France

A German research institute that’s involved in developing a COVID-19 contacts tracing app with the backing of the national government has released some new details about the work, which suggests the app is being designed as more of a “one-stop shop” to manage coronavirus impacts at an individual level, rather than having a sole function of alerting users to potential infection risk.

Work on the German app began at the start of March, per the Fraunhofer-Gesellschaft institute, with initial funding from the Federal Ministry of Education and Research and the Federal Ministry of Health funding a feasibility study.

In a PDF published today, the research organization reveals the government-backed app will include functionality for health authorities to directly notify users about a COVID-19 test result if they’ve opted in to get results this way.

It says the system must ensure only people who test positive for the virus make their measurement data available to avoid incorrect data being input. For the purposes of “this validation process,” it envisages “a digital connection to the existing diagnostic laboratories is implemented in the technical implementation.”

“App users can thus voluntarily activate this notification function and thus be informed more quickly and directly about their test results,” it writes in the press release (which we’ve translated from German with Google Translate) — arguing that such direct digital notification of tests results will mean that no “valuable time” is lost to curb the spread of the virus.

Governments across Europe are scrambling to get Bluetooth-powered contacts tracing apps off the ground, with apps also in the works from a number of other countries, including the U.K. and France, despite ongoing questions over the efficacy of digital contacts tracing versus such an infectious virus.

The great hope is that digital tools will offer a route out of economically crippling population lockdowns by providing a way to automate at least some contacts tracing — based on widespread smartphone penetration and the use of Bluetooth-powered device proximity as a proxy for coronavirus exposure.

Preventing a new wave of infections as lockdown restrictions are lifted is the near-term goal. Although — in line with Europe’s rights frameworks — use of contacts tracing apps looks set to be voluntary across most of the region, with governments wary about being seen to impose “health surveillance” on citizens, as has essentially happened in China.

However if contacts tracing apps end up larded with features that are deep linking into national health systems, that raises questions about how optional their use will really be.

An earlier proposal by a German consortium of medical device manufacturers, laboratories, clinics, clinical data management systems and blockchain solution providers — proposing a blockchain-based Digital Corona Health Certificate, which was touted as being able to generate “verifiable, certified test results that can be fed into any tracing app” to cut down on false positives — claimed to have backing from the City of Cologne’s public health department, as one example of potential function creep.

In March, Der Spiegel also reported on a large-scale study being coordinated by the Helmholtz Center for Infection Research in Braunschweig, to examine antibody levels to try to determine immunity across the population. Germany’s Robert Koch Institute (RKI) was reportedly involved in that study — and has been a key operator in the national contacts tracing push.

Both RKI and the Fraunhofer-Gesellschaft institute are also involved in parallel German-led pan-EU standardization efforts for COVID-19 contacts tracing apps (called PEPP-PT) that’s been the leading voice for apps to centralize proximity data with governments/health authorities, rather than storing it on users’ device and performing risk processing locally.

As we reported earlier, PEPP-PT and its government backers appear to be squaring up for a battle with Apple over iOS restrictions on Bluetooth.

PEPP-PT bases its claim of being a “privacy-preserving” standard on not backing protocols or apps that use location data or mobile phone numbers — with only arbitrary (but pseudonymized) proximity IDs shared for the purpose of tracking close encounters between devices and potential coronavirus infections.

It has claimed it’s agnostic between centralization of proximity data versus decentralization, though so far the only protocol it’s publicly committed to is a centralized one.

Yet, at the same time, regional privacy experts, the EU parliament and even the European Commission have urged national governments to practice data minimization and decentralized when it comes to COVID-19 contacts tracing in order to boost citizen trust by shrinking associated privacy risks.

If apps are voluntary, citizens’ trust must be earned not assumed, is the key argument. Without substantial uptake the utility of digital contacts tracing seems doubtful.

Apple and Google have also come down on the decentralized side of this debate — outting a joint effort last week for an API and later opt-in system-wide contacts tracing. The first version of their API is slated to be in developers’ hands next week.

Meanwhile, a coalition of nearly 300 academics signed an open letter at the start of this week warning that centralized systems risked surveillance creep — voicing support for decentralized protocols, such as DP-3T: Another contact tracing protocol that’s being developed by a separate European coalition which has been highly critical of PEPP-PT.

And while PEPP-PT claimed recently to have seven governments signed up to its approach, and 40 more in the pipeline, at least two of the claimed EU supporters (Switzerland and Spain) had actually said they will use a decentralized approach.

The coalition has also been losing support from a number of key research institutions which had initially backed its push for a “privacy-preserving” standard, as controversy around its intent and lack of transparency has grown.

Nonetheless, the two biggest EU economies, Germany and France, appear to be digging in behind a push to centralize proximity data — putting Apple in their sights.

Bloomberg reported earlier this week that the French government is pressurizing Apple to remove Bluetooth restrictions for its COVID-19 contacts tracing app which also relies on a “trusted authority” running a central server (we’ve covered the French ROBERT protocol in detail here).

It’s possible Germany and France are sticking to their centralized guns because of wider plans to pack more into these contacts tracing apps than simply Bluetooth-powered alerts — as suggested by the Fraunhofer document.

Access to data is another likely motivator.

“Only if research can access sufficiently valid data it is possible to create forecasts that are the basis for planning further steps against are the spread of the virus,” the institute goes on. (Though, as we’ve written before, the DP-3T decentralized protocol sets out a path for users to opt in to share proximity data for research purposes.)

Another strand that’s evident from the Fraunhofer PDF is sovereignty.

“Overall, the approach is based on the conviction that the state healthcare system must have sovereignty over which criteria, risk calculations, recommendations for action and feedback are in one such system,” it writes, adding: “In order to achieve the greatest possible usability on end devices on the market, technical cooperation with the targeted operating system providers, Google and Apple, is necessary.”

Apple and Google did not respond to requests for comment on whether they will be making any changes to their API as a result of French and German pressure.

Fraunhofer further notes that “full compatibility” between the German app and the centralized one being developed by French research institutes Inria and Inserm was achieved in the “past few weeks” — underlining that the two nations are leading this particular contacts tracing push.

In related news this week, Europe’s Data Protection Board (EDPB) put out guidance for developers of contacts tracing apps, which stressed an EU legal principle related to processing personal data that’s known as purpose limitation — warning that apps need to have purposes “specific enough to exclude further processing for purposes unrelated to the management of the COVID-19 health crisis (e.g., commercial or law enforcement purposes)”.

Which sounds a bit like the regulator drawing a line in the sand to warn states that might be tempted to turn contacts tracing apps into coronavirus immunity passports.

The EDPB also urged that “careful consideration” be given to data minimisation and data protection by design and by default — two other key legal principles baked into Europe’s General Data Protection Regulation, albeit with some flex during a public health emergency.

However the regulatory body took a pragmatic view on the centralization vs decentralization debate — saying both approaches are “viable” in a contacts tracing context, with the key caveat that “adequate security measures” must be in place.