11.04.2020
Chaos Computer Club lists 10 requirements for Corona Tracking App
Europe's largest association of hackers, the Chaos Computer Club (CCC) has published a set of minimum requirements for "Contact Tracing" apps, currently evaluated by governments around the world. While CCC evaluates the potential risk of collecting contact- and health data as ‘enormous’, it believes that with the use of proven privacy by design concepts and technologies the potential of contact tracing could be unfold, without creating a privacy disaster.
First and foremost, CCC explains in its blog, epidemiology experts (NOT GOVERNMENTS OR THIRD PARTIES!) must prove that "contact tracing" can help to reduce the number of infections. CCC also rejects involvement of companies developing surveillance technologies as "covid washing". For potential users, it is not sufficient to rely on organizational measures, "trust" and promises. Verifiable technical measures such as cryptography and anonymisation technologies must ensure user privacy. Complete source code for the app and infrastructure must be freely available without access restrictions to allow audits by all interested parties.
Building on this, CCC has listed a set of technical requirements for the contact tracing app, available on the CCC website
What's Europe's take on this?
In Europe, the discussion about the Corona App is taking place at Member State - (National Data Protection Authorities) and European level: The Chair of the Civil Liberties Committee, Juan Fernando López Aguilar (S&D, ES) , said: “Even in these exceptional times, the EU’s data protection principles, namely the General Data Protection Rules (GDPR) and the e-Privacy Directive, must continue to apply and be respected”. He underlined that “the Civil Liberties Committee is following these developments closely because of the serious risks that such tools may imply for an individual’s fundamental rights to a private life and data protection.”
The European Data Protection Supervisor and the European Data Protection Board have stressed that as long as the information shared with national authorities is anonymised and does not allow for individuals to be identified in any way, it can be used. However, strong security measures regarding the use, access and storage of the information as well as strict retention periods must be implemented.
What do we think?
Well, at least in Europe there seems to be a shared vision and approach towards privacy and security. (We would stress out that some member states are more democratic then the next one, even in Europe). But a shared vision is a minimum requirement, it will take quite a leep from there to secure and privacy- aware apps. The public discussion today is mostly about Governments and other actors that maliciously want to take advantage of the current crisis. But there are examples of governmental COVID initiatives that where meant well but did put citizens in harms way. We'd strongly recommend consultation with organizations like the CCC. The Chaos Computer Club has already offered its knowledge and expertise for an advisory and observation role in this debate. It will not recommend specific apps, concepts or procedures. But will advise against the use of apps that do not meet these requirements.
Having said all that, we believe that governments should seriously reconsider where to put their energy and allocate resources in this crisis. We seriously doubt if this initiative would contribute to the overall objectives of governments to fight the spreading of the virus. In addition to this a topdown approach would be required to make this work to some extend. And a topdown approach with incentives to join and mandatory participation will not meet the security and privacy coditions as mentioned above. Lastly, the app could become a victim of its own success: The warning system will lead to false positives (people that were not infected will be warned to take action) and increase the pressure on healthcare resources that are overloaded as it is.
Another very interesting read...
In addition to this, the app is a stand alone discussion from other Government measures that could (should) be considered, and with limited explanation of what Contact Tracing in the Real World really entails. Ross Anderson has done some great work in this field, we definitely recommend reading his take on this.
Update 14 february: The European Data Protection Board has issued a letter, with draft guidelines for corona app requirements