This article lists some points and sections of the document "eHealth Network - Mobile applications to support contact tracing in the EU’s fight against COVID-19 - Common EU Toolbox for Member States - Version 1.0" (released on 15 April 2020) which I found especially significant. From my point of view it displays both the enthusiasm and good intentions that go into using modern technologies to mitigate a pandemic, and the big challenges that have to be tackled thoughtfully to foster trust throughout society and avoid a privacy disaster.
The first iteration of the common EU toolbox has been developed urgently and collaboratively by the eHealth Network with the support of the European Commission. Done right, this kind of solution for contact tracing could prove very valuable not only with regard to the current pandemic, but in all those which may lie ahead. Done wrong, they become yet another tool for mass surveillance.
Additional details can be found at "Coronavirus: An EU approach for efficient contact tracing apps to support gradual lifting of confinement measures".
[...] The essential requirements for national apps, namely that they be:
- approved by the national health authority;
- privacy-preserving - personal data is securely encrypted; and
- dismantled as soon as no longer needed.
[...] The aim of contact tracing and warning is for public health authorities to rapidly identify as many contacts as possible with a confirmed case of COVID-19, ask them to self-quarantine if possible, and rapidly test and isolate them if they develop symptoms. The aim of contact tracing could also be to have anonymised and aggregated data of infection patterns in society, as a means to make containment decisions at local level.
[...] Contact tracing is normally carried out manually by public health authorities. This is a time-consuming process where cases are interviewed in order to determine who they remember being in contact with from 48 hours before symptom onset and up to the point of self-isolation and diagnosis. [...] Such manual processes rely on the patient’s memory and obviously cannot trace individuals who have been in contact with the patient but who are unknown to him/her.
[...] Digital tools such as mobile apps with tracing functionalities can be of substantial support in this process, identifying both known and unknown contacts of a confirmed case and possibly help in their follow up, in particular in settings with large numbers of cases where public health authorities can get overwhelmed.
[...] This digital technology, if deployed correctly, could contribute substantively to containing and reversing its spread. Deployed without appropriate safeguards, however, it could have a significant negative effect on privacy and individual rights and freedoms. [...] A fragmented and uncoordinated approach to contact tracing apps risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing adverse effects to the single market and to fundamental rights and freedoms. [...] Their acceptance and take-up by individuals depends on whether the public perceive them as effective, accurate, privacy protective and trustworthy, avoiding mass surveillance and strictly limited in time to the duration of the current crisis. [...] The large volume and sensitivity of the data that will be processed require robust cybersecurity measures [...] to mitigate the risk of security and data breaches, which could have a devastating effect on public trust in the use of those apps.
[...] In Europe, the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) consortium intends to support the development of national initiatives that pursue a fully privacy-preserving approach by providing ready-to-use, well-tested, and validated modules and tools. It also aims to enable tracing of infection chains across national borders. Initiatives under the umbrella of PEPP-PT aim at an open protocol for COVID-19 proximity tracing using Bluetooth Low Energy on mobile devices and an architecture that ensures that personal data stays entirely on an individual’s phone.
[...] Requirements for contact tracing and warning apps [...] are divided into four parts:
- essential requirements covering the epidemiological framework, technical functionalities, cross-border interoperability requirements as well as cybersecurity measures and safeguards;
- measures aimed to ensure accessibility and inclusiveness;
- governance/role of public health authorities covering approval of tracing apps and their access to data generated by tracing apps;
- supporting actions covering sharing of epidemiological information and cooperation with ECDC, measures to prevent proliferation of harmful apps and monitoring of effectiveness of apps.
[...] Apps should be disabled once the pandemic has passed. If it is not possible to disable or remove apps from individual phones, authorities should no longer collect data or seek COVID-19 related data from citizens. Techniques like notifications should be considered to prompt users to disable or completely remove these apps from their phone.
[...] Member States should consider specifications which allow contact detection to an accuracy of one meter, in order to minimise false positives. Such specifications should concern, among others, aspects related to the sending and receiving of Bluetooth signals, the capability to estimate proximity with precision, the capability to record and store unique, ephemeral, pseudonymised IDs observed from other mobile phones or devices in epidemiologically relevant proximity on the device. They should also allow the recording of the device’s proximity to another device, and the duration of this proximity, on which is running any COVID-19 app officially recognised by national health authorities.
[...] Member States should ensure that the ephemeral ID is generated pseudo-randomly and changes periodically to enhance the protection against eavesdropping, as well as hacking and tracking by third parties. Likewise, the code (a one-time password) created by the relevant health authorities to confirm that a user is infected should be generated pseudorandomly, be single-use, and change frequently in order to ensure that it cannot be used by malicious individuals to pollute the data collected on the server.
[...] Member States should ensure that the apps’ performance allows, among others: (i) accuracy, and notably that it records accurately actual physical proximity and duration of contact; (ii) completeness, and notably that it holds a complete history of relevant contacts as in traditional manual contact tracing, in an irrefutable way; (iii) integrity, and notably that it only records authentic contact events with at-risk individuals; (iv) scalability and (v) security, and notably backend architecture and technology that can be deployed with local IT infrastructure and can scale to billions of users, while ensuring a high level of network and information security.
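As an added illustration (my own sketch, not code from the toolbox or from PEPP-PT) of the requirements quoted above, the following shows how a phone could derive periodically rotating pseudonymous IDs from a secret day key, keep an on-device log of observed IDs with first/last time seen, and later match that log locally against day keys published by confirmed cases, so that exposure is only flagged when the accumulated contact duration is epidemiologically relevant. The rotation interval, the 15-minute duration threshold and the RSSI proximity cut-off are assumed values chosen for the example.

```python
import hmac, hashlib, secrets

EPOCH_MINUTES = 15          # broadcast ID rotates every 15 min (assumed value)
MIN_CONTACT_MINUTES = 15    # relevant exposure duration (assumed value)
RSSI_THRESHOLD = -70        # weaker beacons are treated as "not in proximity" (assumed)

def ephemeral_id(day_key: bytes, epoch: int) -> bytes:
    """Pseudonymous ID broadcast during one epoch of the day. Only the holder of
    day_key can link the IDs of different epochs, so observers cannot track a user."""
    return hmac.new(day_key, f"EPH-{epoch}".encode(), hashlib.sha256).digest()[:16]

class ContactLog:
    """On-device record: observed ID -> [first_minute, last_minute] within a day."""
    def __init__(self):
        self.seen = {}

    def observe(self, eph_id: bytes, minute: int, rssi: int):
        # Drop beacons that are too weak to indicate close physical proximity.
        if rssi < RSSI_THRESHOLD:
            return
        span = self.seen.setdefault(eph_id, [minute, minute])
        span[1] = max(span[1], minute)

    def exposure_minutes(self, day_key: bytes) -> int:
        """Total contact time with the device that owns day_key. The match is done
        locally by re-deriving that device's IDs; the log never leaves the phone."""
        total = 0
        for epoch in range(24 * 60 // EPOCH_MINUTES):
            span = self.seen.get(ephemeral_id(day_key, epoch))
            if span:
                total += span[1] - span[0] + 1
        return total

def is_exposed(log: ContactLog, published_keys: list) -> bool:
    """published_keys: day keys released (with consent) by confirmed cases."""
    return any(log.exposure_minutes(k) >= MIN_CONTACT_MINUTES for k in published_keys)

def simulate_day():
    """Constructed sample: Alice's phone sees Bob for 20 min, Carol for 3 min, and a
    distant device for 30 min whose beacons fall below the proximity threshold."""
    bob_key, carol_key = secrets.token_bytes(32), secrets.token_bytes(32)
    log = ContactLog()
    for minute in range(100, 120):      # Bob: minutes 100..119, spans epochs 6 and 7
        log.observe(ephemeral_id(bob_key, minute // EPOCH_MINUTES), minute, rssi=-60)
    for minute in range(300, 303):      # Carol: brief encounter only
        log.observe(ephemeral_id(carol_key, minute // EPOCH_MINUTES), minute, rssi=-60)
    for minute in range(400, 430):      # far away: ignored by the RSSI cut-off
        log.observe(b"far-away-device-id", minute, rssi=-90)
    return log, bob_key, carol_key
```

If Bob later tests positive and publishes his day key, Alice's phone reports exposure (20 minutes across two ID rotations) while Carol's 3-minute encounter and the distant device are never flagged.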
[...] Infection transmission chains do not stop at national or regional borders. To collaborate and manage cross-border transmission chains, national health authorities should be technically able to exchange available information about individuals infected with and/or exposed to COVID-19. Tracing and warning apps should therefore follow common EU interoperability protocols so that the previous functionalities can be performed, and particularly safeguarding rights to privacy and data protection, regardless of where a device is in the EU.
[...] Cybersecurity for these mobile applications, as well as the backend and any associated services is critical. [...] Member States are recommended to carry out a national risk assessment to identify and mitigate possible risks of abuse. Furthermore, as the applications are deployed, national and European health and cybersecurity agencies, including Computer Security Incident Response teams, are expected to cooperate in responding to any potential incidents including the disclosure of new vulnerabilities.
[...] Any contact tracing and warning app officially recognised by Member States’ relevant authorities should present all guarantees for respect of fundamental rights, and in particular privacy and data protection, the prevention of surveillance and stigmatization.
[...] Mobile apps will not reach all citizens given that they rely on the possession and active use of a smart phone. Evidence from Singapore and a study by Oxford University indicate that 60-75% of a population need to have the app for it to be efficient.
[...] Peer reviews at national level, but also among Member States and coordinated at EU level, to allow the review of the effectiveness and functioning of the chosen mobile applications, as well as the balancing with the fundamental rights requirements, are particularly encouraged. This should include independent technical reviews, including in-depth audits of the apps in terms of security, privacy or accessibility, ideally coordinated at European level (e.g. via an independent testing facility). Such independent assessments can be coordinated with the assessments conducted by national authorities, for example cybersecurity agencies, and will help increase trust, a vital condition for uptake and success.
[...] In order to support transparency and interoperability, the publication/sharing of the source code and the peer reviews are encouraged and are highly recommended for the apps supported by the national authorities (this could be done, if relevant, against a fair compensation).
[...] BY END APRIL 2020: Member States with the Commission will seek clarifications on the solution proposed by Google and Apple with regard to contact tracing functionality on Android and iOS in order to ensure that their initiative is compatible with the EU common approach.
- ENISA Smartphone guidelines and tool: https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/smartphoneguidelines-tool
- ENISA report on pseudonymisation techniques: https://www.enisa.europa.eu/publications/pseudonymisation-techniques-andbest-practices
- OWASP mobile security project https://owasp.org/www-project-mobile-security/
- OWASP Mobile Security Testing Guide https://owasp.org/www-project-mobile-security-testing-guide/
- Android developers security documentation - https://source.android.com/security
- iOS developers security documentation - https://developer.apple.com/documentation/security
- The SOG-IS cryptography catalogue https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms1.1.pdf
- Germany - Requirements for OEM regarding Smartphone Security
- France - Recommandations de sécurité relatives aux ordiphones -