European researchers are raising alarms over the direction of contact tracing in the EU amid concerns countries such as France and Germany could choose a centralized system that puts personal privacy at risk.
The group of academics, organizations and companies helping develop the underlying technology for a number of EU nations, known as the European Privacy-Preserving Proximity Tracing (PEPP-PT) consortium, faced a wave of criticism over the weekend from researchers.
Prestigious research universities such as ETH Zurich, the Swiss Federal Institute of Technology Lausanne (EPFL) and KU Leuven, among others – which had formed the Decentralized Privacy-Preserving Proximity Tracing (DP3T) initiative – pulled out of the consortium over what they called a lack of transparency and commitment to offering a decentralized contact tracing solution.
See also: Decentralized Protocol Removed From EU Contact Tracing Website Without Notice
“We left because we can’t be part of an organization that is not transparent on how decisions are made, on their design and on their code,” Carmela Troncoso, a tenure-track assistant professor at the Swiss Federal Institute of Technology Lausanne who was helping lead negotiations around the DP3T proposal within the consortium, told CoinDesk in a direct message.
Contact tracing is the process by which health authorities track the spread of viruses, identifying who has been in contact with infected individuals and should therefore be quarantined. Countries are executing this process through location tracking of cell phones, facial recognition, digital health passes that restrict movement and Bluetooth proximity tracing.
Google and Apple have announced a plan to update their mobile operating systems to allow Bluetooth tracing. That project has been criticized on privacy grounds for leaving out many people who don’t have the right type of smartphones and for being unworkable in the absence of widespread testing. A lack of testing would hamper any contact tracing method because it would be difficult to tell who was actually sick, given that many COVID-19 carriers are asymptomatic. At that point, it’s less contact tracing than simply tracing.
The PEPP-PT was convened to offer privacy-respecting proposals that would align with the newly instituted General Data Protection Regulation (GDPR), which ensures greater privacy and data protection for EU citizens than is currently enforced in the U.S.
The departures come after the PEPP-PT removed any mention of the decentralized protocol proposal DP3T from its website on Thursday, causing confusion and frustration among the DP3T team, who were not told beforehand.
In response to a request for comment, the PEPP-PT said this was bad communication on its part and it deeply regretted any offense.
In an email sent Friday evening to Hans-Christian Boos, one of the heads of PEPP-PT, Kenneth Paterson, who is a professor at the Applied Cryptography Group at the ETH Zurich Computer Science Department and is working on DP3T, asked that he “remove all mention of ETH Zurich and the ETH Zurich logo from the PEPP-PT website and from all other materials associated with PEPP-PT forthwith.”
See also: For Contact Tracing to Work, Americans Will Have to Trust Google and Apple
In the same email Paterson said ETH Zurich’s goals seem to be better aligned with the DP3T initiative.
“Today’s sequence of events left my confidence in PEPP-PT badly shaken. PEPP-PT promised a release of documents today. They released a single one, for five minutes. This has gone beyond a joke and descended into farce,” Paterson told CoinDesk in an email Friday evening.
Paterson is referencing a short PDF that was uploaded briefly to PEPP-PT’s GitHub but then removed.
Multiple cryptographers who reviewed the PDF said they couldn’t comment on the privacy or security protections because the document was so vague, with one likening it to the first draft of a college freshman’s essay written shortly before deadline.
The next day, PEPP-PT released a full slate of documents and a more detailed version of its protocol.
“Countries and their app developers should be able to choose an option that best fits their pandemic management needs. All models offered or under discussion by PEPP-PT are privacy enforcing,” said a PEPP-PT public relations official when CoinDesk asked whether an alternative to the decentralized method had been decided upon.
The official said the PEPP-PT system has many components and countries will have decentralized and centralized data transfer models for their app developers to choose from.
Critics have long said a centralized approach could be abused, even as multiple countries have said they plan to build apps on the PEPP-PT protocol.
“We now have a lot of governments interacting,” PEPP-PT’s Boos told journalists on a call Friday, according to TechCrunch. “Some governments are publicly declaring that their local applications will be built on top of the principles of PEPP-PT and also the various protocols supplied inside this initiative.”
In Bluetooth contact tracing, devices that come close to each other share pseudonymized IDs. The difference between a centralized and decentralized approach amounts to where that data is stored – on the trusted server of a government or state health organization or locally on a person’s device, with a server only relaying the information when needed.
In a centralized scenario, users are expected to trust that any state or security agency would not abuse information stored on a server. To privacy advocates, laws like GDPR are not enough for a sensitive national system. They want privacy by design. A decentralized approach means a government agency couldn’t abuse that trust even if it wanted to because there would be no centralized repository of data.
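As an added illustration, not code from PEPP-PT, DP3T or this article, the following Python toy model contrasts the two storage models just described. In the decentralized variant each phone derives its own rotating ephemeral IDs from a daily key (the HMAC construction and the epoch count are assumptions), keeps what it hears locally, and matches on the device against keys published only for users who report a positive test; in the centralized variant the server issues the pseudonyms and keeps the table linking them to users, so a report hands it the reporter’s contact graph.

```python
import hashlib
import hmac
import secrets

def derive_ephids(daily_key: bytes, epochs: int = 4) -> list:
    """Assumed construction: EphID_i = HMAC-SHA256(daily_key, i), truncated.
    Only a holder of daily_key can recompute (and thus link) these IDs."""
    return [hmac.new(daily_key, i.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
            for i in range(epochs)]

class Device:
    """A phone in the decentralized model: keys and observations never leave it."""
    def __init__(self, name: str):
        self.name = name
        self.daily_key = secrets.token_bytes(32)
        self.ephids = derive_ephids(self.daily_key)
        self.observed = set()          # EphIDs heard over Bluetooth, stored locally

    def encounter(self, other: "Device", epoch: int) -> None:
        # Both phones broadcast their EphID for this epoch and record what they hear
        self.observed.add(other.ephids[epoch])
        other.observed.add(self.ephids[epoch])

def decentralized_publish(diagnosed: list) -> list:
    """All the server ever holds: daily keys of users who reported a positive test."""
    return [d.daily_key for d in diagnosed]

def local_exposure_check(device: Device, published_keys: list) -> bool:
    """Matching runs on the phone; the server never learns who met whom."""
    return any(device.observed & set(derive_ephids(k)) for k in published_keys)

class CentralServer:
    """Centralized model: the server issues pseudonyms and keeps the linking table."""
    def __init__(self):
        self.pseudonym_to_user = {}    # pseudonym -> user record, linked at setup
        self.contact_graph = []        # (reporter, contact) pairs the server can see

    def enroll(self, user: str) -> bytes:
        p = secrets.token_bytes(16)
        self.pseudonym_to_user[p] = user
        return p

    def report(self, reporter: str, observed_pseudonyms: set) -> list:
        # Uploading observed pseudonyms lets the server resolve them to identities
        found = [self.pseudonym_to_user[p] for p in observed_pseudonyms]
        self.contact_graph += [(reporter, c) for c in found]
        return found
```

The constructed scenario in the check below has Alice meet Bob but not Carol; after Alice reports, only Bob’s phone flags an exposure, while the centralized server ends up holding the (alice, bob) edge itself.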
See also: Europe Debates COVID-19 Contact Tracing That Respects Privacy
“The server generates the pseudonyms at the setup phase, sends them to the client over transport layer security, and permanently stores them on the server in a relational database linked to the user’s info,” said a cryptographer, Nadim Kobeissi, who runs applied cryptography consultancy firm Symbolic Software, after reviewing the PEPP-PT’s protocol documentation.
“How can that possibly ever be privacy preserving? I mean, why even bother building a set of measures around that if that’s how you’re starting off? Why begin with such a mountain of a handicap?”
INRIA, the French national research institute for the digital sciences and a founding member of PEPP-PT, is working on a centralized approach, which it published on GitHub over the weekend. It argues that the centralized vs. decentralized debate is “misleading” and that a “fully decentralized” approach is not realistic for proximity tracing.
Advocates of a centralized approach say privacy can be protected under such a model, and that data can be better analyzed and lead to better epidemiological models.
But Monday morning, a group of over 300 academics from more than 25 countries published a joint statement recommending decentralized approaches be adopted when it comes to contact tracing applications.
James Larus, Dean of the School of Computer and Communications Science at the Swiss Federal Institute of Technology Lausanne, who helped craft the statement, said it clearly refers to the PEPP-PT proposal and the slight variant issued by INRIA (ROBERT), “both of which are centralized proposals that require a high degree of trust in the centralized server, with the clear potential for ‘mission creep’ where the system gets repurposed for surveillance.”
Such systems can “catastrophically hamper trust in and acceptance of such an application by society at large” and thereby harm the effectiveness of any COVID-19 app, which is dependent on how many people use it.
“People have to believe they’re not going to be losing their privacy,” said Larus. “It’s voluntary to use these apps. We’re not focusing on decentralization just because on principle we think it would be better to have this privacy-preserving app. It’s really that we need to be able to convince the general public.”