Germany on Sunday pulled an about-face regarding the best way to use smart phones to trace people’s contacts with those infected by COVID-19, embracing a decentralized Bluetooth-based approach instead of the more invasive location tracking proposed in other approaches.
The Bluetooth approach – which keeps data local on people’s phones instead of being stored on a centralized database that could be used for mass state surveillance or to track people – is supported by Apple, Google and other European countries, Reuters reported.
Apple and Google first announced their contact tracing collaboration two weeks ago, on 10 April. Instead of “contact tracing,” though, they’re calling it an Exposure Notification system.
As the companies have explained in an FAQ about their approach, it will come in two phases, both of which will use Bluetooth technology on mobile devices to aid in contact tracing efforts.
The first phase will be an API that works across iOS and Android devices for public health agencies to integrate into their own apps. That’s due in May. The second phase, due in coming months, will be introduced at devices’ operating system levels to ensure broad adoption – a key element in the success of contact tracing.
It will be done on a strictly opt-in basis. After the operating system updates and a user has opted in, the Exposure Notification system will start pinging the Bluetooth beacons of nearby devices. Preliminarily, users won’t have to install an app to get those notifications. But if a match is detected that shows a user has come into contact with somebody who’s infected, the user will be notified.
If they haven’t already downloaded the official app, they’ll be prompted to do so and will be advised on what to do next, such as take steps to get tested or self-quarantine. “Only public health authorities will have access to this technology and their apps must meet specific criteria around privacy, security, and data control,” according to the FAQ.
If a user tests positive for COVID-19, they’ll be able to work with their health authority to report the diagnosis within the app. Then, with their consent, their beacons will be added to the list of devices belonging to people who’ve tested positive. Users’ identities won’t be shared with other users, with Google or with Apple.
CNET has done a deep dive on the measures that Google and Apple are taking to protect people’s privacy with this approach. for its part, Google provided this video and graphic to explain the basics of the system:
As Google and Apple tell it, the system – which will run on either Apple’s iOS or Google’s Android operating systems – requires explicit user consent. It collects neither users’ personally identifiable information (PII) nor their location data.
The list of people you’ve been in contact with never leaves your phone.
The system relies on smart phone beaconing: the use of a phone’s built-in radios and Bluetooth to constantly ping other devices with a long, unique string that identifies a device: what the companies say is a string of random numbers that aren’t tied to a user’s identity and which change every 10-20 minutes to protect users from being tracked. Servers relay a device’s last 14 days of IDs to other devices that then look for a match, searching for devices that came within six feet of each other for a given amount of time.
If the app detects that a user has come into contact with somebody who’s tested positive for COVID-19, the system will tell them what day it happened, how long the contact lasted, and the Bluetooth signal strength of that contact. That’s the full extent of the information that will be shared about the contact.
On Friday, Apple and Google said in a press briefing that besides relying on Bluetooth instead of location data, and on top of regularly changing the identifying IDs, they’ve also added a new layer of encryption for the tracing data. The extra encryption layer will make it tougher to identify those who’ve tested positive for COVID-19 and will also encrypt data to make it harder to use as a digital fingerprint if it’s exposed.
“Nein” to centralized data storage
As Reuters tells it, as late as Friday, Germany was backing a different approach to contact tracing called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT). That approach relies on tracking contacts by monitoring the proximity of their phones.
In fact, Germany was leading that initiative, which had the support of seven European countries as of last week.
That support went on to melt after 300 scientists published an open letter expressing concerns about PEPP-PT last Monday (20 April). They argued that PEPP-PT lacks transparency and that its centralized storage of data might be exploited by governments for discriminatory practices or invasive state surveillance.
We are concerned that some ‘solutions’ to the crisis may, via mission creep, result in systems which would allow unprecedented surveillance of society at large.
The scientists came out in support of an alternative standard, called DP-3T, that they claimed is more privacy-preserving. At least three of the European countries that initially supported a contact-tracing app that relies on location data and centralized data storage had switched to supporting DP-3T as of Friday.
On Friday, German Chancellery Minister Helge Braun and Health Minister Jens Spahn said in a joint statement that the country would dump its own, home-grown approach to contract tracing, which would have given health authorities central control over the tracing data.
A senior government source told Reuters that it was Apple’s refusal to tweak settings on its iPhones – a change that would have been required to adopt PEPP-PT – that forced Germany to change course.
In a joint statement, Braun and Spahn said Germany would now adopt a “strongly decentralized” approach:
This app should be voluntary, meet data protection standards and guarantee a high level of IT security. The main epidemiological goal is to recognize and break chains of infection as soon as possible.
Apple and Google plan to collaborate with other initiatives, like the Swiss-led DP-3T, that similarly use a decentralized system that stores data on individual devices instead of in a centralized database.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.