List of trusted third parties

[marksteward]

Hope it's OK to create this because it's getting hard to keep track of. None of these will be new to managing health data but might be soft spots.

Apps:

• Google Firebase (registration, notifications)
• Cloudflare (API proxy, sees IP addresses)
• Microsoft AppCenter (analytics)
• Microsoft Azure (CR)
• AWS/Azure (Cloudfoundry prod API)
• AWS/Azure (proposed web application/notification UI)
• Github (source, workflows)
• Zuhlke Engineering Ltd (app)

Websites:

• Google Analytics (on static pages)
• Microsoft powerBI (FAQ, support)
• Microsoft Azure (static assets)
• Amazon (Cloudfront/S3)

Gaps in knowledge:

• dev/staging environments
• CI/github runners
• app publishing (is this all internal?)

[marksteward]

These are used in the workflows: https://github.com/fleskesvor/create-release/tree/feature/support-target-commitish https://github.com/c-hive/gha-remove-artifacts/tree/v1

[jayaddison]

Perhaps it's worth including the third-parties that host application build-time dependencies in here too?

From what I've seen so far:

Android: build.gradle references a Maven repository hosted at https://plugins.gradle.org iOS: Package.resolved references a git repository hosted at https://github.com/apple

(there may be others build dependencies listed elsewhere; I'm not really much of a smartphone app developer)

Android appears to be built via a Dockerfile (and there's a similar publish action Dockerfile, too). I'm less familiar with iOS.

[timb-machine]

@jayaddison, see issue #18. I need to go through the current code base mind, the initial list was taken from unpacking the APK.

[jayaddison]

Thanks @timb-machine - it was a slightly asinine/pedantic distinction for me to make; there are the packaged dependencies themselves (i.e. the BoM you reference) and then there's where those dependencies are retrieved from at build time (which could be considered a trusted third-party, depending on whether build-time and run-time are considered separately)

[timb-machine]

See https://github.com/timb-machine/nhsx-contact-tracing-app/blob/0620089be79f036db7d68e33f7a3b299ac61ca57/advocacy/nhsx-briefing/KA-01030.

[marksteward]

Saving a click:

The NHS is leading the development of the NHS COVID-19 app. We’ve engaged a range of experts in designing the app. Members of the development team include product managers, product designers, and software developers who work for VMware Pivotal Labs; software developers from Zuhlke; and user researchers, content writers, and interaction designers from the NHS Business Services Authority. As the Government’s lead technical authority on cyber security, the National Cyber Security Centre has also supported in an advisory role.

We’ve been consulting on our plans with the Information Commissioner and the Centre for Data Ethics and Innovation, as well as with representatives from Understanding Patient Data and volunteers who provided a patient and public perspective. We set up an ethics advisory board for the app which includes members of the National Data Guardian’s Panel and is chaired by Professor Sir Jonathan Montgomery from University College London who previously headed the Nuffield Council on Bioethics.