Concerns are growing over the privacy implications of a major scheme to develop COVID-19 contact-tracing apps in Europe and beyond.
The program in question—called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT)—provides technology that governments can use to build national coronavirus contact-tracing apps. Backed by a number of prominent European research institutions and academics, PEPP-PT is inspired by similar efforts in countries such as Singapore, and has a strong focus on the values Europe holds dear, particularly privacy.
Instead of recording people’s locations, the idea is to harness the Bluetooth functionality in smartphones to establish whether the user has come into contact with someone who subsequently tested positive for the coronavirus. The user can then be warned, so they can go into quarantine, without exposing their identity or movements to the government or companies.
In theory, the widespread use of such apps could replace the broad, indiscriminate lockdowns that are laying waste to economies around the world, while still respecting privacy rights. PEPP-PT claims to have seven governments already signed up to use its technology, with 40 more waiting in the wings.
But many technologists doubt PEPP-PT’s technology will be as privacy-preserving as the name suggests.
High-profile cybersecurity experts have in recent days walked away from the project, including those from respected European institutions such as the Swiss Federal Institute of Technology in Lausanne (EPFL) and the Catholic University of Leuven (KU Leuven) in Belgium.
I am personally disassociating from PEPP-PT. While I do believe strongly in the core ideas (international, privacy-preserving), I can't stand behind something I don't know what it stands for. Right now, PEPP-PT is not open enough, and it is not transparent enough. 1/3
— Marcel Salathé (@marcelsalathe) April 17, 2020
They, and around 300 more global experts in their field, on Monday issued a joint statement saying the Bluetooth-based approach to contact-tracing was, from a privacy standpoint, vastly preferable to tracking people’s location through technologies such as GPS—but some versions of the approach could still enable “a form of government or private sector surveillance that would catastrophically hamper trust in and acceptance of such an application by society at large.”
The letter did not mention PEPP-PT by name—it is one of several contact-tracing app development efforts that are underway around the world—but the identities of some signatories made it clear that PEPP-PT was a target.
The core debate here is one of centralization versus decentralization. Will there be a centrally controlled database recording each occasion where the app’s users come into proximity with one another, and centralized servers pushing out notifications to the phones of those who may be at risk? Or will all the matching be done within the app on the users’ phones, with the central server acting only as a blind conduit between the devices?
Those who are turning against PEPP-PT heavily favor the latter, decentralized approach—as, for that matter, do Apple and Google, which earlier this month announced deep iOS and Android operating-system access for those building contact-tracing apps.
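The two designs contrasted above, as a simplified sketch added here (not code from PEPP-PT, DP-3T, Apple or Google): it shows what each kind of server ends up knowing after one diagnosed user reports. The HMAC-based identifier derivation, the class names and the Alice/Bob/Carol scenario are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def ephemeral_ids(day_key, per_day=4):
    # Assumed derivation (HMAC-SHA256, 16-byte IDs); not either project's actual scheme.
    return [hmac.new(day_key, b"ephid-%d" % i, hashlib.sha256).digest()[:16]
            for i in range(per_day)]

class Phone:
    def __init__(self):
        self.day_key = os.urandom(32)  # generated on the device
        self.heard = set()             # IDs seen over Bluetooth, stored locally
    def broadcast(self, slot=0):
        return ephemeral_ids(self.day_key)[slot]
    def at_risk(self, published_keys):
        # Decentralized matching: re-derive IDs from published keys on the phone.
        return any(e in self.heard for k in published_keys for e in ephemeral_ids(k))

class BlindServer:
    """Decentralized: relays keys that diagnosed users upload; sees no contacts."""
    def __init__(self):
        self.published = []
    def upload(self, day_key):
        self.published.append(day_key)

class CentralServer:
    """Centralized: issues the IDs, so it can resolve any uploaded contact log."""
    def __init__(self):
        self.owner = {}        # ephemeral ID -> user it was issued to
        self.contacts = set()  # (diagnosed user, person they met)
    def issue(self, user):
        eph = os.urandom(16)
        self.owner[eph] = user
        return eph
    def report(self, diagnosed, heard):
        self.contacts |= {(diagnosed, self.owner[e]) for e in heard if e in self.owner}
        return self.contacts

def demo():
    # Constructed scenario: Alice and Bob meet, Carol meets nobody, Alice tests positive.
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.heard.add(alice.broadcast())
    blind, central = BlindServer(), CentralServer()
    blind.upload(alice.day_key)  # decentralized: only Alice's key leaves her phone
    graph = central.report("alice", {central.issue("bob")})  # centralized: log is resolved
    return bob.at_risk(blind.published), carol.at_risk(blind.published), graph
```

In the decentralized run the server holds one opaque key and Bob's phone works out the exposure itself; in the centralized run the server holds a named pair linking Alice to Bob.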
“It is vital that, in coming out of the current crisis, we do not create a tool that enables large-scale data collection on the population, either now or at a later time,” Monday’s joint letter read. “Thus, solutions which allow reconstructing invasive information about the population should be rejected without further discussion.”
Michael Veale, a digital rights lecturer at University College London, is one of those who have in the past week been loudly criticizing PEPP-PT over its management of anonymity and the fact that it has not opened up its code for inspection by others. Like others who have walked away from PEPP-PT, he is helping build a system called Decentralized Privacy-Preserving Proximity Tracing (DP-3T).
#DP3T entered as a candidate to so-called PEPP-PT in good faith, but it is now clear that powerful actors pushing centralised databases of Bluetooth contact tracing do not, and will not, act in good faith.
PEPP-PT is a Trojan horse.
— Michael Veale (@mikarv) April 16, 2020
“The centralized PEPP-PT allows a huge scope of function creep,” Veale told Fortune Monday. “The central server provides individuals’ identities, so there is no guarantee they are, and continue to be, random. Different groups can be ‘tagged’ to emit signals that they cannot spot, but third parties, such as law enforcement, might. In PEPP-PT, they assume that the central database only has fundamental rights at its heart. This is, frankly, a huge and technologically unnecessary risk for democratic societies and liberties.”
DP-3T was not originally intended to be a rival to PEPP-PT—indeed, the PEPP-PT team maintains that DP-3T and its decentralized approach remain a technical option for governments that are implementing PEPP-PT in their contact-tracing apps.
“We still like the DP-3T protocol,” said Hans-Christian Boos, CEO of German A.I. firm Arago and the founder of the PEPP-PT project, at a Friday virtual press conference that was partly aimed at addressing the emerging schism. “We also like a semi-centralized version. Our opinion is that countries need to be able to choose.”
According to Veale, two or three governments—he declined to specify which—are now on track to use DP-3T rather than PEPP-PT in their contact-tracing apps.
“The vision of PEPP-PT initially was as a forum to discuss shared issues, to ensure that systems can work across borders, and to challenge each other’s cryptographic ideas,” Veale said. “But it became what looks more like a vehicle for a narrow set of dogmatic interests, and there is a danger of an entity like DP-3T being attached to that, when we don’t know what we’re being attached to.”
At Friday’s press conference, PEPP-PT member Christophe Fraser—the senior group leader in pathogen dynamics at the University of Oxford’s Big Data Institute—said that for contact-tracing apps to work as intended, they need to be installed by at least 60% of the populace.
So, could the divergence in efforts hinder that level of uptake? Veale said it would not be a problem, as it was a matter of governments choosing which approach to take in their apps—not to have competing apps within any given country.
“The only way to get 60% voluntarily is if people have maximal trust in the system,” he said.
This is far from an obscure debate, because—as everyone involved seems to agree—viable contact-tracing apps will be a necessity. “There aren’t that many choices,” Fraser said Friday. “In front of a resurgent epidemic, the only other way out really is repeated and economically devastating lockdowns.”
But people would do well to keep an eye on what kind of contact-tracing system their governments are deploying.