
Interesting... could that mean the focus of the NHSX app is the central authorities "assessing the network" to develop epidemiological models, rather than providing a notification service to users that doesn't give out false positives?

There's fear of people trolling this service by maliciously marking themselves positive, potentially forcing others to self-isolate repeatedly, perhaps without pay.




Read the NCSC paper on the design. Malicious attacks by both trolls and APTs are considered and accounted for. It's an incredibly interesting design.

I wouldn't say it's better/worse than Apple/Google, but it did have the advantage of not building policy into the design. If the A/G policy is wrong/not enough, the whole thing delivers little value.


You're right in your assessment of the risk of trolling etc. There is a model already in place, but it's worth noting that it's got quite an interesting design.

In the "Google/Apple" decentralised approach, someone who is infected submits a list of their own historical identifiers, and this is broadcast to everyone to check against their own observation list.

All you can really do is, on the client side, count up the number of occurrences of "infected" identifiers, and trip a client-side threshold for "after X contact instances, alert the user". You could get fancy and make X tweakable by the health service via that routine check-in for a new infected person list.

This is basically calculating the risk to someone.

The issue with this approach is that you have to create a public(ish) "infected" register. And even if it's not officially public, it takes 2 minutes to extract the API keys needed to fetch it, and a further 2 minutes to write and post a cron script to check the list into a git repo hourly.

In the NHS approach, there's no big "infected list" you can look at, or publicise. If you spend time with someone, you can't get an identifier that will let you (forever more) determine if they test positive from the "infected list". This raises the privacy for someone who is infected. While some may think "well, I am not infected, they can lose privacy", the system only works if people feel willing to report symptoms or infection without repercussions. So privacy of the infected is important!

Since the "upload" you make if infected or experiencing symptoms is of a list of other users you (the suspected infected person) saw, this makes it possible to look at the "risk from" aspect of infection - the hypothesis is that you can give advice to the potentially exposed users, based on their risk from you. And that can include how many infected people you were exposed to.

When someone has symptoms and is told to isolate, some people they were in contact with might be told to as well. The NHS app approach will survey them regularly (daily?) about symptoms. This data is fed back in to determine, based on those you might have infected, whether you actually have the virus. When you have a meaningful sample, and none have symptoms after a certain date, this allows you to let people out of self-isolation sooner, at least in theory.

The final point that is relevant is that the NHS believes it is essential to gather "self reports" for an app to work - if we assume an approx. 5 day mean/median incubation period, and if the research suggesting someone is most infective a day or two before symptoms is true, this means at the first sign of symptoms, you need to isolate someone and those they may have infected. Waiting for a test + result would mean you're potentially leaving people in the community, unaware, at their "most infectious" day or two.

Clearly there are risks of "Sybil" attacks. But as per the NCSC paper, there's been quite a bit of thought put into this design. More than I think many realise.
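Added example, not part of any comment in this thread and not code from either app: a simplified Python model of the two data flows the comment above contrasts, showing what each side has to see in order to compute a risk. All identifiers, user names and the `owner_of` lookup (standing in for a central server's ability to resolve identifiers it issued) are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: short strings stand in for rotating identifiers.
ALICE_OBSERVED = ["b1", "b2", "c1", "b3", "d1"]  # what Alice's phone heard
BOB_OWN_IDS = ["b1", "b2", "b3"]                 # Bob's own historical identifiers
BOB_OBSERVED = ["a1", "a2", "c2"]                # what Bob's phone heard
DAVE_OBSERVED = ["a1"]                           # what Dave's phone heard
# Assumption: the central server can map an identifier back to a user.
OWNER_OF = {"a1": "alice", "a2": "alice", "c2": "carol"}


def decentralised_match(published_infected, observed, threshold):
    """Client-side check against the broadcast 'infected' list.

    Every client receives published_infected, so the matching identifiers
    (and therefore which past contact reported) are visible to the client.
    """
    infected = set(published_infected)
    hits = [i for i in observed if i in infected]
    return len(hits) >= threshold, hits


def centralised_risk(uploads, owner_of, threshold):
    """Server-side check: each upload is the list of identifiers a reporter saw.

    Returns {user: number_of_reporters_they_were_exposed_to} for users at or
    above the threshold. Nothing is broadcast; only these users are notified.
    """
    exposed_to = Counter()
    for seen in uploads:
        # Count each reporter once per user, however many contacts occurred.
        for user in {owner_of[i] for i in seen if i in owner_of}:
            exposed_to[user] += 1
    return {u: n for u, n in exposed_to.items() if n >= threshold}


if __name__ == "__main__":
    # Decentralised: Bob reports, his identifiers are sent to everyone.
    print(decentralised_match(BOB_OWN_IDS, ALICE_OBSERVED, threshold=3))
    # Centralised: Bob and Dave report, the server sees who they met.
    print(centralised_risk([BOB_OBSERVED, DAVE_OBSERVED], OWNER_OF, threshold=2))
```

In the first call the client itself learns which of its observed identifiers were reported; in the second, that knowledge stays with the server, which is the trade-off the comment describes.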



