Tech With Viral

Friday, 17 April 2020

Europe’s PEPP-PT COVID-19 contacts tracing standard push could be squaring up for a fight with Apple and Google

A coalition of EU scientists and technologists that’s developing what’s billed as a “privacy-preserving” standard for Bluetooth-based proximity tracking, as a proxy for COVID-19 infection risk, wants Apple and Google to make changes to an API they’re developing for the same overarching purpose.

The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) uncloaked on April 1, calling for developers of contacts tracing apps to get behind a standardized approach to processing smartphone users’ data to co-ordinate digital interventions across borders and shrink the risk of overly intrusive location-tracking tools gaining momentum as a result of the pandemic.

PEPP-PT said today it has seven governments signed up to apply its approach to national apps, with a claimed pipeline of a further 40 in discussions about joining.

“We now have a lot of governments interacting,” said PEPP-PT’s Hans-Christian Boos, speaking during a webinar for journalists. “Some governments are publicly declaring that their local applications will be built on top of the principles of PEPP-PT and also the various protocols supplied inside this initiative.

“We know of seven countries that have already committed to do this — and we’re currently in conversation with 40 countries that are in various states of onboarding.”

Boos said a list of the governments would be shared with journalists, though at the time of writing we haven’t seen it. But we’ve asked PEPP-PT’s PR firm for the info and will update this report when we get it.

“The pan-European approach has worked,” he added. “Governments have decided at a speed previously unknown. But with 40 more countries in the queue of onboarding we definitely have outgrown just the European focus — and to us this shows that privacy as a model and as a discussion point… is a statement and it is something that we can export because we’re credible on it.”

Paolo de Rosa, the CTO at the Ministry of Innovation Technology and Digital Transformation for the Italian government, was also on the webinar — and confirmed its national app will be built on top of PEPP-PT.

“We will have an app soon and obviously it will be based on this model,” he said, offering no further details.

PEPP-PT’s core ‘privacy-preserving’ claim rests on the use of system architectures that do not require location data to be collected. Rather devices that come near each other would share pseudonymized IDs — which could later be used to send notifications to an individual if the system calculates an infection risk has occurred. An infected individual’s contacts would be uploaded at the point of diagnosis — allowing notifications to be sent to other devices they had come into contact with.

Boos, a spokesman for and coordinator of PEPP-PT, told TechCrunch earlier this month the project will support both centralized and decentralized approaches. The former meaning IDs are uploaded to a trusted server, such as one controlled by a health authority; the latter meaning IDs are held locally on devices, where the infection risk is also calculated — a backend server is only in the loop to relay info to devices.

It’s just such a decentralized contacts tracing system that Apple and Google are collaborating on supporting — fast-following PEPP-PT last week by announcing a plan for cross-platform COVID-19 contacts tracing via a forthcoming API and then a system-wide (opt-in) for Bluetooth-based proximity tracking.

That intervention, by the only two smartphone platforms that matter when the ambition is mainstream app adoption, is a major development — putting momentum in the Western world behind decentralized contacts tracing for responding digitally to the coronavirus crisis, certainly at the platform level.

In a resolution passed today the European parliament also called for a decentralized approach to COVID-19 proximity tracking. MEPs are pushing for the Commission and Member States to be “fully transparent on the functioning of contact tracing apps, so that people can verify both the underlying protocol for security and privacy, and check the code itself to see whether the application functions as the authorities are claiming”. (The Commission has previously signalled a preference for decentralization too.)

However backers of PEPP-PT, which include at least seven governments (and the claim of many more), aren’t giving up on the option of a “privacy-preserving” centralized option — which some in their camp are dubbing ‘pseudo-decentralized’ — with Boos claiming today that discussions are ongoing with Apple and Google about making changes to their approach.

As it stands, contacts tracing apps that don’t use a decentralized infrastructure won’t be able to carry out Bluetooth tracking in the background on Android or iOS — as the platforms limit how general apps can access Bluetooth. This means users of such apps would have to have the app open and active all the time for proximity tracking to function, with associated (negative) impacts on battery life and device usability.

There are also (intentional) restrictions on how contracts tracing data could be centralized, as a result of the relay server model being deployed in the joint Apple-Google model.

“We very much appreciate that Google and Apple are stepping up to making the operating system layer available — or putting what should be the OS actually there, which is the Bluetooth measurement and the handling of crypto and the background running of such tasks which have to keep running resiliently all the time — if you look at their protocols and if you look at whom they are provided by, the two dominant players in the mobile ecosystem, then I think that from a government perspective especially, or from lots of government perspectives, there is many open points to discuss,” said Boos today.

“From a PEPP-PT perspective there’s a few points to discuss because we want choice and implementing choice in terms of model — decentralized or centralized on top of their protocol creates actually the worst of both worlds — so there are many points to discuss. But contrary to the behavior that many of us who work with tech companies are used to Google and Apple are very open in these discussions and there’s no point in getting up in arms yet because these discussions are ongoing and it looks like agreement can be reached with them.”

It wasn’t clear what specific changes PEPP-PT wants from Apple and Google — we asked for more detail during the webinar but didn’t get a response. But the group and its government backers may be hoping to dilute the tech giants’ stance to make it easier to create centralized graphs of Bluetooth contacts to feed national coronavirus responses.

As it stands, Apple and Google’s API is designed to block contact matching on a server — though there might still be ways for governments (and others) to partially workaround the restrictions and centralize some data.

We reached out to Apple and Google with questions about the claimed discussions with PEPP-PT. At the time of writing neither had responded.

As well as Italy, the German and French governments are among those that have indicated they’re backing PEPP-PT for national apps — which suggests powerful EU Member States could be squaring up for a fight with the tech giants, along the lines of Apple vs the FBI, if pressure to tweak the API fails.

Another key strand to this story is that PEPP-PT continues to face strident criticism from privacy and security experts in its own backyard — including after it removed a reference to a decentralized protocol for COVID-19 contacts tracing that’s being developed by another European coalition, comprised of privacy and security experts, called DP-3T.

Coindesk reported on the silent edit to PEPP-PT’s website yesterday.

Backers of DP-3T have also repeatedly queried why PEPP-PT hasn’t published code or protocols for review to-date — and even gone so far as to dub the effort a ‘trojan horse’.

#DP3T entered as a candidate to so-called PEPP-PT in good faith, but it is now clear that powerful actors pushing centralised databases of Bluetooth contact tracing do not, and will not, act in good faith.

PEPP-PT is a Trojan horse.

— Michael Veale (@mikarv) April 16, 2020

ETH Zürich’s Dr. Kenneth Paterson, who is both a part of the PEPP-PT effort and a designer of DP-3T, couldn’t shed any light on the exact changes the coalition is hoping to extract from ‘Gapple’ when we asked.

“They’ve still not said exactly how their system would work, so I can’t say what they would need [in terms of changes to Apple and Google’s system],” he told us in an email exchange.

Today Boos couched the removal of the reference to DP-3T on PEPP-PT’s website as a mistake — which he blamed on “bad communication”. He also claimed the coalition is still interested in including the former’s decentralized protocol within its bundle of standardized technologies. So the already sometimes fuzzy lines between the camps continue to be redrawn. (It’s also interesting to note that press emails to Boos are now being triaged by Hering Schuppener; a communications firm that sells publicity services including crisis PR.)

“We’re really sorry for that,” Boos said of the DP-3T excision. “Actually we just wanted to put the various options on the same level that are out there. There are still all these options and we very much appreciate the work that colleagues and others are doing.

“You know there is a hot discussion in the crypto community about this and we actually encourage this discussion because it’s always good to improve on protocols. What we must not lose sight of is… that we’re not talking about crypto here, we’re talking about pandemic management and as long as an underlying transport layer can ensure privacy that’s good enough because governments can choose whatever they want.”

Boos also said PEPP-PT would finally be publishing some technical documents this afternoon — opting to release information some three weeks after its public unveiling and on a Friday evening (a 7-page ‘high level overview’ has since been put on their Github here — but still a far cry from code for review) — while making a simultaneous plea for journalists to focus on the ‘bigger picture’ of fighting the coronavirus rather than keep obsessing over technical details.

During today’s webinar some of the scientists backing PEPP-PT talked about how they’re testing the efficacy of Bluetooth as a proxy for tracking infection risk.

“The algorithm that we’ve been working on looks at the cumulative amount of time that individuals spend in proximity with each other,” said Christophe Fraser, professor at the Nuffield Department of Medicine and Senior Group Leader in Pathogen Dynamics at the Big Data Institute, University of Oxford, offering a general primer on using Bluetooth proximity data for tracking viral transmission.

“The aim is to predict the probability of transmission from the phone proximity data. So the ideal system reduces the requested quarantine to those who are the most at risk of being infected and doesn’t give the notification — even though some proximity event was recorded — to those people who’re not at risk of being infected.”

“Obviously that’s going to be an imperfect process,” he went on. “But the key point is that in this innovative approach that we should be able to audit the extent to which that information and those notifications are correct — so we need to actually be seeing, of the people who have been sent the notification how many of them actually were infected. And of those people who were identified as contacts, how many weren’t.

“Auditing can be done in many different ways for each system but that step is crucial.”

Evaluating the effectiveness of the digital interventions will be vital, per Fraser — whose presentation could have been interpreted as making a case for public health authorities to have fuller access to contacts graphs. But it’s important to note that DP-3T’s decentralized protocol makes clear provision for app users to opt-in to voluntarily share data with epidemiologists and research groups to enable them to reconstruct the interaction graph among infected and at risk users (aka to get access to a proximity graph).

“It’s really important that if you’re going to do an intervention that is going to affect millions of people — in terms of these requests to [quarantine] — that that information be the best possible science or the best possible representation of the evidence at the point at which you give the notification,” added Fraser. “And therefore as we progress forwards that evidence — our understanding of the transmission of the virus — is going to improve. And in fact auditing of the app can allow that to improve, and therefore it seems essential that that information be fed back.”

None of the PEPP-PT aligned apps that are currently being used for testing or reference are interfacing with national health authority systems, per Boos — though he cited a test in Italy that’s been plugged into a company’s health system to run tests.

“We have supplied the application builders with the backend, we have supplied them with sample code, we have supplied them with protocols, we have supplied them with the science of measurement, and so on and so forth. We have a working application that simply has no integration into a country’s health system — on Android and on iOS,” he noted.

On its website PEPP-PT lists a number of corporate “members” as backing the effort — including the likes of Vodafone — alongside several research institutions including Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI) which has been reported as leading the effort.

The HHI’s executive director, Thomas Wiegand, was also on today’s call. Notably, his name initially appeared on the authorship list for the DP-3T’s White Paper. However on April 10 he was removed from the README and authorship list, per its Github document history. No explanation for the change was given.

During today’s press conference Wiegand made an intervention that seems unlikely to endear him to the wider crypto and digital rights community — describing the debate around which cryptography system to use for COVID-19 contacts tracing as a ‘side show’ and expressing concern that what he called Europe’s “open public discussion” might “destroy our ability to get ourselves as Europeans out of this”.

“I just wanted to make everyone aware of the difficulty of this problem,” he also said. “Cryptography is only one of 12 building blocks in the system. So I really would like to have everybody go back and reconsider what problem we are in here. We have to win against this virus… or we have another lockdown or we have a lot of big problems. I would like to have everybody to consider that and to think about it because we have a chance if we get our act together and really win against the virus.”

The press conference had an even more inauspicious start after the Zoom call was disrupted by racist spam in the chat field. Right before that Boos had kicked off the call saying he had heard from “some more technically savvy people that we should not be using Zoom because it’s insecure — and for an initiative that wants security and privacy it’s the wrong tool”.

“Unfortunately we found out that many of our international colleagues only had this on their corporate PCs so over time either Zoom has to improve — or we need to get better installations out there. It’s certainly not our intention to leak the data on this Zoom,” he added.

from Apple – TechCrunch https://ift.tt/3agrPwi

Apple Music’s web interface exits beta

Apple has done a good job closing the gap between Spotify and its own music streaming service. But the former still maintains some advantages, a list that until recently included a robust web interface. As a Spotify user myself, I find myself frequently using the browser interface on different devices.

Apple’s been working on its own version of course, but for the past six months, it’s only been available as a beta. The interface dropped that tag today, officially going live sans-beta URL. As noted by MacRumors, the interface looks nearly identical to the desktop app, but bringing it to browsers allows for a lot more cross-platform flexibility.

Once logged in with an Apple ID, your music library should be visible. The news also comes Apple prepares for tonight’s One World: Together at Home concert, cohosted by three late night comedians and featuring everyone from Paul McCartney and Elton John to Lady Gaga and Lizzo.

from Apple – TechCrunch https://ift.tt/3aje8g2

Thursday, 16 April 2020

Apple adds macOS feature designed to prolong the lifespan of MacBook batteries

Apple is adding a new Battery Health Management feature to the latest version of macOS Catalina. The arrival of 10.15.5 will bring the new feature, which is designed to increase the overall lifespan of MacBook batteries by reducing the maximum charge in certain instances.

Rather than focusing on things like specific app usage, the feature determines battery health based on charging patterns and temperature history. That means if you’re the kind of users who constantly has their laptop plugged in during use (as a majority of us currently do, thanks to stay at home orders), you may be the prime target.

The feature is designed to primarily operate in the background, though users will be able to toggle it on and off in the Energy Saver Preferences under settings. It’s designed have a limited impact on device charging time. No word on how it will ultimately impact the battery’s lifespan. System performance, on the other hand, should be unaffected.

The feature is rolling out as part of the developer seed today and will be included in the final version of 10.15.5. It’s compatible with all MacBook models sporting Thunderbolt 3.

from Apple – TechCrunch https://ift.tt/2VdwgU7

New Google Play policies to cut down on ‘fleeceware,’ deepfakes, and unnecessary location tracking

Google is today announcing a series of policy changes aimed at eliminating untrustworthy apps from its Android app marketplace, the Google Play store. The changes are meant to give users more control over how their data is used, tighten subscription policies, and help prevent deceptive apps and media — including those involving deepfakes — from becoming available on the Google Play Store.

Background Location

The first of these new policies is focused on the location tracking permissions requested by some apps.

Overuse of location tracking has been an area Google has struggled to rein in. In Android 10, users were able to restrict apps’ access to location while the app was in use, similar to what’s been available on iOS. With the debut of Android 11, Google decided to give users even more control with the new ability to grant a temporary “one-time” permission to sensitive data, like location.

In February, Google said it would also soon require developers to get user permission before accessing background location data, after noting that many apps were asking for unnecessary user data. The company found that a number of these apps would have been able to provide the same experience to users if they only accessed location while the app was in use — there was no advantage to running the app run in the background.

Of course, there’s an advantage for developers who are collecting location data. This sort of data can be sold to third-party through trackers that supply advertisers with detailed information about the app’s users, earning the developer additional income.

The new change to Google Play policies now requires that developers get approval to access background location in their app.

But Google is giving developers time to comply. It says no action will be taken for new apps until August 2020 or on existing apps until November 2020.

“Fleeceware”

A second policy is focused on subscription-based apps. Subscriptions have become a booming business industry-wide. They’re often a better way for apps to generate revenue as opposed to other monetization methods — like paid downloads, ads, or in-app purchases.

However, many subscription apps are duping users into paying by not making it easy or obvious how to dismiss a subscription offer in order to use the free parts of an app, or not being clear about subscription terms or the length of free trials, among other things.

The new Google Play policy says developers will need to be explicit about their subscription terms, trials and offers, by telling users the following:

Whether a subscription is required to use all or parts of the app. (And if not required, allow users to dismiss the offer easily.)
The cost of the subscription
The frequency of the billing cycle
Duration of free trials and offers
The pricing of introductory offers
What is included with a free trial or introductory offer
When a free trial converts to a paid subscription
How users can cancel if they do not want to convert to a paid subscription

That means the “fine print” has to be included on the offer’s page, and developers shouldn’t use sneaky tricks like lighter font to hide the important bits, either.

For example:

This change aim to address the rampant problem with “fleeceware” across the Google Play store. Multiple studies have shown subscription apps have gotten out of control. In fact, one study from January stated that over 600 million Android users had installed “fleeceware” apps from the Play Store. To be fair, the problem is not limited to Android. The iOS App Store was recently found to have an issue, too, with more than 3.5 million users having installed “fleeceware.”

Developers have until June 16, 2020 to come into compliance with this policy, Google says.

Deepfakes

The final update has to do with the Play Store’s “Deceptive Behavior” policy.

This wasn’t detailed in Google’s official announcements about the new policies, but Google tells us it’s also rolling out updated rules around deceptive content and apps.

Before, Google’s policy was used to restrict apps that tried to deceive users — like apps claiming a functionally impossible task, those that lied in their listing about their content or features, or those that mimicked the Android OS, among others.

The updated policy is meant to better ensure all apps are clear about their behavior once their downloaded. In particular, it’s meant to prevent any manipulated content (aka “deepfakes”) from being available on the Play Store.

Google tells us this policy change won’t impact apps that allow users to make deepfakes that are “for fun” — like those that allow users to swap their face onto GIFs, for example. These will fall under an exception to the rule, which allows deepfakes which are “obvious satire or parody.”

However, it will take aim at apps that manipulate and alter media in a way that isn’t conventionally obvious or acceptable.

For example:

Apps adding a public figure to a demonstration during a politically sensitive event.
Apps using public figures or media from a sensitive event to advertise media altering capability within an app’s store listing.
Apps that alter media clips to mimic a news broadcast.

In particular, the policy will focus on apps that promote misleading imagery that could cause harm related to politics, social issues, or sensitive events. The apps must also disclose or watermark the altered media, too, if it isn’t clear the media has been altered.

Similar bans on manipulated media have been enacted across social media platforms, including Facebook, Twitter and WeChat. Apple’s App Store Developer Guidelines don’t specifically reference “deepfakes” by name, however, though it bans apps with false or defamatory information, outside of satire and humor.

Google says the apps currently available on Google Play have 30 days to comply with this change.

In Google’s announcement, the company said it understood these were difficult times for people, which is why it’s taken steps to minimize the short-term impact of these changes. In other words, it doesn’t sound like the policy changes will soon result in any mass banning or big Play Store clean-out — rather, they’re meant to set the stage for better policing of the store in the future.

from Android – TechCrunch https://ift.tt/34F9AiV
via IFTTT

India says video conference app Zoom is ‘not safe’

India said today Zoom is ‘not a safe platform’ and advised government employees to not use it as the video conference service surges in popularity in many nations including the world’s second largest smartphone market as billions of people remain stuck at home due to the coronavirus crisis.

“Zoom is a not a safe platform,” the Cyber Coordination Centre (CyCord) of India’s ministry of home affairs said in a 16-page (PDF) advisory. The advisory also includes guidelines for users who still wish to use Zoom for their private communications.

The move comes as several companies including Google, Apple, NASA, and Tesla have urged — or warned — their employees from using Zoom, which has amassed over 200 million users. German and Taiwan have also banned the use of Zoom in their nations. But the firm, with market cap of over $40 billion, has also come under scrutiny — and become subject of a lawsuit — after several of its security and privacy lapses emerged in recent weeks.

MHA issues advisory, says Zoom not secure video conferencing platform for private individuals. Mentions guidelines for those who still want to use it. pic.twitter.com/b900JOw1Si

— Prasar Bharati News Services (@PBNS_India) April 16, 2020

Zoom has been trending in India in recent weeks, too, in a surprise as enterprise services rarely get traction with consumers in the country. Several Indian ministers in India have also tweeted pictures that showed they were using Zoom in recent weeks.

The app is being downloaded more than 450,000 times a day for the last two weeks in India, research firm Apptopia told TechCrunch. This week, India also started a competition for startups to develop a secure conferencing app.

Zoom chief executive has Eric S. Yuan has apologized for the security lapses and pledged to prioritize focus on users’ privacy and security over development of new features. The firm recently also recently hired former Facebook security officer Alex Stamos as an advisor.

from Apple – TechCrunch https://ift.tt/34EAIi1

EU lawmakers set out guidance for coronavirus contacts tracing apps

The European Commission has published detailed guidance for Member States on developing coronavirus contacts tracing and warning apps.

The toolbox, which has been developed by the e-Health Network with the support of the Commission, is intended as a practical guide to implementing digital tools for tracking close contacts between device carriers as a proxy for infection risk that seeks to steer Member States in a common, privacy-sensitive direction as they configure their digital responses to the COVID-19 pandemic.

Commenting in a statement, Thierry Breton — the EU commissioner for Internal Market — said: “Contact tracing apps to limit the spread of coronavirus can be useful, especially as part of Member States’ exit strategies. However, strong privacy safeguards are a pre-requisite for the uptake of these apps, and therefore their usefulness. While we should be innovative and make the best use of technology in fighting the pandemic, we will not compromise on our values and privacy requirements.”

“Digital tools will be crucial to protect our citizens as we gradually lift confinement measures,” added Stella Kyriakides, commissioner for health and food safety, in another supporting statement. “Mobile apps can warn us of infection risks and support health authorities with contact tracing, which is essential to break transmission chains. We need to be diligent, creative, and flexible in our approaches to opening up our societies again. We need to continue to flatten the curve – and keep it down. Without safe and compliant digital technologies, our approach will not be efficient.”

The Commission’s top-line “essential requirements” for national contacts tracing apps are that they’re:

voluntary;
approved by the national health authority;
privacy-preserving (“personal data is securely encrypted”); and
dismantled as soon as no longer needed

In the document the Commission writes that the requirements on how to record contacts and notify individuals are “anchored in accepted epidemiological guidance, and reflect best practice on cybersecurity, and accessibility”.

“They cover how to prevent the appearance of potentially harmful unapproved apps, success criteria and collectively monitoring the effectiveness of the apps, and the outline of a communications strategy to engage with stakeholders and the people affected by these initiatives,” it adds.

Yesterday, setting out a wider roadmap to encourage a co-ordinated lifting of the coronavirus lockdown, the Commission suggested digital tools for contacts tracing will play a key role in easing quarantine measures.

Although today’s toolbox clearly emphasizes the need to use manual contact tracing in parallel with digital contact tracing, with such apps and tools envisaged as a support for health authorities — if widely rolled out — by enabling limited resources to be more focused toward manual contacts tracing.

“Manual contact tracing will continue to play an important role, in particular for those, such as elderly or disabled persons, who could be more vulnerable to infection but less likely to have a mobile phone or have access to these applications,” the Commission writes. “Rolling-out mobile applications on a large-scale will significantly contribute to contact tracing efforts also allowing health authorities to carry manual tracing in a more focussed manner.”

“Mobile apps will not reach all citizens given that they rely on the possession and active use of a smart phone. Evidence from Singapore and a study by Oxford University indicate that 60-75% of a population need to have the app for it to be efficient,” it adds in a section on accessibility and inclusiveness. “However, non-users will benefit from any increased population disease control the widespread use of such an app may bring.”

The toolbox also reiterates a clear message from the Commission in recent days that “appropriate safeguards” must be embedded into digital contacts tracing systems. Though it’s less clear whether all Member States are listening to memos about respecting EU rights and freedoms, as they scrambled for tech and data to beat back COVID-19.

“This digital technology, if deployed correctly, could contribute substantively to containing and reversing its spread. Deployed without appropriate safeguards, however, it could have a significant negative effect on privacy and individual rights and freedoms,” the Commission writes, further warning that: “A fragmented and uncoordinated approach to contact tracing apps risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing adverse effects to the single market and to fundamental rights and freedoms.”

On safeguards the Commission has a clear warning for EU Member States, writing: “Any contact tracing and warning app officially recognised by Member States’ relevant authorities should present all guarantees for respect of fundamental rights, and in particular privacy and data protection, the prevention of surveillance and stigmatization.”

Its list of key safeguards notably includes avoiding the collection of any location data.

“Location data is not necessary nor recommended for the purpose of contact tracing apps, as their goal is not to follow the movements of individuals or to enforce prescriptions,” it says. “Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimisation and would create major security and privacy issues.”

The toolbox also emphasizes that such contacts tracing/warning systems be temporary and voluntary in nature — with “automated/gentle self-dismantling, including deletion of all remaining personal data and proximity information, as soon as the crisis is over”.

“The apps’ installation should be consent-based, while providing users with complete and clear information on intended use and processing,” is another key recommendation.

The toolbox leans towards suggesting a decentralized approach, in line with earlier Commission missives, with a push for: “Safeguards to ensure the storing of proximity data on the device and data encryption.”

EU privacy experts push a decentralized approach to COVID-19 contacts tracing

Though the document also includes some discussion of alternative centralized models which involve uploading arbitrary identifiers to a backend server held by public health authorities.

“Users cannot be directly identified through these data. Only the arbitrary identifiers generated by the app are stored on the server. The advantage is that the data stored in the server can be anonymised by aggregation and further used by public authorities as a source of important aggregated information on the intensity of contacts in the population, on the effectiveness of the app in tracing and alerting contacts and on the aggregated number of people that could potentially develop symptoms,” it writes.

“None of the two options [decentralized vs centralized] includes storing of unnecessary personal information,” it adds, leaving the door open to states that might want their public health authorities to be responsible for centralized data processing.

However the Commission draws a clear distinction between centralized approaches that use arbitrary identifiers and those that store directly-identifiable data on every user — with the latter definitely not recommended.

They would have “major disadvantage”, per the toolbox, because they “would not keep personal data processing to the absolute minimum, and so people may be less willing to install and use the app”.

“Centralised storage of mobile phone numbers could also create risks of data breaches and cyberattacks,” the Commission further warns.

Michael Veale, a backer of a decentralized protocol for COVID-19 contacts tracing that’s being developed by an EU coalition of privacy and security experts, told us: “It is good to see the document clearly lay out how you can achieve contact tracing in a decentralised, privacy-preserving way. However, some Member States might be confused, as they think that if they go for PEPP-PT [a separate EU initiative to standardize contacts tracing apps, by distributing tools and processes, whose spokesman previously told us it will support both centralized and decentralized approaches], they get privacy and decentralisation. In fact, PEPP-PT has removed mention of DP-3T from its website, but has not published any alternative white paper or code for scrutiny for its own system.”

We’ve reached out to PEPP-PT for comment.

Discussing cross-border interoperability requirements, the Commission’s toolbox highlights the necessity for a grab-bag of EU contacts tracing apps to be interoperable, in order to successfully break cross-border transmission chains, which requires national health authorities to be technically able to exchange available information about individuals infected with and/or exposed to COVID-19.

“Tracing and warning apps should therefore follow common EU interoperability protocols so that the previous functionalities can be performed, and particularly safeguarding rights to privacy and data protection, regardless of where a device is in the EU,” it suggests.

On preventing the spread of harmful or unlawful apps the document suggests Member States consider setting up a national system of evaluation/accreditation endorsement of national apps, perhaps based on a common set of criteria (that would need to be defined).

“A close cooperation between health and digital authorities should be sought whenever possible for the evaluation/endorsement of the apps,” it writes.

The Commission also says “close cooperation with app stores will be needed to promote national apps and promote uptake while delisting harmful apps” — putting Apple and Google squarely in the frame.

Earlier this week the pair announced their own collaboration on coronavirus contracts tracing — announcing a plan to offer an API and later opt-in system-level contacts tracing, based on a decentralized tracking architecture with ephemeral IDs processed locally on devices, rather than being uploaded and held on a central server.

Given the dominance of the two tech giants their decision to collaborate on a decentralized system may effectively deprive national health authorities of the option to gain buy in for systems that would give those publicly funded bodies access to anonymized and aggregated data for coronavirus modelling and/or tracking purposes. Which should, in the middle of a pandemic, give more than a little pause for thought.

A note in the toolbox mentions Apple and Google — with the Commission writing that: “By the end of April 2020, Member States with the Commission will seek clarifications on the solution proposed by Google and Apple with regard to contact tracing functionality on Android and iOS in order to ensure that their initiative is compatible with the EU common approach.”

from Android – TechCrunch https://ift.tt/2XCi20N
via IFTTT