The European Commission has called for a pan-European approach to contact tracing apps that track the spread of coronavirus across borders. But what form such technology could take has stoked fierce debate in the continent’s privacy community and an intense rivalry between the two leading research groups.
A prominent European tech initiative, the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), is developing technology that can be used to build contact tracing apps that use Bluetooth. The European Commission endorsed PEPP-PT’s framework in its guidelines for member states on adopting coronavirus tracking technology, as an initiative that “intends to support the development of national initiatives that pursue a fully privacy-preserving approach by providing ready-to-use, well-tested, and validated modules and tools”. Today it was reported that Italy plans to roll out an app from tech startup Bending Spoons, part of the PEPP-PT initiative. Another member of PEPP-PT is Christophe Fraser, Professor at the Nuffield Department of Medicine at University of Oxford, who has also been involved with working on the NHSX app in the UK.
However, the group has sparked outcry from Europe’s privacy community over its lack of transparency about the underlying technologies it’s creating. Although the group provides an overview of its app-based technology on its website, it has yet to publish any source code or in-depth technical specifications.
One of its greatest critics is another European project, DP3T, which has been working on a decentralised coronavirus contact tracing solution with an emphasis on privacy. Within this framework, proximity data is not sent to a centralised body for processing and storage but remains on the user’s phone. The two groups had initially been working closely together, and DP3T was mentioned prominently on PEPP-PT’s website. However, this mention was removed on Thursday, and at the same time PEPP-PT stopped communicating with DP3T.
(An older version of the website reads “At PEPP-PT we support centralized and decentralized approaches and each country chooses which is suitable for their legislation. The DP-3T approach is the project currently under review for a decentralized implementation of the crypto part of an end-to-end implementation.”)
Yesterday, Kenneth Paterson, professor in the Institute of Information Security at ETH Zurich, where he leads the Applied Cryptography Group, and a member of the DP3T project, told NS Tech: “The only rational inference I can draw is that PEPP-PT have decided to go for a centralised approach. This opens the gates to privacy hell: it could give governments the ability to build the ‘social graph’ for everyone who downloads the app, i.e. they could trivially figure out who has been in close proximity to whom, and when. To be useful in tracking Covid-19, the apps would have to be taken up by at least 60 per cent of the population (according to a paper published in Science the other week). This all then becomes a wet dream for the security services.”
On Friday morning, a prominent member of the PEPP-PT group, associate professor at EPFL Marcel Salathé, defected to DP3T, writing on Twitter “I am personally disassociating from PEPP-PT. While I do believe strongly in the core ideas (international, privacy-preserving), I can’t stand behind something I don’t know what it stands for. Right now, PEPP-PT is not open enough, and it is not transparent enough.”
“All of a sudden the website was changed without letting us know,” Salathé told NS Tech. “If people want to argue for centralized approaches, they should do that in the open, otherwise who knows who said what?”
So, is PEPP-PT a centralised or decentralised framework? In a press conference held over Zoom on Friday afternoon, it seemed to be a question the group was intent on skirting. Hans-Christian Boos, founder of artificial intelligence company Arago and leader of the PEPP-PT project, prevaricated: “We still like the DP3T protocol; we also like a semi-centralised version,” he said, adding “our opinion is that countries need to be able to choose”.
“On the call, he tried to obfuscate and imply that these approaches were equally private, which is absolutely not true,” says Paterson. It is also unlikely that PEPP-PT can implement centralised and decentralised systems interchangeably. “Otherwise, they’ve magically solved the interoperability problem, where you can operate both systems at once in an app, but I don’t believe that they’ve done that,” adds Paterson.
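To make concrete what Paterson means by the “social graph” and why the two approaches are not equally private, here is an added toy simulation. It is my own illustration, not PEPP-PT’s or DP3T’s code, and it assumes a simplified design: each phone derives unlinkable per-epoch Bluetooth IDs from a secret daily seed with HMAC-SHA256 (a construction chosen for this example), phones log the IDs they hear, and a positive test triggers an upload. In the centralised variant the server can map IDs back to users (modelled here by phones registering their IDs) and receives the infected user’s observations, so it resolves contacts by name; in the decentralised variant the infected user publishes only their own seed and all matching happens on the phone. The names and encounters are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

EPOCHS = range(4)  # constructed: four broadcast intervals in one "day"


def ephemeral_id(seed: bytes, epoch: int) -> bytes:
    """Derive an unlinkable per-epoch broadcast ID from a daily seed.

    HMAC-SHA256 truncated to 16 bytes (assumed construction for this toy):
    without the seed, IDs from different epochs cannot be linked.
    """
    return hmac.new(seed, epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.seed = os.urandom(32)  # never leaves the device unless the user tests positive
        self.observed = []          # (epoch, ephid) pairs heard over Bluetooth

    def beacon(self, epoch: int) -> bytes:
        return ephemeral_id(self.seed, epoch)

    def hear(self, epoch: int, ephid: bytes) -> None:
        self.observed.append((epoch, ephid))


def simulate(phones, encounters):
    """encounters: (epoch, name_a, name_b); each phone records the other's beacon."""
    by_name = {p.name: p for p in phones}
    for epoch, a, b in encounters:
        by_name[a].hear(epoch, by_name[b].beacon(epoch))
        by_name[b].hear(epoch, by_name[a].beacon(epoch))


class CentralServer:
    """Centralised model (assumed design): the server can map broadcast IDs to
    registered users, and an infected user uploads every ID they observed.
    The server resolves each contact by name and accumulates a social graph."""

    def __init__(self):
        self.id_to_user = {}
        self.graph = defaultdict(set)

    def register(self, phone: Phone) -> None:
        for e in EPOCHS:
            self.id_to_user[phone.beacon(e)] = phone.name

    def upload_observations(self, phone: Phone) -> set:
        for _, ephid in phone.observed:
            other = self.id_to_user.get(ephid)
            if other is not None:
                self.graph[phone.name].add(other)
                self.graph[other].add(phone.name)
        return set(self.graph[phone.name])


class BulletinBoard:
    """Decentralised model: an infected user publishes only their own seed.
    The server never receives anyone's observations, so it cannot say who met whom."""

    def __init__(self):
        self.published_seeds = []

    def publish(self, phone: Phone) -> None:
        self.published_seeds.append(phone.seed)


def check_exposure(phone: Phone, board: BulletinBoard) -> set:
    """Runs on the phone: re-derive IDs from published seeds and match locally."""
    exposed_epochs = set()
    for seed in board.published_seeds:
        candidates = {ephemeral_id(seed, e) for e in EPOCHS}
        exposed_epochs.update(ep for ep, ephid in phone.observed if ephid in candidates)
    return exposed_epochs


def run_demo() -> dict:
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    simulate([alice, bob, carol], [(1, "alice", "bob"), (2, "bob", "carol")])

    central = CentralServer()
    for p in (alice, bob, carol):
        central.register(p)
    central.upload_observations(alice)  # alice tests positive and uploads her log
    central.upload_observations(bob)    # bob tests positive later; server now knows all three edges

    board = BulletinBoard()
    board.publish(alice)                # alice tests positive: only her seed goes public

    return {
        "central_graph": {k: sorted(v) for k, v in central.graph.items()},
        "bulletin_contents": len(board.published_seeds),
        "bob_exposed": check_exposure(bob, board),
        "carol_exposed": check_exposure(carol, board),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In the centralised run the server ends up holding the full contact graph (alice–bob, bob–carol) with real identities attached, which is exactly the capability Paterson objects to; in the decentralised run the server stores one opaque seed, Bob’s phone flags epoch 1 and Carol’s phone flags nothing. Real protocols add key rotation schedules, exposure thresholds and upload authorisation that this toy omits, and a centralised design can reduce what the server learns with additional measures, but the structural difference in who can link IDs to people is the point.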
The stage of development the technology is at also makes it difficult to believe the project hadn’t settled on one approach over the other. Discussing timelines for the roll-out of PEPP-PT apps, Boos said: “We have supplied the application builders with the backend; we have supplied them with the sample code; we supplied them with protocols; we supplied them with standards of measurement. We have a working application that simply has no integration into a country’s health system, on Android and on iOS.”
Boos also expressed opposition towards Google and Apple’s collaborative effort to develop decentralised coronavirus contact tracing technology. “From a Pepp perspective, there’s a few points to discuss, because we want implementing choice in terms of model – decentralised or centralised…” he said. He added that Google and Apple were open in the discussions, so “there is no point in getting up in arms yet”. At present, Google and Apple have said that only truly decentralised coronavirus tracking apps will be able to run using Bluetooth in the background on their handsets. Boos suggested that if an agreement couldn’t be reached with the tech giants over the possibility of continuously running centralised apps using Bluetooth, “I’m very sure they’ll have many presidents and many government leaders who will explode in their faces”.
During the press conference, Boos addressed the issue of privacy. “There is a hot discussion in the crypto community about this,” he said, adding “we actually encourage this discussion”, however “we are afraid” because “we’re not talking about crypto here, we’re talking about pandemic management”. He said: “As long as an underlying transport layer can ensure privacy, that’s good enough, because governments can choose whatever they want.”
He said seven governments had said their applications would be built on the principles of PEPP-PT, and added that the project is in conversation with 40 more countries at various stages of onboarding.
Christiane Woopen, executive director of the Cologne Center for Ethics, Rights, Economics, and Social Sciences of Health (CERES) and a member of the PEPP-PT consortium, said “there are no personal data going to the state”, adding that the tech wouldn’t enable governments to grab power that would outlast the crisis. However, PEPP-PT did not respond to a question from NS Tech about the likelihood that any companies might be able to access the data.
PEPP-PT said on the conference call that they would release documentation about their technology and a list of countries they were working with this afternoon, but have not yet done so.
We will update this article as more information is released.
Update (April 18): PEPP-PT didn’t release further documents or protocols on Friday, despite assurances that it would (although, oddly, it seems a PDF was uploaded by the group to Github before being swiftly deleted). A group of MEPs yesterday evening signed a letter addressed to Boos asking him why the group had not so far been transparent on the functioning of the contact tracing apps it’s developing and has not yet released its full protocol.
PEPP-PT replied to a set of questions from NS Tech. In answer to whether the group planned to monetise the project it answered, “PEPP-PT is run as a non-profit. Currently everybody in the project is working pro-bono. We plan to start collecting donations to be able to pay people for their work. We will adopt strict guidelines on donation sources; our model will be the WHO. There is no monetization model at PEPP-PT”.
On the question of whether companies would be able to access the data processed by apps built on the PEPP-PT framework, the group responded, “Any server is operated by someone. This will be different in every country. But we are taking utmost care and will be fully transparent with procedures and code how we prevent operational influence and stealing of data.”
On the question of whether the solution is centralised or decentralised, the group said, “We offer both models – centralised and decentralised as both models have their pros and cons. In the end, each country has to pick which system it needs.” However, given that the group hasn’t released protocols or code, it’s unclear how this would work in practice.
Update (April 21): PEPP-PT uploaded documentation to Github on Sunday. Read more on the story here.