Digital tracing, privacy and trust: the New Normalcy in Europe

Technology against a pandemic

In the wake of earlier developments in some Asian countries, the idea of adopting contact tracing technology to curb the spread of the coronavirus in Europe became known to the public. At the end of March, the model-based study of a research group led by Professor Christophe Fraser, Big Data Institute at Oxford University, contributed to strengthen this possibility. Researchers came to the conclusion that “the epidemic can be stopped if contact tracing is sufficiently fast, sufficiently efficient and happens at scale”. In particular, Christophe Fraser stated that “our models show we can stop the epidemic if approximately 60% of the population use the app, and even with lower numbers of app users, we still estimate a reduction in the number of coronavirus cases and deaths.”

In the European context – where privacy has to be guaranteed and protected by default – after an initial focus on data location, the attention converged on Bluetooth. A technology suitable to exchange information between different devices via a low range radio frequency, Bluetooth is used to emit and detect unidirectional signals (beacons) that could be used to determine close proximity between users carrying mobile devices (smartphones). This system does not require the use of GPS and, in principle, it can protect people’s privacy by relying on anonymous tracing of contacts. It seemed a quite good choice. At stake was the key outstanding issue to choose between two technical architectures for data storage and matching: a centralized system and a decentralized one. What is the difference, in a nutshell? In the centralized approach, data is collected into a single national “centre”, while in the decentralized approach each device stores data within it. Also, where does the matching between data from different users take place? Both systems use a backend server to exchange information. A debate involving developers, governments, privacy experts and epidemiologists heated up.

At the beginning of April, the European Commission officially took the floor on the topic and in Press Release called for a common coordinated approach among all Member States for the development of a useful technology to counter the spread of the virus, in full respect of the EU data protection standards.

In the same days, the first European cross-border initiative in the scenario of ‘tracing applications’ development was officially launched, the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT). Created to assist national initiatives by supplying “ready-to-use”, well-tested, and properly assessed mechanisms and standards, as well as support for interoperability, outreach, and operation when needed, the PEPP-PT consortium initially involved 8 European countries and about 130 researchers.

Very quickly, a team of researchers led by Professor Carmela Troncoso published the Decentralized Privacy-Preserving Proximity Tracing protocol proposal (DP-3T), involving a decentralized data collection, based on a close collaboration between computer scientists and epidemiologists. The reference to the DP-3T approach quickly disappeared from the PEPP-PT website, undermining the initiative.

Christian Boos, founder of Arago GmbH, frontman of PEPP-PT and member of the Digital Council of the German Federal Government: “For quite a while, we have been discussing what the security architecture or the system should be: if it should be a centralised architecture or if it should be a decentralised one. But the discussion is so focused on security, while the goal is to allow the best management of the pandemic with the best possible privacy. Therefore, if we look at the security architecture – centralised or decentralised – on a technical side this discussion is about 30 years old. And it was never solved, as the two options clearly have advantages and disadvantages. A decentralised system has the big advantage of not needing a trusted entity. In a centralised or similar approach you need someone to trust. The public debate is very harmful, because in the end it’s about trust. Both systems are privacy-preserving. The real questions are: “do you trust the government at all or don’t you trust the government?” and “What system serves better in terms of managing this pandemic?.”

As Google and Apple entered the scene and announced a new collaboration in adopting, on their respective mobile operating systems, a solution similar to the one proposed by DP-3T, the debate about centralized or decentralized model got hotter and hotter. It soon became clear that centralized protocol-based apps would not be able to run continuously on many devices, making them ineffective.

Michael Veale, Lecturer in Digital Rights and Regulation at University College London in the Faculty of Laws and member of the DP-3T group: “We do not make claims about how effective any Bluetooth contact tracing app could be. This is the first time something like this has been done in this context, at this scale, so our understanding is strictly limited by our models. We are hopeful it could be useful, but it will require the absolute trust of individuals that their data cannot be misused — trust centralised systems cannot provide.”

Privacy and technical issues

The arguments put forward by the promoters of the PEPP-PT consortium revealed unconvincing and insurmountable technical problems, widespread lack of transparency with partners and criticisms from the cryptographers community quickly pulled the initiative out of the scene. This turning point helped to bring attention back to some key points of using tracing technology: the real reasons why it should be used and the possible consequences for the future of European privacy. There are so many unknowns about the virus and its spread in the near future that we can only speculate that tracing technology might be useful. Carmela Troncoso, (EPFL) said during a webinar: «The app has two goals: one of them is a notification that you have been in contact with a positive person, the other one is to give information to the epidemiologists to gather more information about the disease. Mainly in this case directed to modify policy. The DP-3T has purpose limitation by design. The most aggregated data we can provide is for each at risk person how long they were around people that are infected and how long they were around people that were not infected and what is the distance. That allows epidemiologists to actually understand whether these “two meters 15 centimeters” is actually arbitrary or not. If actually the disease is spreading because of contact or close proximity or not. Because we really don’t know».

The uncertainty of the New Normalcy

While uncertainty has become part of our daily lives, discussions like the one still ongoing on contact tracing technologies are crucial to guide citizens in choosing their future. Across Europe we have seen computer scientists, cryptographers, journalists, philosophers and activists taking part in a debate that, at times, has been about what we want to be, the world we want to live in. While in mid-April it seemed obvious that many countries in Europe would choose to develop an application based on the protocols provided by the PEPP-PT consortium, today we are turning in a completely different direction. The long and complex discussion heating up throughout Europe have further slowed down the decision-making process, affecting society. By now, many of the governments that were initially inclined towards a centralized protocol turned their attention to a decentralized approach. However, the end of the story seems a long way off.

Interesting enough, in Italy, the company chosen by the government to develop the “Immuni” app – Bending Spoons– was already in contact with Christian Boos’ Arago even before the world knew of the existence of the PEPP-PT. But after a few weeks, it moved to the decentralized model proposed by Apple and Google. And now the use of ‘electronic bracelets for kids’ is even contemplated at schools or at the beach. At the end of April, the German government declared that it would adopt a decentralised approach to digital contact tracing.

In France, Apple has been accused of trying to influence technical standards for public health tools. The government insists on keeping contact data in a central database (for the authorities to track suspected coronavirus cases) while Apple and Google prefer data to be stored on the phones themselves, out of government reach, saying this would better protect the privacy of users. In Great Britain, after criticism of the first app based on a centralized protocol, there has been an intense speculation on the need to “move to a different model”, after piloting it in the Isle of Wight and learning lessons from other countries”.

The issue remains that of the app’s continuous operation on a system such as iOS. In early May, Apple and Google released the first version of the API on which developers can work on a functional contact tracing app. The two companies have created a framework base which provides a decentralized protocol for contact tracing. Therefore, the Apple/Google proposal appears to meet the requirements of the European Commission, but many believe that it is likely that the API will remain and not be dismantled in the future.

Jürgen “Tante” Geuter is an independent theorist working on the intersection of technology, politics and the social, who is particularly active in the debate of these months: “If you build infrastructures, they will be reused. This specific app can be discontinued, but Google and Apple will integrate a decentralized approach. This is an infrastructure that we will have to live with. That is a very political decision.”

The willingness to deal with the spread of COVID-19 and to return to normal social life as soon as possible comes up against the uncertainty of something completely new. Researchers move with caution. Why have many European governments acted with great haste?

Paolo Attivissimo, IT journalist and consultant. “I think there are two basic reasons. The first is political. Technology is something that is easily introduced and responds to the need to be seen to do something. There is a security problem, in this case of health, and at the political level it is necessary showing that something is being done. The second aspect is the fact that this is the first pandemic in the age of ubiquitous smartphones. We now have such a widespread use of smartphones and a habit of using them that at least we can justify trying. It is an experiment. In fact, having no precedent, none of us knows whether this system is effective and so we try. The reasonable assumption is: if we could track people when they come into contact with another positive person, then we could do more automated contact tracing and thus prevent the spread of the disease. There is a risk that a whole complex operation will be carried out without any result other than allowing violations of privacy, abuses that could very well have been avoided.”

Bringing the debate back to its fundamentals seems to be a necessity. On the one hand, the possible usefulness (to be verified) of an unprecedented instrument. On the other hand, the risk of the scenarios to which a rash choice could lead.

The European Commission, after releasing the recommendations on the development of a tracing app, in a last-week statement said that “EU citizens must be able to receive alerts of a possible infection in a secure and protected way, wherever they are in the EU, and whatever app they are using”. It also reaffirmed the stance that Europeans shouldn’t be forced to install and use contract tracing applications. The EU Members States in the eHealth Network, with the support of the European Commission, adopted interoperability guidelines for approved contact tracing mobile applications in the EU, first follow-up action envisaged by the Union toolbox for the use of mobile apps to support contact tracing in response to the coronavirus pandemic presented in April.

On 17 April, the European Parliament adopted a resolution, stressing that any digital measures against the pandemic must be in full compliance with data protection and privacy legislation. It should be made clear how apps are expected to help minimise infection, how they are working and what commercial interests the developers have. Their use should not be obligatory and they should be dismissed once the pandemic is over. The potential risk of abuse should be clearly limited and the generated data – anonymised – should not be stored in centralised databases.

The use of contact tracing apps wasdiscussed in the European Parliament on 14 May at the plenary session. The debate focused on the risks linked to possible misuses of tracing apps when implementing some measures meant to relax the lockdown (for instance the controversial ‘immunity passports’ to move around boarders) and easily falling into some kind of ‘surveillance’

After all these weeks, some issues are still to be clarified. The inventors of Bluetooth technology themselves – Jaap Haartsen and Sven Mattisson – warned about the effectiveness of a system based on it. The radio signal can be lost under certain conditions and has never been synonymous of accuracy. This brings us back to the starting point: an application cannot be considered just a panacea against the coronavirus. Digital contact tracing cannot yet effectively replace “human” contact tracing, quite the contrary.