Pan-European group plans cross-border contact-tracing app – and promises GDPR compliance
As India joins the list of nations offering Bluetooth-enabled virus-visit-visualisers
A European consortium based in Switzerland plans to this week launch an opt-in location-detecting app to expedite contact-tracing those who have encountered coronavirus carriers.
The new group, named Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), promises a GDPR-compliant app that sounds a lot like Singapore’s TraceTogether service, but also offers considerable detail on how the service is designed to preserve privacy.
As outlined in an explainer: “All procedures, mechanisms, standards and code at PEPP-PT is continuously monitored by our security team. In parallel national national cyber security agencies and national data protection agencies inspect all of the above line-by-line on a regular basis and sign. We have always asked and continue to motivate security activities to get in touch to review and improve our code or procedures. “
The group has also published a manifesto [PDF] in which it says contact-tracing is essential to avoid economic and social collapse.
“The only possibility to achieving these goals is to track physical proximity interaction and immediately isolate infected cases, and quarantine their contacts,” the manifesto says. “This is the way everybody – relatively short term – can return to almost normal social and economic life.”
While noting the existence of other contact-tracing efforts, the manifesto criticises their privacy approaches and the epidemiological utility of the data they collect.
PEPP-PT wants to do better and has promised it will deliver: “well-tested proximity-tracking technologies; secure data anonymization; trustworthy mechanisms to enable contact between user and health-officials in a data protection conforming environment; APIs that can provide anonymized contact chains as well as risk-scoring to other applications (e.g. for health resource management, private risk management, or the pandemic response systems ).”
“The reference implementation provides building blocks (under an open source license) for creating local CoronaFinder-Applications as well as secure and scalable backend services that can deal with hundreds of millions of registered devices per country.”
The proposed app would therefore use Bluetooth to record proximity with other users. Data generated by those contacts would be encrypted and stored only on a user’s device. Those records are never accessible. However if a user tests positive for coronavirus, they can be sent a one-time code that allows sharing of their proximity history. The group's protocols will work across borders, meaning individual nations can run its offerings but still share data to follow the virus on its travels.
German chancellor Angela Merkel is aware of the app and has said she’ll happily run it on her personal devices. More than 30 businesses and universities have joined the group, which is actively seeking more partners. PEPP-PT plans to share its work with
Other nations, meanwhile, continue to develop their own apps.
As explained in the Indian government’s announcement: “Once installed in a smart phone through an easy and user-friendly process, the app detects other devices with AarogyaSetu installed that come in the proximity of that phone. The app can then calculate the risk of infection based on sophisticated parameters if any of these contacts is tested positive.”
“The App’s design ensures privacy-first. The personal data collected by the App is encrypted using state-of-the-art technology and stays secure on the phone till it is needed for facilitating medical intervention.”
Australian state will install home surveillance hardware to make sure if you're in virus isolation, you stay thereREAD MORE
Digital India, the nation’s digital transformation agency, is the source of the app. The agency has promoted the app extensively, and it has already been downloaded over ten million times since its late Friday launch.
The agency has not, however, revealed the app’s inner workings. Google Play reveals that it has permission to pair with Bluetooth devices and adjust Bluetooth settings, plus full network access and the ability to prevent a device from sleeping. Google also advises that updates to the app could “automatically add additional capabilities” to permission groups already enabled.
Mobile apps that use location services to assist detection of coronavirus carriers, or enforce quarantine, have become quite common even in democracies. Singapore, Taiwan and Hong Kong have adopted the apps, while the UK has cleared legislative pathways to create one of its own. The Australian state of Western Australia has gone even further, giving itself the power to install surveillance kit in the homes of quarantine-absconders. ®