COVID-10 Contact Tracing Apple and Google Must Comply with EU Privacy Laws Using Advanced Cryptography

By
Richard Kastelein
-
0
2274
default
Unfinished European Union Flag puzzle

The European Union wants Apple and Google to remove contact tracing apps that violate users’ privacy from their respective app stores as detailed in a report from 9-5 Mac. The Apps, which are not compulsory, are due to come out on April 28. However, the Legislators in Brussels have already published detailed guidance for the Member States on how to best use cryptography when building contract-tracing applications to help battle the current COVID-19 lockdown restrictions and it’s not clear if Google and Apple are totally compliant yet.

But some countries in the EU are calling for Apple and Google to bypass new privacy legislation to make it more effective.

France’s digital minister, Cédric O, said in an interview with Bloomberg News.

“We’re asking Apple to lift the technical hurdle to allow us to develop a sovereign European health solution that will be tied our health system,” O said.

Germany is,  however,  at odds with the project as they have their own app technology in place based on the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) consortium and an app built by one of its members, the Fraunhofer Heinrich Hertz Institute. Reuters is now reporting that Apple is refusing the EU apps to monitor Bluetooth while running in the background.

“The chancellery is in talks with Apple but so far no solution is in sight,” opposition lawmaker Anke Domscheit-Berg said after parliament’s digital affairs committee was briefed by a government representative on Wednesday.

Apple and Google are using Bluetooth low energy to reduce the tackle the spread of the virus by building a new layer into their existing operating systems. It’s an opt-in system that will appear on iPhones running iOS 13 and Android handsets running Android 6.0 and above from mid-May, which will use Bluetooth low energy to work out when two phones (and therefore phone owners) are in close proximity to each other.

Android and Apple operating systems will ping users if they want to participate in contact tracing and users will also need to download a regional application. The apps will trace anonymous Bluetooth identifiers and have the ability to alert users if a COVID-19 positive case is close by. Both Apple and Google App stores will only allow government organisations to use the contact tracing APIs, enforcing that there will only be one app from the appropriate regional government health organization. Users will not be able to report themselves as positive without some kind of medical verification in order to stop trolls.

Legislators have developed an EU toolbox for the use of mobile applications for contact tracing and warning in response to the coronavirus pandemic – as part of a common coordinated approach, supporting the gradual lifting of confinement measures, as set out in a Commission Recommendation last week. Since the outbreak of the coronavirus pandemic, Member States, backed by the Commission, have been assessing the effectiveness, security, privacy, and data protection aspects of digital solutions to address the crisis. Contact tracing apps, if fully compliant with EU rules and well-coordinated, can play a key role in all phases of crisis management, especially when the time will be ripe to gradually lift social distancing measures. They can complement existing manual contact tracing and help interrupt the transmission chain of the virus. The toolbox is accompanied by guidance on data protection for such mobile apps.

Welcoming the toolbox, Commissioner for Internal Market Thierry Breton said:

“Contact tracing apps to limit the spread of coronavirus can be useful, especially as part of Member States’ exit strategies. However, strong privacy safeguards are a pre-requisite for the uptake of these apps, and therefore their usefulness. While we should be innovative and make the best use of technology in fighting the pandemic, we will not compromise on our values and privacy requirements.”

Commissioner for Health and Food Safety, Stella Kyriakides added:

“Digital tools will be crucial to protect our citizens as we gradually lift confinement measures. Mobile apps can warn us of infection risks and support health authorities with contact tracing, which is essential to break transmission chains. We need to be diligent, creative, and flexible in our approaches to opening up our societies again. We need to continue to flatten the curve – and keep it down. Without safe and compliant digital technologies, our approach will not be efficient.”

The Financial Times writes that this impacts as many as 500 million phones—a quarter of the smartphones in use today and analyst Neil Shah told the newspaper that:

“…most of these users with the incompatible devices hail from the lower-income segment or from the senior segment which actually is more vulnerable to the virus.”

The EU toolbox sets out the essential requirements for these apps:

  • They should be fully compliant with the EU data protection and privacy rules, as put forward by the guidance presented today following consultation with the European Data Protection Board.
  • They should be implemented in close coordination with and approved by, public health authorities.
  • They should be installed voluntarily and dismantled as soon as no longer needed.
  • They should aim to exploit the latest privacy-enhancing technological solutions. Likely to be based on Bluetooth proximity technology, they do not enable tracking of people’s locations.
  • They should be based on anonymised data: They can alert people who have been in proximity for a certain duration to an infected person to get tested or self-isolate, without revealing the identity of the people infected.
  • They should be interoperable across the EU so that citizens are protected even when they cross borders.
  • They should be anchored in accepted epidemiological guidance, and reflect best practice on cybersecurity, and accessibility.
  • They should be secure and effective.

While allowing for easier, quicker and more efficient tracing than traditional systems based on interviews with infected patients, manual tracing will continue to cover citizens who could be more vulnerable to infection but are less likely to have a smartphone, such as elderly or disabled persons.

A common approach to other functionalities, in particular on information and symptom tracking, may be developed in future iterations of the toolbox.

By 30 April 2020, public health authorities will assess the effectiveness of the apps at national and cross-border level. Member States should report on their actions by 31 May 2020 and make the measures accessible to the other Member States and the Commission for peer review. The Commission will assess the progress made and publish periodic reports starting in June 2020 and throughout the crisis, recommending action or the phasing out of measures that seem no longer necessary.

For more information: