By Katy Romy
Contact tracing apps, which alert users when they have been in contact with infected people, are being touted as crucial aids to control the spread of Covid-19. But critics warn of data privacy concerns, and Switzerland’s parliament has demanded a legal basis for such an app.
Europe is slowly emerging from an artificial coma induced by the Covid-19 pandemic. As countries ease their lockdowns and try to avoid a second wave of infections, the race is on to develop smartphone apps to trace the spread of the virus. However, the tech sprint has raised numerous questions among the general population and scientific community.
The decentralised contact tracing app DP-3T, developed by the federal institutes of technology in Zurich (ETH Zurich) and Lausanne (EPFL), will launch on May 13 in a pilot phase “for a certain group of the population” until the end of the month, Health Minister Alain Berset said on Friday.
The app, which people can voluntarily download and use, employs Bluetooth technology to allow smartphones to communicate with each another anonymously. If a person tests positive for coronavirus, all the people with whom that person was in contact in previous days – less than two metres proximity for more than 15 minutes – are alerted via the app to isolate themselves and get tested.
The DP-3T system is decentralised with contacts and data stored on devices rather than on an external server.
Legal basis required
On Tuesday, the Swiss House of Representatives approved a proposal that urges the government to prepare a bill to ensure the app is defined under Swiss law. The Senate had agreed a similar proposal earlier.
During this week’s debate, critics argued that it was important to set clear rules for the use of such a tracking device, including data security and the voluntary principle for participants.
“We must avoid, for example, that businesses or institutions demand the use of the application from their customers or visitors,” argued centre-right Radical parliamentarian Damien Cottier.
Opponents say a specific law is not necessary as current regulations are enough under the law on communicable diseases in force since 2016.
Berset told reporters on May 8 that the Federal Council (executive body) would submit a draft bill to parliament by May 20, which will be discussed in the June session.
The May test phase will go ahead, as no specific legal basis is necessary for trials. Berset urgent parliament to quickly resolve the matter but acknowledged that if parliament says no to the legal basis] it will be “finished for the app”.
Who will download it
Researchers frequently cite a participation rate of 60% by the population to ensure the contact tracing is efficient.
“It is all the more important to establish a solid foundation on which to build public confidence,” added Cottier.
But some epidemiologists believe that a 20-30% usage rate would already help to control the spread of infections.
Over the past few months the Swiss authorities have pushed ahead with the development of the DP-3T app “as fast as possible” while insisting on its safety.
“The individual’s doctor and the cantonal contact tracing centre will be the only ones to know the identity of the infected person. In addition, only they can authorise an infected person to report the infection to the system anonymously, by transmitting an authorisation code,” the Federal Council states in its position paper.
Solange Ghernaouti, a professor at the University of Lausanne and cybersecurity expert, is among the sceptics. She welcomes parliament’s decision to create a legal basis to “put safeguards against misuse”.
“The drafting of a law will make it possible to have a public debate on the role of digital technology in finding solutions to concrete problems,” she said. But Ghernaouti warns that a legal basis is not necessarily the solution to all problems.
“There’s no guarantee that the system won’t be hacked. What’s more, there will be some people trying to do just that, because we know that health-related data is worth its weight in gold,” she said.
Breaking anonymity requires certain specialist hacking skills, explained the professor. But she is certain that anyone who tries will be successful by cross-checking information.
‘Swiss-made’ – so what?
And arguing that it is “Swiss made” system is not a guarantee of security either, warned Ghernauouti.
“No single country has found the miracle app or proven its effectiveness. Under these conditions, it would be better not to use it,” she said.
Aside from the security problems, the Lausanne professor is worried by the speed with which the tracing system has been created.
“There won’t be enough time for it to be tested and validated properly, but a huge amount of trust has been put in it. Insufficient time seems to have been set aside to create something good.”
The risk, she added, is that if we accept such surveillance systems during crises, it might not be possible to uninstall them later.
“Do we want to help epidemiologists control pandemics? Of course, but not at any price,” said Ghernaouti. Her concerns have been shared by other scientists, even at the EPFL.
For several weeks, the EPFL researchers involved in the project have been working 15-hour days to finalise the app.
“Technically, we are almost there. We’ll be ready to launch the application when the authorities decide to do so,” said EPFL spokesperson Emmanuel Barraud.
While acknowledging the security concerns, Barraud reassures that “the application is designed to guarantee anonymity… Everything happens on the users’ phones, not on a central server, which could be the target of a hacking attempt.”
Even if a someone manages to get into the system, they would only find encrypted information, said Barraud. “They’d get a list of codes that can’t be traced back to anyone. This is the only information that circulates between two phones,” he explained.
Despite this, some researchers working on the project say the high expectations should be downplayed.
“The Bluetooth technology isn’t perfect; it’s going to miss some people. And just because you’re alerted to the fact that you’ve been in contact with an infected person doesn’t mean that it’s that person who infected you,” Carmela Troncoso, a computer scientist at Lausanne who has been involved in designing and coding DP-3T, recently told the weekly Illustré magazine.
She insists that the app must be seen as “a complement to manual contact tracing”.
Compulsory in Asia, voluntary in Europe
Most Asian countries affected by coronavirus have trialled patient tracking technologies that use the geo-location capabilities of smartphones. Various techniques have been tested with data directly sent to telephone operators. Users, however, generally get no choice in the matter.
Western nations have instead been inspired by an app developed in February by Singapore, which is less intrusive and downloaded on a voluntary basis. It uses Bluetooth instead of GPS technology. Bluetooth could offer more privacy protections because they amass less information, collecting only data about who people meet but not where they are.
In Singapore, however, contact information is centralised on a government-run database. Many Western countries have prefered to adapt this system.
ETH Zurich and EPFL initially collaborated in an-European Privacy-Preserving Proximity Tracing, or PEPP-PT project, which brings together organisations from eight European countries. However, they felt that the system was too centralised and had concerns about privacy protection. They therefore developed their own DP-3T application, based on a so-called decentralised system. The DP-3T system is supported by a loose coalition of European states that includes Germany and Italy.
France announced earlier this week that its StopCovid app should be available as of June 2.