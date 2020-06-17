More than 300 academics from institutions in 27 countries have published a letter this Monday to warn about the danger of a centralized contagion tracking app: “We are concerned that some solutions to this crisis may result in systems that allow unprecedented mass surveillance of society ”, they write. This fear would lead, they add, to less people downloading it or using it, which would render that effort useless. The letter arrives in the middle of a battle between European governments and institutions over the app model used to overcome the crisis.

The technological solution for the day we go out is an app that helps track infections. A major problem with the coronavirus has been the ability to infect those affected without symptoms. This app would let you know who a person has been with who later turns positive. It works via bluetooth: our phones would send and receive codes every few minutes. If someone is infected, upon confirming their positive, the system would allow those close to them in recent days to be warned to quarantine.

This system has basically two formats: centralized and decentralized. The basic difference is the knowledge of the population that has who controls the server. In the centralized one, the authorities can know how to trace identities, so you have to trust that they only use it to combat Covid-19. In the decentralized, the most important operations take place on the mobile, which only users have access to.

In Europe, a consortium called PEPP-PT (Pan-European Proximity Tracking to Preserve Privacy) emerged in early April, supported by dozens of institutions. This was its initial intention: “We support centralized and decentralized proposals and each country will choose the one that suits its legislation. Everything we provide will be based on voluntary participation, it will be anonymous, it will not use personal data or geolocation, it will operate in compliance with the European Data Protection Regulation and it will have been certified and verified by professionals ”.

Since the appearance of that website, little else was known about the activity of PEPP-PT. Among those proposals, the website announced that there was an initiative called DP-3T. With a team of more than 20 professionals in eight European institutions and led by a Spanish engineer, Carmela Troncoso, DP-3T was advancing in its work of creating a decentralized protocol. His intention was, as Troncoso explained in an interview in EL PAÍS, to offer an alternative that respects privacy in the certainty that there would be a contagion tracking app.

On Friday, April 10, Apple and Google unveiled their work to help with contagion tracking. His effort was going to go in the direction of DP-3T, that is to say towards a decentralized model.

Nerves begin

In PEPP-PT, meanwhile, nothing happened. Some governments, such as the Spanish, had joined an initiative that seemed to propose something acceptable to the entire continent. For its part, DP-3T continued with its work, with the code posted in the GitHub online repository for analysis by the community. Until last Wednesday. That day the mention of DP-3T was silently removed from the PEPP-PT official website. Nerves began.

What was left in PEPP-PT? Just something supposedly centralized that no one had seen. Suspicions and suspicions circulated in all directions. The only public figure represented in PEPP-PT was Hans-Christian Boos, a German businessman and adviser to the federal government. But nobody was clear about his role or who helped him in his work.

On Friday PEPP-PT organized two video calls on Zoom. Boos made one for journalists. Two researchers from the Fraunhofer Institute did the other. They discussed ongoing tests, an upcoming implementation, conversations with Apple and Google. That day in the afternoon they would post something on GitHub, they said. Everything seemed suddenly more advanced than anyone believed. But Friday afternoon only a simple pdf appeared, which they immediately deleted. Chaos and doubts grew. Several institutions and scientists began to unlink his name from the project.

In the PEPP-PT members category there are now some institutions and a host of companies, such as Bending Spoons, which is developing the app in Italy, or Hering, the public relations company that helped Volkswagen in its diesel fiasco.

Until Saturday at noon, when the ROBERT protocol was published. Behind ROBERT there were two French and German institutions: Inria and Fraunhofer. But no investigator name, which is rare in the scientific community. During the day, some Inria members showed their surprise that their institution was associated with something that only a group had done.

ROBERT comes from ROBust and privacy-presERving proximity Tracing protocol. There the two sides in the battle became clear. The next day, Sunday, DP-3T published a criticism of ROBERT’s lack of privacy by design. And some institutions began to disassociate their name from the project.

This Monday, the investigators’ letter was published. Governments must decide whose side they are on. Germany, France and Italy say they have launched projects with private companies that would use PEPP-PT. Other governments that have not transcended would already be working with DP-3T. Still others, like Spain, look with apparent strangeness at what is happening and what may lead to a new bewildering European conflict. Poland has already created its app similar to the one used in Singapore, which in turn is similar to PEPP-PT.

In addition, Apple and Google are in the middle. The ROBERT version pretends that the presumed anonymized codes are given by the authorities, which is a flagrant contradiction and still not resolved. In the decentralized proposal, which Apple and Google follow, those codes would be created on the phone, so that no one, not even the Government, would know who they belong to. From the ROBERT proposal they say instead that those codes will also be held by Apple and Google.

Be that as it may, if Apple does not allow codes not to be created locally on the mobile, ROBERT has a serious problem. Its operating system does not allow to use bluetooth “from behind”, when the phone is not active. Robert’s apps should work with the screen always unlocked, with the danger that this poses if the phone is stolen and battery problems. Governments are in alleged talks with Apple to resolve it. For now, without response.

The war of the tracking app is served. Some governments believe that they cannot miss outbreaks of infections and should be the first to know and transmit possible infections. Epidemiologists linked to DP-3T believe that it is enough that people know their danger and act accordingly. The researchers believe that few will download it if there are no guarantees of good use. The consequences of creating a system that allows you to define with certainty who you’ve been with is potentially dangerous.

“One of the goals of these apps should be respect for privacy. It is necessary because it favors the security of all, by protecting personal data that can be used in the wrong or even malicious way ”, explains Manuel Carro, director of Imdea Software (Madrid) and one of the Spanish signatories of the letter. “But, in addition, otherwise the contact tracking apps would not have the necessary acceptance to be effective: we would lose an opportunity to continue stopping this pandemic and to trust what well-thought-out technology can do. Spain should look at alternatives that comply with European data privacy standards and that are supported largely by the scientific community, “he adds.

“The most important thing is that the fundamental rights of citizens are respected, and that the impact on society of the use of this app is positive. This can only be achieved through a decentralized system, “says Manuela Battaglini, an expert lawyer in privacy. “The government should move away from a centralized option that could lead to the introduction of a permanent surveillance system in our country,” he adds.