A row has broken out between two different groups of academics on whether a centralised or decentralised system of contact tracing solution is best for preserving privacy.
Contact tracing and privacy are not natural bedfellows. Most of us just shrug and assume that sacrificing our privacy during the Covid-19 crisis is a cross we must bear. But academics have been busy behind the scenes trying to come up with a contact tracing system in which users’ privacy is preserved. Now two schools of thought have emerged, and it boils down to the difference between centralised and decentralised contact tracing,
On the one side is PEPP-PT. The academics behind this have developed a method for using Bluetooth signals from users’ phones. The signals are not associated with the names of individuals, but rather with unique numbers. In this way, if someone associated with one number tests positive for Covid, it will be possible to tell what other phones have been in the proximity of that person during the period when they were contagious, but without declaring any individual’s identity.
The PEPP-PT system has its advocates. It was reported that the German government was rolling out an app that will build upon PEPP-PT. Meanwhile, in France and Germany another system, again building on this, but called ROBERT is gaining supporters.
One of the academics behind PEPP-PT is Christophe Fraser, who is Professor at the Nuffield Department of Medicine at University of Oxford. He is also working on a UK government contact tracing app via a unit called NHSX.
But PEPPA-PT has its critics. Some of the original academics behind it have resigned. A recent letter signed by 300 academics was highly critical of it.
The main problem with PEPP-PT, according to critics, is that the data collected is stored centrally, and that someone with access to the data could, with sufficient determination and technical nouse, deanonymise the data.
As Michael Veale, a lecturer in digital rights regulation at the UCL Faculty of Law, tweeted, “We don’t know if Bluetooth tracing will truly help fight Covid-19. Some epidemiologists say yes. But we know that centralising data is a recipe for misuse by law enforcement and police, at least in some countries where the rule of law is weak and power grabs are frequent.”
We don't know if Bluetooth tracing will truly help fight COVID-19. Some epidemiologists say yes. But we know that centralising data is a recipe for misuse by law enforcement and police, at least in some countries where the rule of law is weak and power grabs are frequent.
— Michael Veale (@mikarv) April 3, 2020
And that means a new approach, known as DP-3T is emerging for contact tracing. The main difference between this and PEPP-PT is that data relating to each individual is stored on their own phone.
That way it becomes much harder for a third party with less than privacy conscious motives to deanonymise the data.
Both Apple and Google, are looking at adopting an approach to contact tracing that has certain similarities with DP-3T.
But in a document published on GitHub, DP-3Y said: “DP-3T appreciates the endorsement of these two companies for our solution and is happy to work with both of them to implement our app on both platforms.
“But, we also strongly believe that Apple and Google should adopt our subsequent enhancements, detailed in later versions of our white paper, which increase user privacy. We also strongly encourage both companies to allow an external audit of their code to ensure its functionality corresponds to its specification.”
How this one will pan out remains to be seen, but the debate is actually of extreme importance to those who worry that in the battle against Covid-19 we may permanently reduce our privacy and send us one step closer to an Orwellian society.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/