Contact-Tracing Apps Must Respect Privacy, Scientists Warn
Trust Hinges on Transparency, 200 Top Scientists and Researchers Say in Open Letter
All digital contact-tracing apps for combating COVID-19 must be developed in an open and transparent manner, use Bluetooth, and allow users to opt in, 200 of the world's leading scientists and researchers have warned. In addition, the apps must prioritize privacy by design, only collect necessary data and remain voluntary, or else they risk making the new coronavirus outbreak even worse, these experts say.
Many nations around the world have introduced or announced plans to pursue contact-tracing apps to help contain the global pandemic.
"The current COVID-19 crisis is unprecedented, and we need innovative ways of coming out of the current lockdowns," the scientists and researchers, who hail from more than 25 different countries, write in the open letter. "However, we are concerned that some 'solutions' to the crisis may, via mission creep, result in systems which would allow unprecedented surveillance of society at large."
Open letter signed by 300+ scientists in over 25+ countries -- 4 principles for open, transparent, and privacy-by-design contact tracing for COVID-19, and using decentralized designs to limit surveillance repurposing: https://t.co/5HD6LvnzrW — Cas Cremers (@CasCremers) April 20, 2020
"I've never seen a statement signed by so many academics," says Alan Woodward, a computer science professor at the University of Surrey who's one of the signatories. "I just hope government takes note."
Contact-tracing apps are meant to augment the laborious, manual process of tracking individuals who have tested positive for COVID-19, and then attempting to notify everyone with whom they may have come into contact after infection. Many public health officials say that together with robust blood-testing programs - which many countries still lack - contact-tracing is essential for helping to minimize the spread of the virus (see: Coronavirus: UK Government Promises App for Contact Tracing).
Some think contact-tracing apps can help, but the scientists and researchers warn that unless such proposals remain transparent, they risk making the pandemic worse.
"Not all governments are benign."
—University of Surrey's Alan Woodward
"Everyone accepts that extraordinary times can call for extraordinary measures but it has to be done transparently, with legal backing and with oversight. To do otherwise risks what start out as good intentions being misused in future," Woodward tells Information Security Media Group.
"The motivation is the desire that these apps are effective and that will happen only if people use them and that trust will happen only if people trust them. Unless you are transparent and open, people will assume nefarious uses - it could be an enormous 'own goal,'" he adds, meaning that untrusted, incorrectly rolled out efforts could actively undercut COVID-19 containment rather than bolstering it.
Already, Singapore and India have rolled out contact-tracing apps, and the U.S., U.K. and Australia are among the countries that are making plans to follow suit (see: Australia's Contact Tracing App May Be a Hard Sell).
The Singaporean and Indian initiatives rely on centralizing data and making it available to authorities whenever they choose. But the scientists warn that overly centralized approaches could be used by governments to conduct mass surveillance on their citizens, or similarly abused by foreign powers.
"One of the things I was most afraid of when it came to contact tracing was that governments would reject privacy-preserving solutions and demand the data," says cryptographer Matthew Green, an associate professor of computer science at Johns Hopkins University who is a co-signee on the open letter.
Fallout Over PEPP-PT
The open letter has been released in the wake of growing concern over a proposal from the Pan-European Privacy-Preserving Proximity Tracing group in Germany. The PEPP-PT proposal calls for a closed, proprietary standard for contact tracing that relies on storing data centrally.
As Kobeissi writes, the backers of PEPP-PT said they preferred to focus on conducting a privacy risk assessment, rather than debating centralized versus decentralized approaches. "Nevertheless, it is truly striking just to what degree the protocol specification describes a system that is centralized," he said.
See Page 6 of the PDF, and the quote 'server decrypts the temporary IDs' of the document for why this is the case! This is entirely unnecessary, and violates GDPR in many ways. 2/2 — Ralf Sasse (@RalfSasse) April 17, 2020
Ralf Sasse, a senior scientist with the information security group at the Swiss public research university ETH Zurich, warned that the proposal would violate Europeans' privacy rights, as enshrined under the EU's General Data Protection Regulation.
On Friday, the European Parliament also said that COVID-19 contact-tracing apps must take a decentralized approach, and warned that "the generated data are not to be stored in centralized databases, which are prone to potential risk of abuse and loss of trust and may endanger uptake throughout the [EU]."
As concerns over PEPP-PT mounted, some scientists and researchers decided to publicly articulate principles by which anyone developing a contact-tracing app should ideally abide, resulting in the open letter.
In the open letter, the researchers name four privacy-preserving decentralized methods that they say adhere to their best-practice recommendations.
"All these teams are committed to working together to make their systems interoperate," according to the letter. "They aim to provide different decentralized privacy preserving methods which can be adapted by countries depending on their local situation. By working together they can ensure that using contact tracing in the effort to defeat COVID-19 can be done in a way that protects privacy."
A Model: Apple and Google
The group of scientists and researchers has also applauded an initiative announced earlier this month by Apple and Google, which are developing contact-tracing capabilities that will run on iOS and Android devices. By mid-May, they're promising to give APIs to public health officials to make it easier to build apps that interoperate with both of their mobile operating systems.
In the next few months, Apple and Google are hoping to update their respective iOS and Android operating systems to include, built in, "a broader Bluetooth-based contact tracing platform" to which users could opt in.
For anyone who opted in, whenever their device came within a specific range - for example, 10 feet - of a device used by another individual who had opted in, the devices would exchange a code unique to their device. If one of the device owners later tested positive for COVID-19, they could tell their app, which would flag their unique code via a cloud-based service that would lead to alerts being sent to other app users who may have been exposed.
"Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders," Apple and Google say in a joint statement. "We will openly publish information about our work for others to analyze."
In their open letter, the 200 scientists and researchers back Apple and Google's approach. "We applaud this initiative and caution against collecting private information on users. Some who seek to build centralized systems are pressuring Google and Apple to open up their systems to enable them to capture more data," they write.
Scientists: Use Bluetooth, Not GPS
In their letter, the researchers also call for all contact-tracing apps to be based on Bluetooth, rather than GPS, in part because using GPS results in more data getting processed and potentially centrally stored.
In addition, they say that whenever multiple approaches are available, teams must choose the most privacy-preserving approach. They also want to see privacy by design, rather than approaches based on storing sensitive data with a trusted third party, to ensure users' rights don't get violated.
"It is crucial that citizens trust the applications in order to produce sufficient uptake to make a difference in tackling the crisis," they write. "It is vital that, in coming out of the current crisis, we do not create a tool that enables large-scale data collection on the population, either now or at a later time."
Currently Singapore reports only 17 percent adoption of its official TraceTogether app, introduced on March 20.
To be effective, digital contact-tracing apps would ideally be adopted by at least 60 percent of users, according to researchers at Oxford University. Paper co-author Christophe Fraser from the university's Big Data Institute says that such an app, "if carefully implemented alongside other measures, has the potential to substantially reduce the number of new coronavirus cases, hospitalizations and ICU admissions."
Warning: Social Graph Could Be Abused
One major concern is that apps would collect enough data to allow others to see a "social graph" of everyone with whom the user has physically come into contact.
"With access to the social graph, a bad actor - state, private sector or hacker - could spy on citizens' real-world activities," the scientists warn. "Some countries are seeking to build systems which could enable them to access and process this social graph. On the other hand, highly decentralized systems have no distinct entity that can learn anything about the social graph. In such systems, matching between users who have the disease and those who do not is performed on the non-infected users' phones as anonymously as possible, whilst information about non-infected users is not revealed at all."
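The exchange described above (devices swap rolling codes, a positive patient publishes only their own codes, and matching happens on each user's phone) can be made concrete with a small simulation. This is an added illustrative model, not code from Apple, Google, DP3T or the article; the `Device` and `PublicationServer` classes and their fields are assumptions made for the example.

```python
import secrets


class Device:
    """One opted-in phone in a decentralized exposure-notification scheme.
    Illustrative model only; not the real Apple/Google or DP3T implementation."""

    def __init__(self, owner):
        self.owner = owner
        self.my_ids = []        # codes this phone has broadcast over Bluetooth
        self.seen_ids = set()   # codes received from nearby phones; never leave the device

    def new_broadcast_id(self):
        # Fresh random rolling identifier: unlinkable to the owner and to earlier codes.
        eid = secrets.token_bytes(16)
        self.my_ids.append(eid)
        return eid

    def encounter(self, other):
        # Two phones within range exchange their current codes.
        self.seen_ids.add(other.new_broadcast_id())
        other.seen_ids.add(self.new_broadcast_id())

    def report_positive(self, server):
        # A confirmed case uploads only the codes it broadcast, never the codes it observed,
        # so the server receives no (A met B) information and cannot build a social graph.
        server.publish(self.my_ids)

    def check_exposure(self, server):
        # Matching runs locally: the phone downloads the published codes of confirmed cases
        # and compares them against what it saw. Non-infected users reveal nothing.
        return any(eid in self.seen_ids for eid in server.download())


class PublicationServer:
    """Cloud service that stores only the codes of confirmed cases."""

    def __init__(self):
        self.infected_ids = []

    def publish(self, ids):
        self.infected_ids.extend(ids)

    def download(self):
        return list(self.infected_ids)


def simulate():
    # Constructed scenario: Alice meets Bob, Carol meets nobody, Alice later tests positive.
    server = PublicationServer()
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    alice.encounter(bob)
    alice.report_positive(server)
    return bob.check_exposure(server), carol.check_exposure(server), len(server.infected_ids)
```

Running `simulate()` shows Bob alerted, Carol not, and the server holding nothing beyond Alice's own broadcast codes.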
'There May Be Some Centralization'
Woodward says it's too soon to tell how privacy-respecting contact-tracing apps will develop, and to what extent they might be based on Apple and Google's proposals.
Even so, he suspects that best-practice approaches will look like the DP3T protocol. "There may be some centralization, but the principle of keeping this to the minimum of what is necessary for clinical use is important," he says. "Too much centralization and it becomes a tracking system. One of the reasons Apple and Google took their approach is that they wanted to support contact tracing, but didn't want their technology to act as a foundation for apps that could be used to track populations. Not all governments are benign."
At the same time, of course, governments remain the entities charged with safeguarding their populations, as best as possible, against COVID-19.