Researchers in Europe Condemn Centralized COVID-19 Tracking Approach
Two camps have emerged within the open-source COVID-19 tracking space in Europe. One solution, DP-3T, offers privacy-preserving benefits for citizens and is backed by over 300 scientists around the world. The other, PEPP-PT, is centralized and risks being repurposed for commercial uses or worse.
- Open-source researchers are working to create a privacy-preserving COVID-19 tracking protocol.
- Two camps have emerged representing centralized and decentralized approaches to the same issue.
- The centralized approach has been condemned by the research community after failing to provide credible documentation.
Share this article
As nations throughout Europe wrestle with how to contain the spread of COVID-19, several research units have been developing tracking solutions to help detect ill citizens. Not all of these solutions, however, offer equitable privacy measures for users.
One offering could even spell the end of privacy rights for Europeans.
Top Researchers Condemn PEPP-PT
The Pan-European Privacy-Preserving Proximity Tracing Initiative (PEPP-PT) was announced on Apr. 1, 2020.
Researchers in Europe were assembled to develop software that would notify citizens if they had been in contact with someone who had tested positive for COVID-19. If detected, users would be advised that they should quarantine themselves.
Phone apps could then be built on top of this software and leverage devices’ Bluetooth signals. Researchers call it contact tracing and it is the same method that Google and Apple will use in their tracking solution.
It is distinct from facial recognition software or so-called digital COVID-19 “immunity passports.” More importantly, it is much more challenging to repurpose certain Bluetooth-based contact tracing solutions for commercial purposes or mass surveillance.
Concerns over repurposing such software are at the heart of an emerging controversy within the European open-source research community.
One of the core tenets of the PEPP-PT had included mention of another protocol called DP-3T.
In short, DP-3T offers many of the same tracking benefits plus decentralization. Data would be stored locally on the users’ device rather than in a central server or cloud. The Google and Apple COVID-19 tracking solution closely resembles DP-3T too.
This benefit is two-fold.
In the first, a decentralized tracking protocol is far more secure from digital piracy. Though malicious agents could access some data, the prize would only be limited to a few users. A centralized server that stores a continent’s worth of citizen’s movements, for instance, is far more attractive for hackers.
Secondly, a decentralized solution would have limited applications once COVID-19 has run its course, and tracking technologies are no longer needed. The primary threat of a centralized solution is that of repurposing valuable data for reasons beyond curbing a viral illness.
It is for these two reasons that researchers have championed a decentralized approach. They claim that this method is safer and more ethical.
On Apr. 16, 2020, PEPP-PT had, however, removed any earlier mention of using DP-3T.
Meanwhile, PEPP-PT had already earned the attention of various governments and sizeable European research institutes, like Fraunhofer and Inria. Critically, there has been little in the way of transparency as to how PEPP-PT and relevant research groups are progressing.
#DP3T entered as a candidate to so-called PEPP-PT in good faith, but it is now clear that powerful actors pushing centralised databases of Bluetooth contact tracing do not, and will not, act in good faith.
PEPP-PT is a Trojan horse.
— Michael Veale (@mikarv) April 16, 2020
Though discussions are actively populating DP-3T’s GitHub page and source code, PEPP-PT has done little to demonstrate a similar level of transparency. On Apr. 17, 2020, the project did publish a PDF document outlining its COVID-19 tracking solution on GitHub, only to remove it shortly after.
Nadim Kobeissi, a cryptographer and former Inria researcher, mirrored a copy of the “hastily written” proposal on his blog.
In an interview with Crypto Briefing, Kobeissi described the document as a “freshman-level attempt” at a safe tracking protocol. Further, the document does not appear to fall in line with Europe’s GDPR mandate.
The concerns around PEPP-PT’s proposed COVID-19 solution, the opacity of the project thus far, and the high stakes have led many members of the initiative to drop support. Logos from the Swiss Federal Institute of Technology Lausanne (EPFL), KU Leuven, ETH Zürich, and others have all been removed from the PEPP-PT site.
ETH Zurich yesterday notified PEPP-PT that it is withdrawing from the PEPP-PT consortium with immediate effect. Our relentless focus from now on is #DP3T.
— kennyog (@kennyog) April 18, 2020
Dr. Kenneth Paterson, a lead cryptographer at ETH Zürich, told Crypto Briefing that the institution “kindly withdrew” due to the centralization concerns. Paterson said:
“The centralized solution poses two key problems. It neglects data minimization, which means that the only data collected would be that which is needed for the application. It also fails to acknowledge the potential for repurposing.”
On Apr. 17., the European Parliament also voted in favor of a decentralized COVID-19 tracking approach that minimized data collection.
Today, Paterson followed this up with a joint statement from roughly 300 researchers across 25 countries that condemns protocols that fail to uphold user privacy and security.
The document concludes that all of the researchers represented will also be fully committed to developing ethical COVID-19 tracking services.
Crypto Briefing has reached out to Hans-Christian Boos for commentary on PEPP-PT. He has not yet responded at the time of press.