In brief

  • A team of European privacy experts has proposed a decentralized Bluetooth-based system for coronavirus contact tracing.
  • The protocol aims to preserve user privacy and prevent misuse of data after the pandemic passes.
  • Other experts have questioned whether decentralized contact tracing is any more secure than centralized alternatives.

Switzerland's Federal Office of Public Health (FOPH), has confirmed that it's working with a group of prominent European privacy experts to develop a decentralized coronavirus contact tracing app by May 11. 

The app will use the Decentralized Privacy-Preserving Proximity Tracing (DP-PPT, or DP3T) protocol, which has been designed by around 25 academics from research institutions across Europe, including the Swiss Federal Institute of Technology, ETH Zurich and Belgian KU Leuven. According to the project’s whitepaper, the DP-PPT protocol enables Bluetooth-based coronavirus contact tracing without compromising users’ privacy, and would would also prevent governments from misusing the data after the global pandemic dies down.

Preserving privacy with on-device processing

Unlike many centralized apps that global authorities rolled out en masse to help fight the coronavirus, DP-PPT doesn’t have a centralized “focal point” that’s vulnerable to hacker attacks or abuse. Instead, contact data collected by the protocol will be processed on each user’s device separately.

“Our protocol is demonstrative of the fact that privacy-preserving approaches to proximity tracing are possible, and that countries or organizations do not need to accept methods that support risk and misuse,” said Carmela Troncoso, a professor at the Swiss Federal Institute of Technology. “Where the law requires strict necessity and proportionality, and societal support is behind proximity tracing, this decentralized design provides an abuse-resistant way to carry it out.”

Per the whitepaper, if a person using the app is diagnosed with the coronavirus, a health authority would sanction the upload of an ephemeral Bluetooth identifier (EphID) from their device. This data would then be sent to other devices, which will locally compute whether they were in close proximity to an infected person at some point in the past.

That means there’s no need to create a centralized pseudonymized ID system that could put users’ privacy at risk and potentially be used for purposes other than public health.

The dangers of centralized coronavirus tracking

“One of the major concerns around centralization is that the system can be expanded, that states can reconstruct a social graph of who-has-been-close-to-who, and may then expand profiling and other provisions on that basis,” noted Michael Veale, a doctor at University College London.

According to Veale, under a centralized contact tracing model, users’ data can potentially be used by law enforcement and intelligence for non-public health purposes. Moreover, Veale also noted that centralized data collection is not actually necessary, since “data protection by design obliges the minimization of data to that which is necessary for the purpose.”

Is decentralization the solution?

Another somewhat similar project was recently criticized for its approach to coronavirus tracing, which implements both decentralized and centralized methods. Called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), it’s being developed by another group of scientists led by Fraunhofer Institute for Telecommunications.

According to Hans-Christian Boos, one of PEPP-PT’s initiators, decentralization is not a “be-all-end-all” solution in terms of privacy protection. He noted that instead of one entity having all the data in one place, decentralized apps are sending information to everyone—which introduces a whole new set of potential attack vectors for hackers.

“We will offer both solutions, depending on who wants to use what, and we’ll make them operable. But I’m telling you that both solutions have their merits. I know that in the crypto community there is a lot of people who want decentralization — and I can tell you that in the health community there’s a lot of people who hate decentralization because they’re afraid that too many people have information about infected people,” Boos told TechCrunch.

He added that if users assume that someone could hack a centralized service, then they also should accept the fact that decentralized ones are not impervious to attacks either, and could be exploited via spoofing and router attacks, for example.

“I think there has to be choice because if we are trying to build an international standard we should try and not be part of a religious war,” Boos concluded.

The debate between the two sides has grown heated in recent days, with ETH Zürich, KU Leuven, EPFL, and German cybersecurity institute CISPA quitting Boos’s PEPP-PT consortium; Kenny Patterson, Professor of Computer Science at ETH Zurich, commented that"Our relentless focus from now on is #DP3T."

UCL lecturer and DP-PPT backer Michael Veale accused PEPP-PT of failing “to publish any documents or protocol, as they promised [...] to governments and the press,” while a group of MEPs has demanded Boos explain why "PEPP-PT has so far not been transparent on the functioning of the contact-tracing apps it is developing," and why the project's code hasn't been open-sourced for scrutiny.

It looks like the debate isn't going to be resolved any time soon.