Germany has U-turned on building a centralized COVID-19 contacts tracing app -- and will instead adopt a decentralized architecture, Reuters reported Sunday, citing a joint statement by chancellery minister Helge Braun and health minister Jens Spahn.
In Europe in recent weeks, a battle has raged between different groups backing centralized vs decentralized infrastructure for apps being fast-tracked by governments which will use Bluetooth-based smartphone proximity as a proxy for infection risk -- in the hopes of supporting the public health response to the coronavirus by automating some contacts tracing.
Centralized approaches that have been proposed in the region would see pseudonymized proximity data stored and processed on a server controlled by a national authority, such as a healthcare service. However concerns have been raised about allowing authorities to scoop up citizens' social graph, with privacy experts warning of the risk of function creep and even state surveillance.
Decentralized contacts tracing infrastructure, by contrast, means ephemeral IDs are stored locally on device -- and only uploaded with a user's permission after a confirmed COVID-19 diagnosis. A relay server is used to broadcast infected IDs -- enabling devices to locally compute if there's a risk that requires notification. So social graph data is not centralized.
The change of tack by the German government marks a major blow to a homegrown standardization effort, called PEPP-PT, that had been aggressively backing centralization -- while claiming to 'preserve privacy' on account of not tracking location data. It quickly scrambled to propose a centralized architecture for tracking coronavirus contacts, led by Germany's Fraunhofer Institute, and claiming the German government as a major early backer, despite PEPP-PT later saying it would support decentralized protocols too.
As we reported earlier, the effort faced strident criticism from European privacy experts -- including a group of academics developing a decentralized protocol called DP-3T -- who argue p2p architecture is truly privacy preserving. Concerns were also raised about a lack of transparency around who is behind PEPP-PT and the protocols they claimed to support, with no code published for review.
The European Commission, meanwhile, has also recommended the use of decentralization technologies to help boost trust in such apps in order to encourage wider adoption.
EU parliamentarians have also warned regional governments against trying to centralize proximity data during the coronavirus crisis.
But it was Apple and Google jumping into the fray earlier this month by announcing joint support for decentralized contacts tracing that was the bigger blow -- with no prospect of platform-level technical restrictions being lifted. iOS limits background access to Bluetooth for privacy and security reasons, so national apps that do not meet this decentralized standard won't benefit from API support -- and will likely be far less usable, draining battery and functioning only if actively running.
Nonetheless PEPP-PT told journalists just over a week ago that it was engaged in fruitful discussions with Apple and Google about making changes to their approach to accommodate centralized protocols.
Notably, the tech giants never confirmed that claim. They have only since doubled down on the principle of decentralization for the cross-platform API for public health apps -- and system-wide contacts tracing which is due to launch next month.
At the time of writing PEPP-PT's spokesman, Hans-Christian Boos, had not responded to a request for comment on the German government withdrawing support.
Boos previously claimed PEPP-PT had around 40 governments lining up to join the standard. However in recent days the momentum in Europe has been going in the other direction. A number of academic institutions that had initially backed PEPP-PT have also withdrawn support.
In a statement emailed to TechCrunch, the DP-3T project welcomed Germany's U-turn. "DP-3T is very happy to see that Germany is adopting a decentralized approach to contact tracing and we look forward to its next steps implementing such a technique in a privacy preserving manner," the group told us.
Berlin's withdrawal leaves France and the UK the two main regional backers of centralized apps for coronavirus contacts tracing. And while the German U-turn is certainly a hammer blow for the centralized camp in Europe the French government appears solid in its support -- at least for now.
France has been developing a centralized coronavirus contacts tracing protocol, called ROBERT, working with Germany's Fraunhofer Institute and others.
In an opinion issued Sunday, France's data protection watchdog, the CNIL, did not take active issue with centralizing pseudonymized proximity IDs -- saying EU law does not in principle forbid such a system -- although the watchdog emphasized the need to minimize the risk of individuals being re-identified.
It's notable that France's digital minister, Cédric O, has been applying high profile public pressure to Apple over Bluetooth restrictions -- telling Bloomberg last week that Apple's policy is a blocker to the virus tracker.
Yesterday O was also tweeting to defend the utility of the planned 'Stop Covid' app.
« Oui l'application #StopCovid est utile ». Volontaire, anonyme, transparente et temporaire, elle apporte les garanties de protection des libertés individuelles. À la disposition des acteurs sanitaires, elle les aidera dans la lutte contre le #COVID19 https://t.co/12xYG5Z8ZC
— Cédric O (@cedric_o) April 26, 2020
We reached out to France's digital ministry for comment on Germany's decision to switch to a decentralized approach but at the time of writing the department had not responded.
In a press release today the government highlights the CNIL view that its approach is compliant with data protection rules, and commits to publishing a data protection impact assessment ahead of launching the app.
If France presses ahead it's not clear how the country will avoid its app being ignored or abandoned by smartphone users who find it irritating to use. (Although it's worth noting that Google's Android platform has a substantial marketshare in the market, with circa 80% vs 20% for iOS, per Kantar.)
A debate in the French parliament tomorrow is due to include discussion of contacts tracing apps.
We've also reached out to the UK's NHSX -- which has been developing a COVID-19 contacts tracing app for the UK market -- and will update this report with any response.
In a blog post Friday the UK public healthcare unit's digital transformation division said it's "working with Apple and Google on their welcome support for tracing apps around the world", a PR line that entirely sidesteps the controversy around centralized vs decentralized app infrastructures.
The UK has previously been reported to be planning to centralize proximity data -- raising questions about the efficacy of its planned app too, given iOS restrictions on background access to Bluetooth.
"As part of our commitment to transparency, we will be publishing the key security and privacy designs alongside the source code so privacy experts can 'look under the bonnet' and help us ensure the security is absolutely world class," the NHSX's Matthew Gould and Dr Geraint Lewis added in the statement.
Update: The NHSX still hasn't responded to the questions we sent it this morning about how the app will function but a spokesperson has now told the BBC it intends to push ahead with a centralized approach -- and is planning to make use of a workaround to mitigate iOS restrictions by waking up the app in the background every time the phone detects another device running the same software.
Per the BBC: "It then executes some code before returning to a dormant state. This all happens at speed, but there is still an energy impact. By contrast, Apple's own solution allows the matching to be done without the app having to wake up at all."
When we followed up with NHSX's press office to ask why we hadn't received a response to our questions we were CC'd into another email to additional comms staff, one of whom responded to the group email without realizing our email address was included in the thread -- writing: "I thought a line hadn’t been cleared? I checked the NHSEI process earlier and one hadn’t been through there."
Update 2: The NHSX has now emailed the following statement, attributed to a spokesperson: "Engineers have met several core challenges for the app to meet public health needs and support detection of contact events sufficiently well, including when the app is in the background, without excessively affecting battery life. This has been achieved using standard Google and Apple published API while adhering to the Bluetooth Low Energy Standard 4.0 and above.”
The NHSX spokesman also pointed to a line in the BBC report which claims Apple does not oppose the NHSX's own effort -- and has supported the UK team -- but still believes its own solution is much more power-efficient.