Germany has reversed course on building a centralized COVID-19 contact-tracing app and will instead adopt a decentralized architecture, Reuters reported on Sunday, citing a joint statement by Chancellery Minister Helge Braun and Health Minister Jens Spahn.
In Europe, there has been a struggle in the past few weeks between groups backing centralized and decentralized infrastructure for apps that governments are fast-tracking and that use Bluetooth-based smartphone proximity as a proxy for the risk of infection, in the hope of supporting the public health response to the coronavirus by automating contact tracing.
Centralized approaches proposed in the region would store and process pseudonymized proximity data on a server that is controlled by a national agency, such as a health service. However, concerns have been raised that authorities could scoop up citizens' social graph, with data protection experts warning of the risk of malfunctions and even of government surveillance.
In contrast, a decentralized contact-tracing infrastructure means that short-lived IDs are stored locally on the device and are only uploaded, with the user's permission, after a confirmed COVID-19 diagnosis. A relay server is used to distribute the IDs of infected users so that devices can compute locally whether there is a risk that requires notification. Social graph data is therefore not centralized.
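The difference between the two architectures comes down to what the server ends up holding. The Python example below is added here for illustration and is not code from DP-3T, PEPP-PT, ROBERT or the Apple/Google API; the class names, the random 16-byte IDs, the constructed pseudonyms `p1` to `p3`, and the assumption that a central server issues the IDs it later receives are all simplifications made for this example.

```python
import secrets

class Device:
    def __init__(self, pseudonym):
        self.pseudonym = pseudonym
        self.sent = []      # short-lived IDs this device has broadcast
        self.heard = set()  # IDs received over Bluetooth, kept on the device
    def fresh_id(self):
        self.sent.append(secrets.token_hex(16))
        return self.sent[-1]

def encounter(a, b, issue):  # each device receives one ID from the other
    id_a, id_b = issue(a), issue(b)
    a.heard.add(id_b)
    b.heard.add(id_a)

class RelayServer:
    """Decentralized model: stores only IDs uploaded by diagnosed users."""
    def __init__(self):
        self.infected_ids = set()
    def upload(self, device, consent):
        if consent:  # without permission nothing leaves the device
            self.infected_ids.update(device.sent)

def at_risk(device, relay):
    return bool(device.heard & relay.infected_ids)  # matched on the handset

class CentralServer:
    """Centralized model (assumed): server issues IDs and gets heard lists."""
    def __init__(self):
        self.owner = {}        # ID -> pseudonym, known to the issuing server
        self.contacts = set()  # pseudonym pairs the server can derive
    def issue(self, device):
        eid = secrets.token_hex(16)
        self.owner[eid] = device.pseudonym
        return eid
    def upload(self, device):
        self.contacts |= {(device.pseudonym, self.owner[e]) for e in device.heard}

def demo():
    relay, central = RelayServer(), CentralServer()
    a, b, c = (Device(p) for p in ("p1", "p2", "p3"))  # constructed users
    encounter(a, b, Device.fresh_id)  # decentralized: device-generated IDs
    relay.upload(a, consent=True)     # p1 is diagnosed and agrees to upload
    risk = {d.pseudonym: at_risk(d, relay) for d in (a, b, c)}
    x, y = Device("p1"), Device("p2")
    encounter(x, y, central.issue)    # centralized: server-issued IDs
    central.upload(x)                 # p1 is diagnosed
    return risk, relay.infected_ids, central.contacts
```

In the decentralized run the relay ends up with one opaque ID and no record of who met whom, while the central server in the same scenario holds the pair `("p1", "p2")`.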
The federal government's change in policy is a major blow to the homegrown standardization effort called PEPP-PT, which had aggressively supported centralization while claiming to maintain privacy because location data was not collected. It had quickly put forward a centralized architecture for tracking coronavirus contacts, led by the German Fraunhofer Institute, and named the federal government as an important early backer, although PEPP-PT later said it would also support decentralized protocols.
As we reported earlier, the effort has been heavily criticized by European data protection experts, including a group of scientists who developed a decentralized protocol called DP-3T and who argue that the P2P architecture really protects privacy. Concerns about a lack of transparency have also been raised regarding who is behind PEPP-PT and the protocols it claims to support, with no code released for review.
The European Commission, meanwhile, has also recommended the use of decentralization technologies in order to strengthen trust in such apps and to promote wider acceptance.
MEPs have also warned regional governments not to centralize proximity data during the coronavirus crisis.
But it was Apple and Google jumping into the fight earlier this month, by announcing joint support for decentralized contact tracing, that was the bigger blow, with no prospect of technical restrictions being lifted at the platform level. iOS limits background access to Bluetooth for privacy and security reasons, so national apps that don't meet this decentralized standard won't benefit from the API support, and will likely be far less usable, draining the battery and working only while the app is active.
Still, PEPP-PT told journalists just over a week ago that it had held fruitful discussions with Apple and Google about changes to their approach with regard to centralized protocols.
Notably, the technology giants never confirmed this claim. They have since doubled down on the principle of decentralization for the cross-platform API for public health apps and for system-wide contact tracing, which is due to be released next month.
At the time of writing, PEPP-PT spokesman Hans-Christian Boos had not responded to a request for comment on the federal government's withdrawal of support.
Boos previously claimed that PEPP-PT had around 40 governments lined up to join the standard. In recent days, however, momentum in Europe has moved in the other direction. A number of academic institutions that originally supported PEPP-PT have also withdrawn support.
In a statement emailed to theinformationsuperhighway, the DP-3T project welcomed Germany's about-face. "DP-3T is very pleased to see that Germany is taking a decentralized approach to contact tracking and we look forward to the next steps to implement such a technique while maintaining privacy," said the group.
With Berlin's withdrawal, France and the UK remain the two most important regional supporters of centralized apps for tracking coronavirus contacts. And while the German turnaround is certainly a blow to the centralized camp in Europe, the French government appears to be holding firm in its support, at least for the time being.
In collaboration with the German Fraunhofer Institute and others, France has developed a centralized protocol for tracking coronavirus contacts called ROBERT.
In a statement published on Sunday, France's data protection watchdog, the CNIL, did not take active issue with centralizing pseudonymized proximity IDs – EU law does not fundamentally prohibit such a system – although the watchdog emphasized the need to minimize the risk of people being identified.
It's noteworthy that French digital minister Cédric O has put a lot of public pressure on Apple over its Bluetooth restrictions, telling Bloomberg last week that Apple's policies are blocking the virus tracker.
Yesterday, O also tweeted to defend the use of the planned "Stop Covid" app.
"Yes, the #StopCovid application is useful." Voluntary, anonymous, transparent and temporary, it provides guarantees for the protection of the freedom of the individual. Made available to health workers, it will help them in the fight against #COVID19 https://t.co/12xYG5Z8ZC
– Cédric O (@cedric_o), April 26, 2020
We asked the French digital ministry to comment on Germany's decision to switch to a decentralized approach, but at the time of writing, the department had not responded.
In a press release today, the government highlights the CNIL's view that its approach complies with data protection regulations and commits to publishing a data protection impact assessment before launching the app.
As France presses ahead, it is unclear how the country will prevent its app from being ignored or abandoned by smartphone users who find it irritating to use. (Although it is worth noting that Google's Android platform has a significant share of the market, with approximately 80% versus 20% for iOS, per Kantar.)
Tomorrow's debate in the French parliament will include discussion of contact-tracing apps.
We have also contacted the UK's NHSX, which has developed a COVID-19 contact-tracing app for the UK market, and will update this report with any response.
In a blog post on Friday, the UK's digital transformation department said it was working "with Apple and Google on their welcome support for tracking apps around the world," a PR line that completely sidesteps the controversy over centralized versus decentralized app infrastructures.
The UK has previously been reported to be planning to centralize proximity data, which also raises questions about the effectiveness of its proposed app, as iOS restricts background access to Bluetooth.
"As part of our commitment to transparency, we will publish key security and privacy designs along with the source code so privacy professionals can 'look under the hood' and help us ensure that security is absolutely world class," NHSX's Matthew Gould and Dr. Geraint Lewis added in the statement.