INSUBCONTINENT EXCLUSIVE:
A European coalition of techies and scientists drawn from at least eight countries, and led by Germany's Fraunhofer Heinrich Hertz
Institute for telecoms (HHI), is working on contacts-tracing proximity technology for COVID-19 that's designed to comply with the region's
However the coronavirus pandemic is applying pressure to the region's data protection model, as governments turn to data and mobile
technologies to seek help with tracking the spread of the virus, supporting their public health response and mitigating wider social and
economic impacts.
Scores of apps are popping up across Europe aimed at attacking coronavirus from different angles
European privacy not-for-profit, noyb, is keeping an updated list of approaches, both led by governments and private sector projects, to use
place.
In the UK the government has been quick to call in tech giants, including Google, Microsoft and Palantir, to help the National
Health Service determine where resources need to be sent during the pandemic
in aggregated and anonymized form.
The newly unveiled Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project is a response to
described as 'a fully privacy-preserving approach' to COVID-19 contacts tracing.
The core idea is to leverage smartphone technology to help
their smartphones having been near enough to carry out a Bluetooth handshake
But the coalition behind the effort wants to steer developments in such a way that the EU response to COVID-19 doesn't drift towards
China-style state surveillance of citizens.
While, for the moment, strict quarantine measures remain in place across much of Europe there
may be less imperative for governments to rip up the best practice rulebook to intrude on citizens' privacy, given the majority of people
infections by some, with examples such as Singapore's TraceTogether app being eyed up by regional lawmakers.
Singapore does appear to have
had some success in keeping a second wave of infections from turning into a major outbreak, via an aggressive testing and contacts-tracing
But what a small island city-state with a population of less than 6M can do vs a trading bloc of 27 different nations whose collective
population exceeds 500M doesn't necessarily seem immediately comparable.
Europe isn't going to have a single coronavirus tracing app
It's already got a patchwork
Hence the people behind PEPP-PT offering a set of 'standards, technology, and services' to countries and developers to plug into to get a
'Enforcement of data protection, anonymization, GDPR [the EU's General Data Protection Regulation] compliance, and security' are baked in,
is the top-line claim.
'PEPP-PR was explicitly created to adhere to strong European privacy and data protection laws and principles,' the
group writes in an online manifesto
'The idea is to make the technology available to as many countries, managers of infectious disease responses, and developers as quickly and
as easily as possible.
'The technical mechanisms and standards provided by PEPP-PT fully protect privacy and leverage the possibilities and
features of digital technology to maximize speed and real-time capability of any national pandemic response.'
Hans-Christian Boos, one of
telling it: 'We collect no location data, no movement profiles, no contact information and no identifiable features of the end
individuals being identified
Two or more smartphones running an app that uses the tech and has Bluetooth enabled when they come into proximity would exchange their
the app subsequently be diagnosed with coronavirus their doctor would be able to ask them to transfer the contact list to a central server
The doctor would then be able to use the system to warn affected IDs they have had contact with a person who has since been diagnosed with
thus:
Mode 1 If a user is not tested or has tested negative, the anonymous proximity history remains encrypted on the user's phone and
cannot be viewed or transmitted by anybody
At any point in time, only the proximity history that could be relevant for virus transmission is saved, and earlier history is continuously
deleted.
Mode 2 If the user of phone A has been confirmed to be SARS-CoV-2 positive, the health authorities will contact user A and provide
a TAN code to the user that ensures potential malware cannot inject incorrect infection information into the PEPP-PT system
The user uses this TAN code to voluntarily provide information to the national trust service that permits the notification of PEPP-PT apps
recorded in the proximity history and hence potentially infected
Since this history contains anonymous identifiers, neither person can be aware of the other's identity.
Providing further detail of what
it envisages as 'Country-dependent trust service operation', it writes: 'The anonymous IDs contain encrypted mechanisms to identify the
country of each app that uses PEPP-PT
Using that information, anonymous IDs are handled in a country-specific manner.'
While on healthcare processing is suggests: 'A process for
how to inform and manage exposed contacts can be defined on a country by country basis.'
Among the other features of PEPP-PT's mechanisms
the group lists in its manifesto are:
Backend architecture and technology that can be deployed into local IT infrastructure and can
handle hundreds of millions of devices and users per country instantly.
Managing the partner network of national initiatives and providing
ensures scalability.
Certification Service to test and approve local implementations to be using the PEPP-PT mechanisms as advertised and
thus inheriting the privacy and security testing and approval PEPP-PT mechanisms offer.
Having a standardized approach that could be
centralized on a server that doctors can access there could be a risk of it leaking and being re-identified
And identification of individual device holders would be legally risky.
Europe's lead data regulator, the EDPS, recently made a point of
tweeting to warn an MEP (and former EC digital commissioner) against the legality of applying Singapore-style Bluetooth-powered contacts
Remember Singapore has a very specific legal regime on identification of device holder.'
Dear Mr
Commissioner, please be cautious comparing Singapoore examples with European situation
2020
A spokesman for the EDPS told us it's in contact with data protection agencies of the Member States involved in the PEPP-PT
project to collect 'relevant information'.
'The general principles presented by EDPB on 20 March, and by EDPS on 24 March are still
anonymization and aggregation should Member States want to use mobile location data for monitoring, containing or mitigating the spread of
At least in the first instance.
'When it is not possible to only process anonymous data, the ePrivacy Directive enables Member States to
introduce legislative measures to safeguard public security (Art
15),' the EDPB further noted.
'If measures allowing for the processing of non-anonymised location data are introduced, a Member State is
obliged to put in place adequate safeguards, such as providing individuals of electronic communication services the right to a judicial
unable to speak to him.
'The PEPP-PT system is being created by a multi-national European team,' the HHI writes in a press release about
'It is an anonymous and privacy-preserving digital contact tracing approach, which is in full compliance with GDPR and can also be used when
traveling between countries through an anonymous multi-country exchange mechanism
No personal data, no location, no Mac-Id of any user is stored or transmitted
PEPP-PT is designed to be incorporated in national corona mobile phone apps as a contact tracing functionality and allows for the
integration into the processes of national health services
The solution is offered to be shared openly with any country, given the commitment to achieve interoperability so that the anonymous
multi-country exchange mechanism remains functional.'
'PEPP-PT's international team consists of more than 130 members working across more
than seven European countries and includes scientists, technologists, and experts from well-known research institutions and companies,' it
adds.
'The result of the team's work will be owned by a non-profit organization so that the technology and standards are available to all
conforming to European norms and standards.'
The PEPP-PT says its technology-focused efforts are being financed through donations
everywhere they go, with Bluetooth enabled.
Without substantial penetration of regional smartphones it's questionable how much of an impact
this initiative, or any contacts tracing technology, could have
Although if such tech were able to break even some infection chains people might argue it's not wasted effort.
Notably, there are signs
app which last week racked up 750,000 downloads in the UK in 24 hours.
But, at the same time, contacts tracing apps are facing scepticism
over their ability to contribute to the fight against COVID-19
Not everyone carries a smartphone, nor knows how to download an app, for instance
There's plenty of people who would fall outside such a digital net.
Meanwhile, while there's clearly been a big scramble across the region,
at both government and grassroots level, to mobilize digital technology for a public health emergency cause there's arguably greater
