Contact-tracing or contact sport? Defections and accusations emerge among European COVID-chasing app efforts

Debate seems to centre over where data needs to reside to get the job done

European efforts to define a contact-tracing protocol aimed at making it easier for authorities to detect cases of COVID-19 appear to be having a rather vivid disagreement.

One of the efforts is the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) group, a Germany-based effort to develop a contact-tracing protocol. The other is the Decentralized Privacy-Preserving Proximity Tracing protocol, DP-3T, a Switzerland-based effort.

The Register has received correspondence from a DP-3T developer describing PEPP-PT as “a horrible privacy-invasive solution”.

At least two PEPP-PT participants are worried enough about it to have withdrawn from the effort.

Possible reasons for the discomfort, as outlined by cryptography researcher Nadim Kobeissi, are that PEPP-PT is yet to reveal substantial details of its proposed scheme, appears not to have many truly active participants and advocates centralised access to some data.

But a PEPP-PT partner, France’s National Institute for Research in Digital Science and Technology Inria has popped up a brief paper [PDF] that says the whole decentralised distribution of information about who has COVID-19 has more downsides than centralised control of that data in the hands of health authorities. Inria’s even given its plans a new acronym to remember: the ROBust and privacy-presERving proximity Tracing protocol - aka ROBERT.

As The Register reported last week, the European Commission has published a toolbox to inform the development of contact-tracing apps across the bloc. That document [PDF] considers PEPP-PT as a possible model.

A little perspective, too: The Register has read the privacy policy for India’s national contact-tracing app “Aarogya Setu”. That document says the app collects users’ age, gender, phone number, profession and name. It tracks users with GPS and Bluetooth. And while that information is not uploaded to the government until a positive COVID test, “All personal information collected from you … at the time of registration will be retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force.”

Which makes the European fight over this stuff quite pleasing in some ways! ®

Biting the hand that feeds IT © 1998–2020