European efforts to define a contact-tracing protocol aimed at making it easier for authorities to detect cases of COVID-19 appear to be having a rather vivid disagreement.
One of the efforts is the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) group, a Germany-based effort to develop a contact-tracing protocol. The other is the Decentralized Privacy-Preserving Proximity Tracing protocol, DP-3T, a Switzerland-based effort.
The Register has received correspondence from a DP-3T developer describing PEPP-PT as “a horrible privacy-invasive solution”.
At least two PEPP-PT participants are worried enough about it to have withdrawn from the effort.
CISPA has withdrawn from PEPP-PT. We will continue our work on #DP3T, a decentralised, open source framework for contact tracing based on privacy by design #CoronaApp.— Cas Cremers (@CasCremers) April 18, 2020
DP-3T alphas are public for testing and feedback.https://t.co/TCyUfa9b0i
I am personally disassociating from PEPP-PT. While I do believe strongly in the core ideas (international, privacy-preserving), I can't stand behind something I don't know what it stands for. Right now, PEPP-PT is not open enough, and it is not transparent enough. 1/3— Marcel Salathé (@marcelsalathe) April 17, 2020
Possible reasons for the discomfort, as outlined by cryptography researcher Nadim Kobeissi, are that PEPP-PT is yet to reveal substantial details of its proposed scheme, appears not to have many truly active participants and advocates centralised access to some data.
But a PEPP-PT partner, France’s National Institute for Research in Digital Science and Technology Inria has popped up a brief paper [PDF] that says the whole decentralised distribution of information about who has COVID-19 has more downsides than centralised control of that data in the hands of health authorities. Inria’s even given its plans a new acronym to remember: the ROBust and privacy-presERving proximity Tracing protocol - aka ROBERT.
As The Register reported last week, the European Commission has published a toolbox to inform the development of contact-tracing apps across the bloc. That document [PDF] considers PEPP-PT as a possible model.
Which makes the European fight over this stuff quite pleasing in some ways! ®