European countries have finally managed to agree a common approach to COVID-19 track and trace apps.
After weeks – months! – of guidance, discussion and recommendations from multiple sources, the European Commission announced that EU Member States had found “an interoperability solution for decentralized coronavirus infection tracing and warning apps” via the eHealth network on June 12.
The Commission said the move means that countries will be able to lift travel restrictions between states in time for citizens to take summer holidays. The new specifications cover the vast majority of tracing apps that were already – or are about to be – launched in the EU and the hope is that national apps will work seamlessly across borders.
“As we approach the travel season, it is important to ensure that Europeans can use the app from their own country wherever they are travelling in the EU. Contact tracing apps can be useful to limit the spread of coronavirus, especially as part of national strategies to lift confinement measures,” explained EU Internal Market Commissioner, Thierry Breton.
As expected, the solution follows the decentralized approach to data, but the Commission said it would continue to work with Member States that plan to use centralized tracing apps to ensure some level of interoperability.
The system will rely on a gateway service run by the European Commission – essentially “an interface to efficiently receive and pass on relevant information from national contact tracing apps and servers.”
“This will minimize the amount of data exchanged and thus reduce users’ data consumption. The proximity information shared between apps will be exchanged in an encrypted way that prevents the identification of an individual person, in line with the strict EU guidelines on data protection for apps,” said the Commission.
It will also mean that travelers don’t have to download several different national apps.
Most EU countries have decided to launch mobile apps that are based on a decentralized architecture. This means that information about users who were detected in proximity for a certain duration remains on the phone itself rather than being sent to a centralized database. This is good news for the privacy-conscious.
However, some countries have decided to go down the centralized route. Amnesty International warned that apps distributed by the governments of Bahrain and Kuwait are the most privacy-invasive, while both the UK and Norway were forced to do U-turns and adopt a decentralized approach following public criticism.
Allaying privacy concerns is important: as Health and Food Safety Commissioner Stella Kyriakides explained, getting public buy-in for the apps is crucial to their success. Estimates suggest that at least 60% of the population would need to use an app for it to be effective. “Digital technologies are crucial to alert our citizens about infection risks and break transmission chains as we reopen our societies and economies. I call on our citizens to use them, as these technologies can only be effective if we have a critical mass of users, with interoperability of the applications across EU borders. Data security, fundamental rights and privacy protection in these digital tools will be non-negotiable,” said Kyriakides.
Chair of the European Data Protection Board (EDPB), Andrea Jelinek, also welcomed “the Commission’s initiative to develop a pan-European and coordinated approach as this will help to ensure the same level of data protection for every European citizen, regardless of where he or she lives.”
The EDPB has issued several rounds of advice on how so-called track and trace apps should work and emphasized that they should only share data about individuals that have been diagnosed or tested positive when “triggered by a voluntary action of the user.”
The EDPB considers that the apps should be developed in an accountable way, with a data protection impact assessment documenting all the implemented privacy by design and privacy by default mechanisms. In addition, the source code should be made publicly available for the widest possible scrutiny by the scientific community.
The Bahrain, Kuwait and Norway apps actively track and upload people’s GPS coordinates to centralized servers, a potential security and privacy nightmare. These systems “go far beyond what is justified,” Claudio Guarnieri, head of Amnesty International’s security lab, said in a statement.
The European Commission’s toolbox also sets out Bluetooth specifications for tracking.
“Devices should have an interoperable way to broadcast and sense proximity with other devices enabled with a contact tracing and exposure notification Bluetooth service following the Bluetooth Specification by Apple and Google,” it says.
Furthermore, the “proximity identifier” should change about every 15 minutes to prevent wireless tracking of the device.
By contrast, the apps developed by Kuwait and Bahrain actively track and upload people’s GPS coordinates to centralized databases going “far beyond what is justified,” according to Claudio Guarnieri, head of Amnesty International’s security lab.
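The decentralized matching and the rotating “proximity identifier” described above can be sketched as follows. This is an added example, not code from the Commission’s toolbox or from the Apple and Google specification: it uses HMAC-SHA256 as a stand-in for that specification’s key derivation, and the function names, the derivation label and the sample keys are assumptions constructed for illustration.

```python
import hashlib
import hmac

ROTATION_SECONDS = 15 * 60      # "about every 15 minutes", as stated in the text
DAY_SECONDS = 24 * 60 * 60

def proximity_id(daily_key: bytes, unix_time: int) -> bytes:
    """Identifier a phone broadcasts during the interval containing unix_time."""
    interval = unix_time // ROTATION_SECONDS
    msg = b"proximity-id" + interval.to_bytes(8, "big")   # label is an assumption
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

def ids_for_day(daily_key: bytes, day_start: int) -> set:
    """All identifiers derived from one daily key (96 intervals of 15 minutes)."""
    return {proximity_id(daily_key, t)
            for t in range(day_start, day_start + DAY_SECONDS, ROTATION_SECONDS)}

def count_matches(heard_ids: set, published_keys: dict) -> int:
    """On-device check: how many heard identifiers derive from published keys.

    published_keys maps a diagnosed user's daily key to that day's start time.
    """
    return sum(len(heard_ids & ids_for_day(key, day))
               for key, day in published_keys.items())

def demo() -> dict:
    day = 1_591_920_000                      # constructed: 2020-06-12 00:00 UTC
    alice_key = bytes(range(16))             # constructed daily keys
    bob_key = bytes(range(16, 32))
    at = lambda h, m: day + h * 3600 + m * 60
    # Carol's phone stores only what it hears over Bluetooth; nothing is uploaded.
    heard = {proximity_id(alice_key, at(9, 0)),
             proximity_id(alice_key, at(9, 5)),    # same interval as 09:00
             proximity_id(alice_key, at(9, 20)),   # next interval, new identifier
             proximity_id(bob_key, at(10, 0))}
    return {
        "distinct_ids_heard": len(heard),
        "matches_before_upload": count_matches(heard, {}),
        # Alice tests positive and voluntarily publishes her daily key.
        "matches_after_upload": count_matches(heard, {alice_key: day}),
        "ids_per_day": len(ids_for_day(alice_key, day)),
    }

if __name__ == "__main__":
    print(demo())
```

An observer who hears the 09:00 and 09:20 broadcasts cannot link them without the daily key, and the match against a published key is computed on the phone, which is what keeps the contact list out of a central database.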
In the EU, the Commission’s approach has been so widely adopted that France’s StopCovid app looks like being the only holdout. Although it has been downloaded 1.7 million times since its rollout on 2 June, the app has been dogged by controversy, and CNIL, the national data protection authority, has confirmed that it is looking into the issue and would monitor the situation closely.