Wide-ranging security flaws have been discovered in the coronavirus contact-tracing app being piloted in the Isle of Wight. The security researchers involved have warned the problems pose risks to users’ privacy and could be abused to prevent contagion alerts being sent. GCHQ’s National Cyber Security Centre (NCSC) has acknowledged the issues, promising to fix some and review others. But the researchers suggest a more fundamental rethink is required. Specifically, they call for new legal protections to prevent officials using the data for purposes other than identifying those at risk of being infected, or holding on to it indefinitely.