StopCovid: Should We Follow The German Model and Give In To Apple on Contact Tracing?


Should France draw inspiration from Germany? The adage, which makes me smile as a Franco-German, is nonetheless exasperating.

The press waves it around as soon as a parallel, however far-fetched, can be drawn with measures taken by our first cousins, who are held up as an example.

And in the debate surrounding the StopCovid application and contact tracing to stem the Covid-19 epidemic, there has been no shortage of such parallels.

To make a long story short and before plunging into this vast debate, Germany announced on Sunday 26 April that it would base the development of its own contact tracing anti-coronavirus application on the common API of Apple and Google, whereas it had initially ruled it out.

A reversal explained by the restrictions that Android, and above all iOS, impose on running Bluetooth in the background, which is essential to the proper functioning of contact tracing apps and which only this API would allow.

However, France, which is also working on its own StopCovid application, refuses to bend in the name of technological sovereignty (but also data security) and is asking the GAFA to lift software restrictions, without having to use the controversial API.

A standoff already lost against Apple, which has in the past happily sent the FBI packing over a similar request related to terrorist acts.

In the face of the obvious technological impasse, the question arises: should France take its cue from Germany and put aside its Gallic pride to prevent StopCovid from becoming a total fiasco?

The answer is not so simple. There are no bad guys or good guys in this case. But the balance seems to be in favour of a decentralized “German-style” solution with Apple and Google.

A choice that is “more reasonable from a technical point of view and in terms of comparing the dangers for our data” as Damien Stehlé, professor of computer science at the ENS in Lyon and co-signatory of an open letter addressed to the government warning about the risks presented by contact tracing applications, explains to AndroidPit.

Leaving Your Data To Apple/Google or the State: A False Debate

The current point of contention centres on the method France has chosen to deploy contact tracing. Roughly two families of protocols can be distinguished: a centralized protocol, ROBERT (the French solution), and decentralized ones (the Google/Apple method, the German DP3T, PACT and many others).

“The centralized/decentralized terminology is confusing,” says Damien Stehlé. “The question is not whether I leave my data to Apple/Google or the state, but whether I leave it to Apple/Google or Apple/Google AND the state – it’s either one or both.” You have to be interested in who is processing the data that is collected. In the case of ROBERT, this processing is done by the State at the central server level.

The ROBERT protocol, for (hang on) ROBust and privacy-presERving proximity Tracing, is a contact tracing method developed by researchers at Inria, the National Institute for Research in Digital Science and Technology. The data is collected here and stored on a central server.

“The key element of the protocol is that users declaring themselves infected via the application are not individualized on the State’s servers.

Thus, nobody can, in theory, trace the patient, neither private individual, nor State, nor hacker: only the hospital which keeps health data on this trace” as my colleague from Numerama, Julien Cadot, explains it very well.

Indeed, Inria proposes never to dissociate a set of Bluetooth identifiers. If your smartphone collects 10 identifiers from people you came into contact with during your trip, it will send 10 identifiers to the central server, and yours.

If one of the people you’ve met declares himself or herself ill, the central server will locate that person’s ID and deem all transmitted IDs to be at risk.

Everyone will therefore receive a notification without knowing who is sick. But the patient will still be digitally registered by another means at the hospital, with all the details of his real identity.

“In the other solutions, called decentralized (Apple/Google’s API, among others), the treatment to find out if you are at risk is done locally on the phone, which receives an encrypted list of sick people, and based on that and the contacts you have had, the smartphone determines whether you are at risk,” explains Damien Stehlé.

But there is no solution that is categorically more protective of our data than the other, according to Damien Stehlé, who points out that each protocol presents the same dangers, but in different proportions.

Between The Plague And Cholera…

The only indisputable fact in this debate is that a centralized contact tracing application cannot work properly without the Google/Apple API to lift the restrictions on Bluetooth activation. The Singaporean example demonstrated this well.

The argument for better data protection allowed by the ROBERT protocol is not as strong. “Each model, whether decentralized or centralized, presents the same three types of risk, but not in the same proportions,” says Damien Stehlé. These risks are mass surveillance, neighbourhood espionage and false alarms.

With both protocols, the risk of false alarms is the same. It is a flaw inherent to the imprecision of Bluetooth as a proximity measure. There will therefore be false negatives and false positives (you are notified as at risk when you had no physical contact with a sick person, but that person was close enough to register a contact via Bluetooth).

“The decentralized model brings more risk of neighborhood espionage: I want to know who is sick in my building, where I crossed paths with them. The centralized option presents a greater danger in terms of mass surveillance,” explains our expert.

This mass surveillance involves, among other things, collecting and reconstructing the social graph. In layman’s terms, Damien Stehlé explains that “in the ROBERT solution, when you’re sick, you upload all the Bluetooth contacts you’ve had over the last 14 days.

You trace who you have been in contact with and how often in order to notify them. The social graph is the set of social links between individuals; in such an application, the central server could reconstruct a large part of this social graph thanks to the data collected by the state.”

The decentralized approach therefore carries more risk of neighborhood espionage and the centralized one more risk of mass surveillance. But neither risk disappears in either solution. And their seriousness depends above all on how far the collected data is minimized, which has itself not yet been spelled out precisely enough.
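To make the two data flows described above concrete, here is a small Python simulation of who learns what when one user is declared sick (an added example written for this article, not code from Inria’s ROBERT or from the Apple/Google API); the names, identifiers and encounter log are constructed, and the encryption of the published list is omitted.

```python
"""Toy model of a centralized (ROBERT-style) and a decentralized (DP3T/Apple-Google
style) declaration. Added example: hypothetical names, constructed identifiers."""
import secrets

# Constructed encounter log for the period: pairs of phones that were near each other.
ENCOUNTERS = [("alice", "bob"), ("alice", "carol"), ("bob", "dave")]

def make_phones(names):
    """Each phone broadcasts one constructed Bluetooth identifier during the period."""
    return {n: secrets.token_hex(4) for n in names}

def collected_ids(phones, name):
    """The identifiers a phone collected from the people it met (its local contact list)."""
    return {phones[b if a == name else a] for a, b in ENCOUNTERS if name in (a, b)}

def centralized_declaration(phones, sick):
    """Centralized: the sick phone uploads the IDs it collected plus its own.
    Returns what the server now holds (contact pairs) and whom it flags at risk."""
    own, seen = phones[sick], collected_ids(phones, sick)
    # The server links the uploader's ID to every ID it met: a slice of the social graph.
    server_links = {(own, s) for s in seen}
    at_risk = {n for n, i in phones.items() if i in seen}
    return server_links, at_risk

def decentralized_declaration(phones, sick):
    """Decentralized: the server only publishes the sick phone's ID; each phone
    matches it locally. Returns the server's links (none) and, per at-risk phone,
    the matched ID that this phone now knows belonged to a sick contact."""
    published = {phones[sick]}
    server_links = set()              # the server never receives contact pairs
    local_matches = {}
    for name in phones:
        if name == sick:
            continue
        hits = collected_ids(phones, name) & published
        if hits:                      # the phone, not the server, learns which contact was sick
            local_matches[name] = hits
    return server_links, local_matches
```

Both models flag the same people; what differs is whether the contact pairs end up on the server (the mass-surveillance risk) or the matched identifier ends up on the neighbour’s phone (the neighbourhood-espionage risk).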

On a personal note, Damien Stehlé believes that “the risk of mass surveillance is much more serious than the risk of neighborhood espionage. So if you have to choose between the two, a priori it’s better to choose the latter.”

In this sense, the professor considers that, as things stand, decentralized solutions such as DP3T or Apple/Google’s are more commendable than ROBERT’s centralized protocol. “Germany made the reasonable choice, at least from a technical point of view and in terms of comparing the dangers.”

As for me, I think that technical limitations and data privacy are only the tip of the iceberg. The human element and the voluntary adoption on which these applications rely (in compliance with the GDPR) are a serious hindrance to their effectiveness in a climate of general mistrust towards the GAFA and the State.

But these questions will not arise in any case if StopCovid malfunctions from the outset because of this technological impasse. Perhaps for once we could learn from the German model.
