Offbeat

Legal

Academics: We hate to ask, but could governments kindly refrain from building giant data-slurping, contact-tracing coronavirus monsters?

Decentralise over Bluetooth, say 300 scholars


Hundreds of academics have warned governments around the world not to commission coronavirus contact-tracing apps that collect and store personal data on entire countries' populations.

Published today, the open letter has been signed by professors from 26 countries and urges governments to think about the dangers of building pools of data revealing precisely who you meet, when and where.

Referring to other countries' experiments with contact-tracing apps as a way of halting the spread of the infection, the academics said: "Though the effectiveness of contact tracing apps is controversial, we need to ensure that those implemented preserve the privacy of their users, thus safeguarding against many other issues."

The Register explained in broad terms how the apps work a few days ago. The problem is that there are two competing approaches for contact-tracing apps: a centralised one, where data from the population is concentrated at one hub for analysis; and a decentralised one, where apps tell the user if they have been in contact with someone who has COVID-19.

The academics fear that a centralised approach would either create an irresistible temptation for "mission creep", fuelling the worst authoritarian instincts of governments collecting population-scale social graph data – or simply create a hugely valuable store of that data ripe for criminals, spies and similar undesirables to hack into.

In the letter, the academics warned that the centralised approach could "catastrophically hamper trust in and acceptance of such an application by society at large." If people didn't trust a government-backed app for fear that data harvested from it could be abused for other purposes, they simply wouldn't use it or would find ways of spoofing the data.

On the flip side, trusting the population to input its own medical diagnoses into a decentralised app is a risky approach. Aside from those not wishing to declare their status, for whatever reason, what about those with mild symptoms who might think they've had a bad cold instead of the coronavirus?

"Research has demonstrated that solutions based on sharing geolocation (i.e., GPS) to discover contacts lack sufficient accuracy and also carry privacy risks because the GPS data is sent to a centralized location," said the letter. "For this reason, Bluetooth-based solutions for automated contact tracing are strongly preferred when available."

Google and Apple, two companies not known for their devotion to privacy, have jointly released a set of specs for a Bluetooth-based contact-tracing app. Singapore released, and later open-sourced, a Bluetooth-based app, having explicitly discounted GPS on practical grounds.

The letter, full details of which El Reg can't publish because our version has people's email addresses baked into it for media use, highlighted four consortia whose decentralised approaches it endorsed: the Western world's TCN Coalition; the Swiss-led DP-3T collective, which includes the co-founder of VMware as one of its advisors; and two American academic initiatives, PACT (MIT) and PACT (UW). Despite the similar names, the US organisations are not formally linked.

Trouble at t'monitoring mill

Meanwhile, a contact-tracing app creation collective originally billed as pan-European has started to wobble as it appears to back away from one decentralised approach.

The PEPP-PT project, a German-led initiative that started off backing both centralised and decentralised models for contract-tracing apps, seems to have fallen out big time with the project building its decentralised model, DP-3T.

Cryptography prof Kenny Paterson of DP-3T told The Register the first he knew about PEPP-PT's apparent change of tack was when its organisers stopped talking to him last week, adding that other institutions had seen this and began socially distancing themselves from PEPP-PT as a result: "There was a leaking away of support over the weekend from the international community at the same time as we were getting [today's] letter ready."

Other academics expressed surprise and discomfort last week to El Reg about PEPP-PT's new direction. ®

Send us news
77 Comments

Billions lost to fraud and error during UK's pandemic spending spree

Watchdog orders a rethink in time for the next emergency

Disease X fever infects Davos: WEF to plan response to whatever big pandemic is next

Heads up, this isn't about Elon

COVID-19 infection surge detected in wastewater, signals potential new wave

US, Netherlands, Germany all show spikes while UK no longer collects data

Petaflops help scientists understand why some COVID-19 variants are more contagious

'If we did one of these calculations in our lab, we are talking weeks or months'

FBI boss says COVID-19 'most likely' escaped from lab

Latest claim comes days after Dept of Energy waved finger in China's direction

I was reasonable to ask to WFH in early days of COVID, says fired engineer

Infrastructure company retorts that it is an 'essential' business and cites lack of medical records

Crowds not allowed to leave Shanghai Disneyland without a negative COVID test

Let us go, let us gooooooo

Gartner predicts 9.5% drop in PC shipments

Stark contrast to 11 percent increase year-over-year in 2021 shipments

Back-to-office mandates won't work, says Salesforce's Benioff

As industry and governments push to get workers crammed into commuter trains, glass box edifices, tech boss says: 'Why?'

UK health privacy watchdog still in talks over who is accessing country's COVID data store

Over a year after discussions began, National Data Guardian continues to pursue transparency in health data use

Next six months could set a new pace for work-life balance

The only way to ease transition back to office is reduce the time in the office

ServiceNow ordered a year's worth of hardware to avoid supply chain hassles

CTO shares datacenter secrets with The Reg: NVMe, MariaDB, mid-range x86 CPUs, S3-alike, and more