Europe publishes draft rules for coronavirus contact-tracing app development, on a relaxed schedule

No phone numbers needed – but you’ll need Notifications and Bluetooth on all the time

The European Commission (EC) has published a document describing how it thinks member nations can best build a contact-tracing smartphone app to fight the COVID-19 pandemic.

Such apps have been adopted by Singapore and India. The UK, USA and Australia have all suggested they’ll soon follow suit. Apple and Google have weighed in, saying they’ll tune their mobile operating systems to help the apps operate, a crucial step as current apps use Bluetooth yet smartphones don’t allow the wireless protocol to operate constantly.

The apps are controversial as their explicit purpose is collecting data about users and then sharing it. But they’re also seen as a tool that will make it possible to loosen lockdowns because, by tracing encounters that lead to infections, they have the potential to make it possible to understand who needs to be in isolation and who can roam more freely.

Enter the EC with a 44-page guide to what such apps should do, how they should do it and when they might be deployed.

The document thinks such apps can do their job without recording users’ phone numbers. Instead, it suggests that apps broadcast “a temporary anonymous ID that permits establishing contact with other app users in proximity.” Apps will record that anonymous ID and, if any user that has been in proximity tests positive to coronavirus and consents to having their data shared, other devices that have hoovered up the anonymous ID will receive a notification. The document suggests users could optionally enter other contact data if they’d like more than a notification in case they receive worrying news.

The EC is not in a screaming rush. Its suggested timeframe is to stage bi-weekly meetings that, some time in May, deliver a security recommendation and, in June, deliver data-sharing standards that help authorities to plan exit strategies.

There’s also a list of safeguards the EC believes the apps must include, namely:

  • App should be deactivated automatically and all remaining personal data and proximity data should be erased, as soon as the crisis is over.
  • App should be consent-based with full information of intended processing of data
  • Location data is not necessary nor recommended for the purpose of contact tracing apps, as their goal is not to follow the movements of individuals or to enforce prescriptions. Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimisation and would create major security and privacy issues.
  • The app should ensure that no user knows the identity of any infected persons or of close contacts of infected persons
  • In order to enhance privacy and security, proximity data (close contacts) should be stored only on the device, and be deleted after the epidemiologically relevant period as recommended by ECDC (14-16 days). Only after a user has been confirmed infected, the proximity data of that user may be uploaded to the central server and/or the competent health authorities, depending on the system chosen by the Member State.
  • The ephemeral IDs transmitted between devices via BLE should be generated pseudorandomly and changed periodically. They should neither allow any user to identify the user of the specific device nor to associate multiple signals to the same device.
  • Pseudonyms should have no relation to long-lived personally identifiable information (PII).
  • The app should encrypt data as much as possible in order to enhance security and privacy
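
A minimal sketch of the ephemeral-ID safeguards listed above, added here as an illustration and not taken from the EC document or any deployed app. The HMAC derivation, 15-minute rotation, per-day random keys, the `Device` class and the choice to publish an infected user's own day keys are all assumptions; the document only asks for pseudorandom, periodically changing IDs, on-device storage and deletion after 14-16 days.

```python
import hashlib
import hmac
import secrets

DAY = 86400
EPOCH_SECONDS = 15 * 60   # assumed rotation interval ("changed periodically")
RETENTION_DAYS = 14       # lower bound of the 14-16 day period cited from ECDC

def derive_id(day_key, epoch):
    # 16-byte broadcast ID: without day_key, two IDs cannot be tied to one device
    return hmac.new(day_key, epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:16]

class Device:
    def __init__(self):
        self.day_keys = {}  # day number -> random key, unrelated to any PII
        self.heard = []     # (timestamp, ephemeral ID) seen over BLE, kept on device

    def ephemeral_id(self, now):
        # A fresh random key per day, so IDs from different days are unlinkable too
        key = self.day_keys.setdefault(now // DAY, secrets.token_bytes(32))
        return derive_id(key, (now % DAY) // EPOCH_SECONDS)

    def observe(self, now, eph_id):
        self.heard.append((now, eph_id))

    def purge(self, now):
        # Drop everything older than the epidemiologically relevant period
        cutoff = now - RETENTION_DAYS * DAY
        self.heard = [(t, e) for t, e in self.heard if t >= cutoff]
        self.day_keys = {d: k for d, k in self.day_keys.items() if (d + 1) * DAY > cutoff}

    def keys_to_publish(self, now):
        # Called only after a confirmed positive test and with the user's consent
        self.purge(now)
        return dict(self.day_keys)

    def exposed(self, published_keys):
        # Matching runs locally: re-derive the published IDs, compare with what was heard
        epochs = range(DAY // EPOCH_SECONDS)
        candidates = {derive_id(k, e) for k in published_keys.values() for e in epochs}
        return any(e in candidates for _, e in self.heard)

if __name__ == "__main__":
    now = 20 * DAY + 3600                 # constructed timestamp
    alice, bob = Device(), Device()
    bob.observe(now, alice.ephemeral_id(now))
    print("bob notified:", bob.exposed(alice.keys_to_publish(now + DAY)))
```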

There’s also a call for independent review of the apps by technical experts, open-sourcing the apps, and a fair bit of commentary about such software being a complement to manual contact-tracing. The document also cites an Oxford study that suggests 60 percent of a national population will need to adopt the app for it to be effective.

The document is sufficiently prolix and careful to be almost a cliché of the European approach to administration! However, it is also as comprehensive a statement of the potential pitfalls and requirements as your humble hack has yet seen on the subject. I suspect it will be more than influential in coming weeks.

One last thing: the document suggests that while Apple and Google have made a splash with their announcement of plans to assist contact-tracing apps, it appears that the precise details of what they’ll offer are hard to divine. The Register suggests this as the first item on the EC’s to-do list is “seek clarifications on the solution proposed by Google and Apple with regard to contact tracing functionality on Android and iOS in order to ensure that their initiative is compatible with the EU common approach.” ®

Biting the hand that feeds IT © 1998–2022