EU coronavirus-tracing app suffers setback
April 23, 2020As the COVID-19 crisis rages, governments around the world are pinning much of their hopes on virus-tracking technologies aimed at identifying potential spreaders of the disease and interrupting chains of new infections.
So far, however, many European health authorities are still largely dependent on traditional means of communication, such as telephone, email and even postal letters, although digital means have already proven to be far superior in fighting the spreading virus.
Early adopters of the technology have been South Korea, Singapore and — first and foremost — China, where a government-mandated smartphone app is said to have contributed to bringing local outbreaks of new infections quickly under control.
But the tracking tools used in the Asian countries are a far cry from what European populations and governments expect in terms of protecting the privacy of data, and the public is alarmed by reports that technology that could be used for dystopian snooping on citizens during and after the pandemic.
Since early March, IT specialist and German government adviser Chris Boos has been grappling with the question of whether contact tracing of virus carriers can be done while maintaining strict EU privacy rules, asking himself repeatedly: "Is this possible only in the way the Chinese did it?"
PEPP technology
From the very beginning, Boos has been joined in his thoughts by Thomas Wiegand, the head of the Heinrich-Hertz-Institute for Telecommunication (HHI), which is part of the German Fraunhofer science organization.
The German government supported their efforts, and a few days later a project known as the Pan European Privacy-Protecting Proximity Tracing (PEPP-PT) was born.
The project includes about 130 scientists from all over Europe, who are working to develop a digital technology capable of tracing infections with mobile phone applications. The PEPP-PT protocol is intended to use proximity-tracking Bluetooth technology to map contacts between infected individuals anonymously and without identifying their physical locations.
"PEPP-PT is not limited to Europe, but can be used worldwide," Boos told DW, adding it had always been the designers' goal to make the protocol available for other countries. "PEPP-PT is a basic technological standard that only requires adaptation to the needs of local health authorities."
The key element of the protocol is that the design entails local processing of contact tracing on the user's device, regardless of what type of smartphone and individual apps are being used. There's no requirement for pseudonymized IDs to be centralized, where the pooled data would pose a privacy risk.
'Mission creep'
The German government and science community was originally planning to launch the new standard as early as mid-April, after the Easter holidays. But Health Minister Jens Spahn said on April 17 that the rollout would have to be pushed back by three to four weeks "for it [PEPP-PT] to be really good."
The delay is widely seen as a result of widening splits within the PEPP-PT consortium over how the EU's sweeping data protection laws can best be preserved in view of the needs of epidemiologists seeking to track infections.
Some project participants, including the Helmholtz Center for Information Security (CISPA), have withdrawn their support, while about 280 scientists from more than 25 countries published an open letter urging governments not to abuse PEPP-PT by spying on their people.
"We are concerned that some 'solutions' to the crisis may, via mission creep, result in systems which would allow unprecedented surveillance of society at large," they wrote.
The details of their criticism are highly technical but revolve around whether sensitive data would be kept safely on devices or stored on a central server in a way that might allow a bad actor to reconstruct the record of where and when a given person has met other people.
Centralized vs. decentralized data storage
While PEPP-PT officials said they were committed to guaranteeing the privacy of users and data protection at all times, the critics are questioning the assertion after it became known that the governments of Germany and France would prefer centralized data pots.
The rift is threatening to split Europe after Spain and Switzerland announced they would now back a decentralized contact-tracing protocol called DP-3T pioneered by Swiss researchers and aligned with a technology alliance between Apple and Alphabet's Google.
"I very much regret the dispute, and find it utterly irresponsible," says Boos. "It's not the job of tech experts to tell governments how to manage the pandemic epidemiologically. Our job is to provide viable solutions that work across platforms," he told DW.
Julian Teicke even says a "war of faith" has broken out between the two camps as they are "no longer talking to each other." The CEO of Berlin insurance tech firm WeFox is involved in a German-based coronavirus app-tracing project called GesundGemeinsam (Healthy Together), which wants to use the PEPP-PT standard.
"Any app has to be loved by the users, and we know how to design such a platform," he told DW, adding the launch of his own app was depending on a government decision, which unfortunately was still pending.
Two elephants in the room
At the moment, US tech giants Google and Apple are also waiting in the wings for the PEPP-PT protocol to launch. Both have said they are collaborating with the project consortium to ensure the technology works safely on their systems.
The companies said they'd prefer decentralized storage of data on smartphones over centralized data pots. The critical scientists as well as the EU Parliament have welcomed the respective company announcements, but Boos still disagrees.
"I think Google and Apple should also allow freedom of choice [between centralized and decentralized storage]," he says, as he saw "positive signs" for this during talks held recently. Boos argues it's crucial for epidemiologists to base their modeling of the pandemic on "centrally available data."
The view is echoed by Julian Teicke, who says that storing data on individual smartphones only isn't decentralized at all. "Basically it says that Google and Apple will be the only players having access to individual ID identities…giving those companies even more power."
The way forward
Precious time has already been lost over the privacy dispute in Europe, and more may be consumed as two different systems would have to be made compatible with each other.
The confusion it has created may also lead to potential users being more reluctant to voluntarily download any contact-tracing apps out of fear for their private data. That would be a major blow to all virus-fighting efforts, says Boos.
"The more people use a tracking app, the less sweeping the measures like social distancing and lockdowns would have to be," he's convinced. Although he still believes in a contact-tracing standard that meets European privacy rules, he's warning about the failure to do so.
"There is a danger that at one point there might be someone coming up and saying 'why aren't we following the Chinese example because it's working, and let's stop all this talk about privacy.'"
Such a development, he adds, would be as much a catastrophe as Europe's failure to eventually agree on a viable contact-tracing technology.