A stark schism in the approach towards coronavirus contact-tracing apps is continuing to divide Europe. On one side of the divide is a consortium of academics and business stakeholders converging under the PEPP-PT (Pan-European Privacy-Preserving Proximity Tracing) umbrella. This group has created a so-called “privacy preserving” Covid-19 contact-tracing solution, that is currently being implemented by German and Italian governments. One of its members, Christophe Fraser, Professor at the Nuffield Department of Medicine at University of Oxford, is also involved with the development of the UK government’s NHSX app.
On the other side of the divide is DP-3T, a group of privacy-minded academics that has developed an entirely decentralised solution to coronavirus contact-tracing that retains data on handsets, rather than sending it to a centralised database run by, for example, a country’s health service. This is the main point of contention between the groups: centralisation vs decentralisation.
Also on team decentralise are Apple and Google. The two companies are partnering on the development of a decentralised system for contact-tracing. Even more instructively, the companies have said that only truly decentralised apps will be able to run continuously using bluetooth on Apple and Android handsets, meaning that for centralised apps to be able to run continuously, a phone would need to be left unlocked at all times.
Sign up to Emerging Threats, our weekly cyber security newsletter
PEPP-PT attracted criticism last week about its lack of transparency, and has even started to haemorrhage support because of it. Last week, associate professor at EPFL Marcel Salathé resigned from the initiative, and was quickly followed by research institutes KU Leuven, EPFL, ETH Zürich, and CISPA. All have defected to DP-3T. On Friday, during a press conference where PEPP-PT shared more details about the initiative, the group said it would publish further documentation on the technologies it was producing that day.
Yesterday, it published a set of documentation on Github on the “data protection and information security architecture” for the German implementation of PEPP-PT, which they have named NTK. The app works by using a smartphone’s Bluetooth Low Energy (BLE) feature to track the proximity of other phones. If an app user enters a diagnosis of Covid-19, the app runs through the phone’s list of contacts from the past three weeks, and assesses for each a “risk score” based on the degree and duration of proximity, as well as other population level epidemiological factors. To those deemed at risk, a push notification informs them of the need to self-isolate.
In terms of privacy, the app assigns each handset a persistent identifier (PUID) that is used to create ephemeral IDs (EBIDs) for the handset that change periodically. These are created by encrypting the PUID with a global broadcast key that is renewed periodically. After four weeks, the key is deleted. It’s the ephemeral EBIDs that are broadcast by the phone, and the EBIDs of other phones in close proximity that are recorded. Once a patient is diagnosed, with the patient’s consent and authorisation from a health authority, the app uploads all the EBIDs recorded over the prior three weeks to the server, along with time of contact, Bluetooth metadata and some other information. The backend server then uses the global broadcast keys to decrypt the EBIDs, revealing the PUID (and therefore the pseudonymised identity) of all the devices that were close to the infected person in the specified date range.
The DP-3T group were quick to publish a security and privacy analysis of PEPP-PT’s paper. The analysis notes a couple of major divergences in how the two systems operate. Most notably, on DP-3T, the risk calculation is performed on the app user’s handset, rather than by the server, meaning the data doesn’t need to leave the user’s phone. In terms of privacy concerns, DP-3T highlighted the potential for function creep and the learning of a user’s social graph of users in the NTK protocol.
DP-3T’s analysis asserts that because the backend user creates the ephemeral identifiers, the backend server can link any past or future identifier (EBID) with the permanent identifier (PUID). This means the backend server can identify any specific, pseudonymous individual. With a small amount of additional data – the group uses the example of CCTV footage or smart travel card data – the individual’s identity could be revealed. The group suggests that this means there is a high potential for function creep, and the transformation of a coronavirus contact-tracing tool into a surveillance tool. The paper even states that given a target EBID (e.g. one collected by law enforcement or at a passport control point), a specific user’s movements could be traced without access to the backend database.
The analysis also argues that the centralised design of NTK allows the the backend to learn the entire contact graph of an infected individual, as well as encounters between non-infected individuals. It argues that this contravenes the data minimisation principle of GDPR as the backend server has access to more information than it needs. It also points out that individuals in rich social graphs can be easily de-anonymised. The paper points to a recent study which finds that knowing a mere 1 per cent of the network around individuals would mean observing 46 per cent of all communications, and the ability to de-anonymise a large proportion of the population.
At a practical level, the group also pointed out that if Apple and Google stand firm on not allowing centralised apps to run in the background, the app would require peoples’ phones to be left unlocked at all times – thus leaving all the phone’s data insecure.
PEPP-PT’s paper doesn’t address the last concern, but with regards to former points, it seems to shrug them off as “out of scope adversarial models”. It notes that a malicious backend admin could “decrypt EBIDs”. However it would not necessarily have access to the “additional non-public information that could be used to de-anonymize pseudonyms”. The paper says that in any case this scenario is considered out of scope because it would apparently be detected immediately and break several contracts and laws.
The paper also admits that state level adversaries could de-anonymise users, but also rules this out as a possibility given that it would apparently “require several legal entities to collaborate in an unlawful manner” and “implies that existing social and legal norms are abrogated”. (However, it notes that paranoid users can change their pseudonym at any time by re-installing the app to evade the possibility of this kind of state surveillance).
Despite PEPP-PT’s assurances that these scenarios would be “out of scope”, a leaked UK government memo that discussed potentially giving ministers the ability to de-anonymise users of the NHSX contact-tracing app makes this seem not entirely far fetched. (The UK government denies this was ever on the table.)
Following the publishing of the privacy analysis of PEPP-PT, this afternoon nearly 300 leading academics signed an open letter warning that centralised contact-tracing apps are unnecessary, as well as more vulnerable to being “repurposed to enable unwarranted discrimination and surveillance”.