The European Commission (EC) has released a document outlining how it believes member countries can best create a smartphone app for tracing contacts to fight the COVID-19 pandemic.
These applications have been adopted by Singapore and India. The United Kingdom, the United States and Australia have all suggested that they will soon follow suit. Apple and Google have weighed in, saying they will adjust their mobile operating systems to help the apps run, a crucial step since current apps use Bluetooth but smartphones don’t allow the wireless protocol to run all the time.
The applications are controversial because their explicit goal is to collect data about users and then share it. But they are also seen as a tool that will help loosen lockdowns because, by retracing the encounters that lead to infections, they have the potential to help understand who should be isolated and who can move more freely.
Enter the EC with a 44-page guide on what these apps should do, how they should do it, and when they could be deployed.
The document holds that these applications can do their job without saving users’ phone numbers. Instead, it suggests that apps broadcast “a temporary anonymous identifier that allows contact with other app users nearby.” Applications will record this anonymous ID and, if a nearby user tests positive for the coronavirus and consents to their data being shared, other devices that have picked up the anonymous ID will receive a notification. The document suggests that users can potentially enter other contact information if they want more than a notification in case they receive disturbing news.
The EC is in no hurry. It suggested that the schedule is to organize bi-weekly meetings which, during the month of May, will provide a security recommendation and, in June, will provide data-sharing standards that will help authorities plan exit strategies.
There is also a list of guarantees that the EC considers applications should include, namely:
- The app should be automatically deactivated and all remaining personal and proximity data should be erased as soon as the crisis is over.
- The application must be based on consent, with full information on the planned data processing.
- Location data is not necessary or recommended for the purpose of contact tracing applications, as their purpose is not to track the movements of individuals or to enforce prescriptions. Collecting an individual’s movements in the context of contact tracing applications would violate the principle of data minimization and create major security and confidentiality problems.
- The application must ensure that no user knows the identity of the infected persons or the close contacts of the infected persons.
- In order to improve confidentiality and security, proximity data (close contacts) should only be stored on the device and deleted after the relevant epidemiological period recommended by the ECDC (14-16 days). It is only after a user has been confirmed infected that the proximity data of this user can be uploaded to the central server and / or the competent health authorities, depending on the system chosen by the Member State.
- The ephemeral identifiers transmitted between the devices via BLE must be generated in a pseudo-random manner and modified periodically. They must not allow any user to identify the user of the specific device or to associate several signals with the same device.
- Pseudonyms should not be linked to long-term personally identifiable information (PII).
- The application should encrypt data as much as possible to improve security and privacy.
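To make the identifier and storage items in this list concrete, here is a small added sketch, not code from the EC document or from any real app. It assumes the variant in which a confirmed user uploads only their own broadcast IDs and matching happens on each phone; the `Device` class, its method names and the 15-minute rotation period are hypothetical, while the 14-day retention comes from the period cited above.

```python
import secrets
from dataclasses import dataclass, field

ROTATION_SECONDS = 15 * 60          # assumed; the list only says "modified periodically"
RETENTION_SECONDS = 14 * 24 * 3600  # lower bound of the 14-16 day period in the list


@dataclass
class Device:
    """Hypothetical on-device state for one app install."""
    own_ids: dict = field(default_factory=dict)   # interval index -> ID we broadcast
    observed: dict = field(default_factory=dict)  # ID heard over BLE -> time last heard

    def current_id(self, now: int) -> bytes:
        # A fresh CSPRNG value per interval: IDs cannot be linked to each
        # other and are derived from no phone number or other long-term PII.
        interval = now // ROTATION_SECONDS
        if interval not in self.own_ids:
            self.own_ids[interval] = secrets.token_bytes(16)
        return self.own_ids[interval]

    def hear(self, eph_id: bytes, now: int) -> None:
        # Proximity data stays on the device; no location is recorded.
        self.observed[eph_id] = now

    def purge(self, now: int) -> None:
        # Delete everything older than the retention window.
        cutoff = now - RETENTION_SECONDS
        self.observed = {i: t for i, t in self.observed.items() if t >= cutoff}
        self.own_ids = {k: v for k, v in self.own_ids.items()
                        if (k + 1) * ROTATION_SECONDS > cutoff}

    def upload_after_diagnosis(self, consent: bool, now: int) -> list:
        # Only a confirmed, consenting user releases anything, and then
        # only the random IDs that are still inside the retention window.
        if not consent:
            return []
        self.purge(now)
        return list(self.own_ids.values())

    def exposed(self, published_ids: list, now: int) -> bool:
        # Matching is local: the device learns that it was near a case,
        # not who the case was.
        self.purge(now)
        return any(i in self.observed for i in published_ids)
```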
There is also a call for independent review of applications by technical experts, open source applications and many comments on this software in addition to manual contact tracing. The document also cites an Oxford study that suggests that 60% of the national population will have to adopt the application for it to be effective.
The document is sufficiently long and careful to be almost a cliché of the European approach to administration! However, it is also as complete a statement of the pitfalls and potential demands as your humble hack has yet seen on the subject. I suspect it will be more than influential in the weeks to come.
One last thing: the document suggests that although Apple and Google have caused a stir with their announcement of plans to help contact tracing applications, it seems that the precise details of what they will offer are hard to guess. The Register suggests that the first item on the EC task list is “to seek clarification on the solution offered by Google and Apple regarding the contact search functionality on Android and iOS in order to ensure that their initiative is compatible with the common EU approach.” ®