
Centralized or Decentralized, All Tracking Apps Fall Foul of the Same Vulnerability – User Error

Although “there’s no clear evidence that use of contact tracing apps will help us contain the spread of COVID-19,” according to digital rights NGO Access Now, governments around the globe have nonetheless decided that’s what they are going to try.

So-called track and trace apps are in various stages of deployment in different countries – Privacy International has done an impressive job keeping on top of the dozens of different developments – but the biggest debate that has emerged is centralized versus decentralized tracking.

There are several ways a smartphone can track someone’s location, but for the purposes of fighting the COVID-19 pandemic, Bluetooth technology has come out on top. Yet despite this consensus, there are several different ways of tracking and storing the data needed to assess the spread of the virus.

Essentially, centralized tracking would see all the data uploaded to a centralized database and notifications to users managed from there, whereas with decentralized tracking, the data remains on the users’ own device.

MEP Birgit Sippel, who firmly supports a decentralized approach, said however that “currently, there is a serious lack of clarity on how these apps would function and what their added value would be.”

“Any potential app would have to be voluntary and have data protection, data minimization and privacy built-in by design. Non-users must not face any disadvantages, such as being denied access to shops or transport systems, as a result of their free choice. Apps would have to be used for the sole purpose of contact tracing, with no access for commercial players or law enforcement authorities to the data,” she said.

These privacy guidelines are broadly supported by many EU institutions including the European Data Protection Supervisor, the European Data Protection Board, a European Parliament plenary resolution, as well as the Council of Europe’s data protection “Convention 108” committee.

Most European countries, including front runner Germany, have opted for the more privacy-protecting decentralized approach of doing “proximity matching” directly on people’s own phones.

Controversially, however, the UK Government has begun testing a centralized app. “They did this without explaining how they will minimize privacy risks,” said the Open Rights Group (ORG), which has made a legal request for a Data Protection Impact Assessment.

As well as the data protection concerns raised by the centralized database, this approach also risks being incompatible with other apps developed around the continent.

“A fragmented and uncoordinated approach to contact tracing apps risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing adverse effects to the single market and to fundamental rights and freedoms,” warns the European Commission’s “common EU toolbox” – something it felt it was necessary to publish as member states started to take wildly differing approaches.

EPP MEP Axel Voss went even further, calling for “a single European app, which is in line with our data protection standards.”

“We must minimize the risk of fragmentation, as these apps will be used across the EU as soon as the European borders are open again,” he said. Indeed, the Commission toolbox insists that apps should be interoperable.

Downloading the app should also be voluntary, according to the toolbox. However, the World Health Organization and Oxford University researchers both say that in order to be effective, any app would have to be used by at least 60% of the population. In other words, says Access Now, “these apps cannot be helpful unless people trust that they are not a vector for harmful surveillance and therefore feel free to put them to use.”

It’s worth noting that “voluntary” doesn’t just mean “not legally required”. For example, if employers start insisting that a person’s job depends on them installing the app, it can hardly be considered truly voluntary.

Whether or not people will feel comfortable downloading an app will strongly depend on how secure they feel it is, not just in terms of where their data is stored and who can legally access it, but also how long it is stored for. The risks do not just occur at the time the data is collected, but continue as long as it is stored and continues to be a potential target for malicious actors.

Again the Commission toolbox wants specific technical requirements for encryption, communications security, user authentication, and so on to be overseen by ENISA, Europe’s cybersecurity agency.

Louis-James Davis, CEO of cybersecurity company VST Enterprises, said that hacking should be a major concern whether data is centralized or decentralized.

“The issues surrounding a hack and the manipulation of data from a rogue state is a major security issue and concern, given all of what we know about the interference with election results. Such manipulation could further damage the country with the perceived threat of a second or third wave of the virus forcing the country into tough lockdown measures again and creating economic hardship,” he said.

Meanwhile with decentralized apps, “each phone or smart device handset are themselves subject to a wider brute force attack using Bluetooth hacks and malware,” he added.

But even the most privacy-protecting, secure app will not prevent the spread of COVID-19 if people don’t use it diligently – and many will have legitimate reasons for not wanting to leave an app switched on on their phone all the time. Some people do not have smartphones at all. Many will stop using an app if they perceive it is preventing them from accessing other services such as public transport.

And all that is assuming they will even work as designed. There are inherent differences between Bluetooth proximity tracking and the likelihood of catching the virus. Bluetooth can detect signals through walls, floors and glass, cases where COVID-19 transmission is impossible. It is therefore likely that apps will record a number of false positives. If the data is stored on an individual’s own device, that may allow them to make a more informed assessment of the likelihood of infection in a way that a notification from a centralized database may not.

The speed at which people receive notifications is also important. If someone is not notified that they may have come in contact with COVID-19 for several days, they may well feel that the damage has already been done.


Using the technology at our disposal to help prevent the spread of COVID-19 is a no-brainer. But overreliance on fallible apps, that in themselves pose risks, is not the solution either. The virus is spread by humans and it is the actions of human beings, not technology, that will determine how, when and if, it is overcome.