Phantom “exposure notifications” sent out by the NHS Covid-19 tracing app have distressed users who have installed it on their iOS and Android devices. Alerts informing possible exposure to a COVID-19 case appear on users’ phones, but tapping on these notifications only makes them disappear – and opening the app itself displays no information related to the alert.
Apple and Google still have not fixed the glitch. Currently, the app has over 16 million downloads in England and Wales.
National Health Service (NHS) officials claim the notifications are not a cause for concern, as these are “default messages” that indicate the app is “on and working.” An FAQ page on the NHS website tackling the issue said these “default notifications” cannot be turned off and informed that important messages will always be visible from inside the app.
The Department of Health and Social Care (DHSC) pointed its fingers at Apple and Google for the phantom notifications, claiming that these are designed “to alert the user that the app and API are sharing information” following MailOnline’s scrutiny on the matter. “NHS Covid-19 app users only need to self-isolate if they get a notification directly from the app advising them to do,” DHSC said in a statement.
Furthermore, the DHSC said users should only self-isolate when this message shows up: “The app has detected that you have been in contact with someone who has coronavirus. Please stay at home and self-isolate to keep yourself and others safe.”
Meanwhile, Apple and Google declined to comment on the issue.
The NHS Covid-19 app used in England and Wales was based on Apple and Google’s free software blueprint. Other countries, including Scotland and Northern Ireland, used the tech giants’ blueprint and encountered the same problems with their respective coronavirus tracking apps.
The Protect Scotland app also had the same ghost notification problem, albeit only limited to iOS devices. The app’s “How it Works” page outlined: “Users with Apple devices may receive weekly notifications referring to COVID-19 exposure logging. These messages are auto-generated by Apple iOS and do not form any part of operation of the Protect Scotland app.” The page noted that these notifications were “not a close contact alert” and did not call for one to self-isolate.
The Northern Ireland Department of Health told MailOnline the phantom notifications also plagued its StopCOVID NI tracking app. However, a spokesperson said the notifications were no longer an “active problem” as the app has been updated.
More than 1.4 million people have downloaded the Protect Scotland app, while more than 400,000 people have installed the StopCOVID NI app on their mobile phones.
Some users took to social media to criticize the phantom notifications over the confusion they caused. In one instance, a user had received several notifications that prompted them to self-isolate for 14 days out of caution but found the NHS FAQ page after 48 hours later. Had they not found the page, it could have led to a pointless quarantine period.
Two cybersecurity experts have warned about the risk of phantom notifications plaguing the coronavirus tracking apps.
ESET cybersecurity specialist Jake Moore told MailOnline that unreliable notifications would prompt users to “disbelieve any future genuine notification, resulting in a disruption of the real use of the app.” Moore believed the notifications were “test alerts” to check various iOS and Android devices, but it may be hard to find the actual reason for the glitches in the apps as the developers refuse to comment on the matter.
KnowBe4 security awareness advocate Javvad Malik emphasized the importance of considering user experience, especially with notifications. “When apps or software provide too many notifications … then users will very likely ignore them. Similarly, notifications shouldn’t alarm people, especially when it comes to sensitive issues like exposure to COVID-19,” he said.
Phantom notifications are just the tip of the iceberg as issues have appeared in other tracking apps worldwide.
Singapore’s TraceTogether app caused headaches as it drained phone batteries and often required restarting the mobile phone. South Korea’s Sel-Quarantine Safety Protection app had major security flaws that potentially compromised user data. Australia’s COVIDSafe app had a security bug outside attackers could exploit if they come within the mobile phone’s Bluetooth range.