that it didn’t believe the app was currently using location data. But the researchers expressed concern this could easily change with future software updates given the permission would have already be granted.

"This would mean additional, very accurate data about the users’ location could be collected without additional consent,” Weatherhead said in a report obtained by Bloomberg.

Representatives for the NHS, Google and Microsoft didn’t immediately respond to a request for comment.

The NHS granted Privacy International early access to the app, whose researchers used an internal version of an app-auditing platform called Exodus Privacy and other tools to carry out an initial analysis. It said it still plans to do more in-depth testing of the app.

The group’s findings show the app also includes code for Google Firebase Analytics and Microsoft Appcenter Analytics trackers, which collect data about the user. Based on an initial analysis, the app sends Microsoft data about a user’s interaction on the app, though not the actual content, Weatherhead said, adding the extent of the information sent to the companies is still unclear.

Privacy International also said its cursory testing suggests that only those with modern smartphones will be able to run the app, likely excluding those who can only afford cheaper devices. Researchers have said a majority of the population needs to download a contact-tracing app for authorities to successfully map the virus.

The UK’s app has been built for the NHS by VMware Pivotal Labs, a software development consultancy that’s part of VMware Inc. Several other organisations are actively helping the NHS to develop and test the app.

 - Bloomberg