Over the last few days, there has been a lot of fuss about the European version of a Corona tracing app and the ever-escalating dissent among the (now often former) members of PEPP-PT, the umbrella organisation for Pan-European Privacy-Preserving Proximity Tracing. If you are wondering what the discussion is about, the following quick overview will bring you up to date.
PEPP-PT aimed at providing a solution for privacy-preserving Corona tracing apps based on proximity tracing. There are several ways such systems can be designed, and these approaches have widely varying privacy properties. A broad variety of prestigious research institutes and universities joined PEPP-PT, e.g., CISPA, ETH Zürich and EPFL. However, many of those institutions, including all of the aforementioned, have since pulled out of PEPP-PT. In addition, more than 300 scientists in over 25 countries have signed an open letter calling for transparent, decentralized proximity tracing, neither of which they (any longer) see in PEPP-PT.
There are two main reasons for the dissent, and both are valid. First, PEPP-PT is highly opaque, and the motives of its leadership are unclear at best. The second reason lies in the technical design of the solution PEPP-PT seems to favor and its critical privacy properties: PEPP-PT appears to prefer a centralized approach, while most researchers emphasize the necessity of a decentralized one.
In a nutshell and rather simplified, the main difference between the approaches can be described as follows. In the centralized approach, an infected user sends to a central server the identifiers of all other participants she has encountered during a given period before she learned of the infection. In the decentralized approach, upon learning of her infection, the infected participant only sends her own identifier to a central server, and all other participants fetch a list of identifiers of infected participants from the server and do the matching locally. Additionally, while both approaches use temporary identifiers, in the centralized approach the server creates those identifiers and is therefore able to trace all participants (infected or not) over time. Furthermore, the PEPP-PT design allows third parties to trace participants even without access to the central server's database. Finally, the centralized approach allows the server to analyze which participants were in the vicinity of which other participants, regardless of whether they are infected or not. DP-3T has published a more comprehensive security and privacy analysis of the proposed design on GitHub.
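To make the difference concrete, here is an added toy simulation of both architectures in Python. It is my own illustration, not code from PEPP-PT or DP-3T, and it simplifies heavily: the identifier derivation (HMAC-SHA256 over a counter) is an assumption and not DP-3T's actual scheme, the three participants Alice, Bob and Carol and their encounters are constructed, and the centralized server's ability to map a pseudonym back to a registered user stands in for whatever registration data a real server would hold. What it shows is what each server ends up holding after one infected user reports: in the decentralized variant the server stores one published secret and no contact graph, while in the centralized variant it learns exactly who met whom.

```python
"""Toy comparison of centralized vs. decentralized proximity tracing.

Added example, not code from PEPP-PT or DP-3T. Only the privacy-relevant
data flows are modelled; Bluetooth, timing and epidemiology are left out.
"""
import hashlib
import hmac
import secrets

EPHIDS_PER_DAY = 8  # constructed: number of rotating identifiers per day


def derive_ephids(daily_secret: bytes, n: int = EPHIDS_PER_DAY) -> list[bytes]:
    # Assumed derivation: HMAC-SHA256 over a counter, truncated to 16 bytes.
    # The one property that matters here is that anyone holding the secret
    # can recompute the identifiers, so matching can happen on the phone.
    return [hmac.new(daily_secret, i.to_bytes(4, "big"), hashlib.sha256).digest()[:16]
            for i in range(n)]


class DecentralizedDevice:
    """Phone in the decentralized design: generates its own identifiers."""

    def __init__(self, name: str):
        self.name = name
        self.daily_secret = secrets.token_bytes(32)  # leaves the phone only on infection
        self.ephids = derive_ephids(self.daily_secret)
        self.slot = 0
        self.observed: set[bytes] = set()  # stays on the phone, never uploaded

    def broadcast(self) -> bytes:
        eph = self.ephids[self.slot % EPHIDS_PER_DAY]
        self.slot += 1
        return eph

    def hear(self, eph: bytes) -> None:
        self.observed.add(eph)

    def exposed(self, published_secrets: list[bytes]) -> bool:
        # Matching is local: the server only ever published the secrets.
        return any(self.observed & set(derive_ephids(s)) for s in published_secrets)


class CentralizedServer:
    """Server in the centralized design: issues identifiers, receives contact lists."""

    def __init__(self):
        self.owner: dict[bytes, str] = {}            # pseudonym -> registered user
        self.contacts: set[tuple[str, str]] = set()   # contact graph in the clear
        self.notify: set[str] = set()

    def register(self, name: str) -> bytes:
        pseud = secrets.token_bytes(16)  # server-issued, hence server-linkable
        self.owner[pseud] = name
        return pseud

    def upload_contacts(self, reporter: bytes, seen: set[bytes]) -> None:
        who = self.owner[reporter]
        for p in seen:
            other = self.owner[p]  # server resolves every uploaded pseudonym
            self.contacts.add((who, other))
            self.notify.add(other)


class CentralizedDevice:
    """Phone in the centralized design: broadcasts a server-issued pseudonym."""

    def __init__(self, name: str, server: CentralizedServer):
        self.name = name
        self.pseud = server.register(name)
        self.observed: set[bytes] = set()

    def broadcast(self) -> bytes:
        return self.pseud

    def hear(self, p: bytes) -> None:
        self.observed.add(p)


def meet(a, b) -> None:
    """Two phones in range exchange whatever they currently broadcast."""
    a.hear(b.broadcast())
    b.hear(a.broadcast())


def run_simulation() -> dict:
    # Constructed scenario: Alice meets Bob and Carol separately; Bob and
    # Carol never meet; Alice later tests positive and reports.
    alice, bob, carol = (DecentralizedDevice(n) for n in ("Alice", "Bob", "Carol"))
    meet(alice, bob)
    meet(alice, carol)
    published = [alice.daily_secret]  # the entire server-side state
    decentralized = {
        "bob_exposed": bob.exposed(published),
        "carol_exposed": carol.exposed(published),
        "server_contact_edges": 0,  # no contact list was ever uploaded
    }

    srv = CentralizedServer()
    a, b, c = (CentralizedDevice(n, srv) for n in ("Alice", "Bob", "Carol"))
    meet(a, b)
    meet(a, c)
    srv.upload_contacts(a.pseud, a.observed)  # Alice uploads everyone she saw
    centralized = {
        "bob_exposed": "Bob" in srv.notify,
        "carol_exposed": "Carol" in srv.notify,
        "server_contact_edges": len(srv.contacts),
        "server_contact_graph": srv.contacts,  # (Alice, Bob), (Alice, Carol)
    }
    return {"decentralized": decentralized, "centralized": centralized}


if __name__ == "__main__":
    for design, result in run_simulation().items():
        print(design, result)
```

Both designs notify Bob and Carol, so the functional outcome is identical; the difference is purely in what the server retains. Note that the decentralized server does learn which daily secret belongs to an infected report, which is the trade-off DP-3T's own analysis discusses, but it never sees the contacts of non-infected users at all.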
Hardly surprisingly, the highly questionable PEPP-PT design has raised red flags with the involved researchers. It is indeed hard to understand why such an inherently flawed design should be adopted when other, more privacy-preserving options (such as DP-3T) that promise comparable performance exist. Last but not least, given that the server collects personal data to an extent that far exceeds what is necessary, it is very questionable whether the proposed centralized approach complies with the GDPR's data minimization requirements.