Globally, several organizations are working on solutions to fight the COVID-19 pandemic, and there has been an uptick in the development of contact tracing apps. Last week, the European Parliament demanded that contact tracing apps store data in a decentralized manner. It recommended that a common EU approach is essential for the use of contact tracing apps.
But the issue of decentralization has become a contentious topic with a pan European initiative making decentralization optional and some universities withdrawing.
One of the reasons for the EU parliament’s demand is that people may be reluctant to adopt contact tracing apps if there’s insufficient data privacy.
With the urgent need for solutions, governments as well as private entities are scrambling to develop contact tracing apps. In the U.S., Google and Apple are collaborating to create a Bluetooth-based contact tracing solution embedded in operating systems — Android and iOS. The companies plan to release APIs that enable interoperability between Android and iOS devices using apps from public health authorities.
However, the biggest concern here is the privacy of data. Bluetooth is used for logging the proximity of other devices – it does not retain GPS locations – and stores the anonymized data on the phone. So at this point, it is a decentralized solution. The issue is what happens to the data to notify at-risk users and health authorities. We believe this is unclear at this stage.
The EU parliament stated that any applications developed by government authorities may not be obligatory to use, and the data must not be stored on centralized databases.
Pan European initiative departing from decentralization requirement
A European coalition of technologists and scientists have come together to work on contact tracing proximity technology, which complies with the privacy rules in the region. It’s supported by both universities and commercial firms such as Vodafone. The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) is developing standards for Bluetooth-based proximity tracking.
However, despite the EU parliament demand for decentralization, its website states, “PEPP-PT currently considers two privacy-preserving approaches: “centralized” and “decentralized”.
According to Techcrunch, the group has demanded that Google and Apple make changes to the API they are developing to remove the decentralization requirement. With the Apple-Google solution data is stored on the phone. And only if someone tests positive is data uploaded to the cloud (potentially centralized) for 14 days, and the infected person has to consent.
This is relevant because the Apple-Google solution could be permanently enabled on the phone for tracking in the background. Both platforms have restrictions on the use of Bluetooth for other purposes.
It has also been reported that several academics have withdrawn from the EU PEPP-PT initiative which claims to have support from several governments. A quick comparison of the members at April 1st and today shows the following universities have dropped out: Ellis Alicante, ETH Zurich, ISI Foundation (Italy) and KU Leuven (Netherlands).
But the last three have been working on a particular technical approach to contract tracing, DP-3T, and the PEPP-PT initiative removed reference to it on their website.
Academics are concerned
Additionally, academics from across the globe have concerns about whether enough will be done to protect the privacy of app users.
In a joint statement, hundreds of academics suggested that contact tracing apps must only be used to support public health measures, and the system should not collect any information which does not help this goal.
The solution should be transparent, and all components must be available for public review. Since there are multiple initiatives around the globe, the most privacy-preserving option should be chosen.
Additionally, the statement recommends that the use of contact tracing apps must be voluntary, and users must have the ability to delete their account and all data when the current crisis is over.
The four recommendations do not mention decentralization specifically. However, the statement references decentralization several times and only provides links to decentralized approaches:
Among other blockchain initiatives, Evernym, ID2020, uPort, Microsoft, ConsenSys Health and 64 other organizations have come together for the COVID Credentials initiative (CCI). The group aims to develop ‘immunity passports’ using digital identities and check the spread of coronavirus.
The Baseline protocol, founded by ConsenSys, Microsoft and EY, said its exploring contact tracing. IoT blockchain platform Nodle.io has launched a contact tracing app that uses Bluetooth to communicate with nearby devices.