Governments are focussing on mobile apps as the way forward in the Covid-19 pandemic – but this solution is only as good as the people who are being trusted with the data. Fortunately, one favoured approach enables a decentralised solution.
In its struggle to control the spread of the coronavirus, German health authorities have been lauded for its extensive use of contact tracing. When a person tests positive for Covid-19, everyone that person who has had contact with are called by an employee of the German health department and are then kindly asked to quarantine at home for two weeks.
But this process is labour intensive and requires a lot of people to make it work considering the infection rate of this virus. As society transitions into the next phase of pandemic mitigation, new solutions are required. Among the favoured tools are the so-called “corona apps” as a way to takeover some of the work in contact tracing. For the past weeks, the government’s approach has drawn criticism from security experts, including us, around our virtual water cooler.
Previously, the German government put its stock in a centralised network. This would have collected the data from app users' mobile devices and drawn on it from a server when a patient tested positive. In South Korea, which has also been praised for its effective contact tracing, uses a system that relies on a combination of CCTV data as well as payment data. These kinds of overarching surveillance measures that identify people are not in compliance with Europe's GDPR regulations.
The alternative approach would rely on a rarely used technology that already exists on mobile devices called Bluetooth Low Energy (BLE). As the name implies, everything runs over bluetooth and data only leaves an individual's phone when necessary – such as having to inform people they've been in contact with someone who has tested positive for the virus.
"The technology to run this on a decentralised network of individual mobile devices already exists and we know that it is a reliable way to exchange data without sacrificing privacy," says polypoly CEO and founder Thorsten Dittmar. "We're encouraged to see the German government change its favoured approach to a decentralised infrastructure."
German officials are now touting the benefit of Bluetooth Low Energy, which allows phones – regardless of operating system – to make a note of other phones that they have been near for a certain amount of time. This note is in the form of a “key” exchange from any phones that they encounter for the last two weeks.
When a person tests positive, the patient can then give permission via an app to release the keys and broadcast information to the contacts. Neither telephone number exchange or centralised servers are necessary. All the information that is required is stored on the phone.
As European infrastructure providers race to develop a home-grown solution, the Swiss-based DP3T (Decentralised Privacy-Preserving Proximity Tracing) has emerged as a leader with a concept that complies with GDPR and is designed for privacy. The technology developed by the Federal Institutes of Technology in Lausanne and Zurich plan on releasing the program as an open source protocol on May 11, 2020.
Apps built with DP3T have the advantage that not only is the data privately secured on an individual's device, but it also means that apps using DP3T can also communicate with each other. This is key to reaching the critical mass of users in order to provide effective coverage for a contact-tracing app to properly function. Oxford University's Big Data Institute has said that 60 percent of a population would have to use an app in order for it to be effective.
“These corona apps will be a revival for decentralised network technology, which is really already the basis of essential Internet services such as e-mail, and we also need a plurality of these decentralised apps," adds Dittmar. "As citizens – especially in the larger context of Europe – we are simply too diverse for one app to have a chance of reaching that critical 60 percent coverage."
In Europe, even if each app was released by the country's government for that population, it takes for granted the interconnectivity of European citizens. A decentralised solution would also ensure that more Europeans are protected by these solutions. However, there are already private entities that are developing apps, so the need to incorporate several stakeholders is key to success – and DP3T accommodates a selection of solutions while serving the population.
So a prerequisite for this is that all apps interact with each other and this can be guaranteed through a state certification process.
"If the will is there, this is something that can be implemented at extremely short notice," says Dittmar.
Decentralisation is key to data sovereignty – that is enabling people to control their own digital footprint. Once that privacy is restored, there is the potential to completely change the online landscape and so-called dataconomy.
This is a small, but important step in creating a shift in how data is shared – and with whom. The best possible solution is still in development but it already shares ideas that polypoly has stood for and we are encouraged by what we see.