galadran | 5 years ago
They use Bluetooth identifiers that last for 24 hours, which breaks Wifi/Bluetooth MAC rotation and allows 3rd parties to track users.
They require a connection to be established between each pair of devices and need to ping the same device again and again to check you are still in proximity. That's going to be a lot of wakeups for each person you come into contact with.
They broadcast a country code in plaintext, so any international deployment would reveal the probable nationality of nearby users.
It requires NCSC / the NHS to hold a master key which they can use to reveal the identifier of any individual using the system. I think that poses a real risk of mission creep, where they start using contact tracing data for criminal investigations etc.
They also make a number of misleading claims about the decentralised solutions being deployed by Estonia, Germany, Switzerland, etc:
Claim 1: Decentralised systems without authenticated diagnosis reports can't manage malicious notifications. This is true, but all the proposed decentralised systems use authenticated diagnosis reports. Interestingly, it's totally unclear how they plan to manage "anonymous" unauthenticated reports in their centralised systems. How do you distinguish between a supermarket worker or a nurse visiting homes who came into contact with a lot of people and a relay attack? Surely any centralised post-hoc verification is going to be highly invasive to individual privacy?
Claim 2: Decentralised systems introduce delays in the reporting of symptoms. This just isn't true.
Claim 3: Second Order Contact Tracing isn't possible in a decentralised system. Again, just not true. It is actually easier in a decentralised system than in a centralised one, where it carries much more difficult privacy trade-offs.