As countries rush to develop COVID-19 tracing apps, France has become a lightning rod for the technical and ethical debates surrounding attempts to balance public health and mass surveillance.
The French government has embraced a framework for its app, called StopCovid, that would centralize the collection of citizens’ data. Privacy groups have blasted this approach and accused the otherwise privacy-obsessed French politicians of being hypocrites. StopCovid has also triggered a confrontation with Apple, which has so far refused to enable such an approach on its devices.
The government is not backing down, insisting that a centralized approach can protect privacy by anonymizing data while at the same time offering greater overall security and insights into the virus’ spread. More fundamentally, the French government insists that decisions around the public use of this data need to be made by elected officials rather than private companies.
With data viewed as a critical tool for combating the pandemic, the fevered arguments in France serve as a microcosm of the global debate over how to strike a balance between public health and privacy. All parties agree that creating trust around these apps is essential to achieving participation rates high enough to be effective. In terms of public buy-in and technical design, these apps will serve as a test run for governments seeking to navigate the tradeoffs necessary to fight not just the coronavirus, but future pandemics as well.
“As with any technology, zero risk does not exist,” French digital minister Cédric O wrote in defending his government’s approach to developing an app. “No solution is foolproof, but each type has its own flaws … StopCovid is not a ‘peacetime’ application. Such a project would not exist without the situation created by COVID-19.”
So far, about a dozen countries have deployed some kind of COVID-19 tracing app. The tools represent wide-ranging approaches to a variety of questions — such as whether to centralize data and whether to track users’ locations. More recently, Apple and Google announced a partnership to develop a contact tracing API that will allow other organizations to create apps that work across Android and iOS devices.
In Europe, two competing visions have emerged as possible frameworks for these apps. The first stores data on a central server, where it performs infection-matching. The second keeps the data on users’ smartphones, where the matching happens. Neither would use GPS or other methods of location tracking.
The technical details, privacy tradeoffs, and security risks have been front-page news and widely debated on evening news shows in France over the past few weeks — an indication of just how important such issues are to people in the country.
In France, the government has chosen to adapt the centralized framework developed by a group called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT). Initially led by German researchers, this effort eventually resulted in the creation of a tracing framework called ROBERT (ROBust and privacy-presERving proximity Tracing protocol).
In explaining ROBERT, Bruno Sportisse, CEO of French research institute Inria, wrote in mid-April that any framework involving data tracking will have some privacy and security tradeoffs. He argued that it was a false narrative to label one approach “centralized” and another “decentralized” because all systems would involve some information at the device level and some information passing through a common server. In the case of ROBERT, all users would have to opt in, and the information sent to a central server would be stored using only crypto-identifiers, rather than any actual names or personal information.
“This application is not a ‘tracking’ app: It only uses Bluetooth, never GSM or geolocation data,” Sportisse wrote. “Nor is it a surveillance app. To be even clearer: It has been designed in such a way that NOBODY, not even the government, has access to the list of people diagnosed as positive or to the list of social interactions between people.”
France’s StopCovid app is being built on the ROBERT framework, with input from a coalition of institutes, universities, and companies. These include Inria, ANSSI, Capgemini, Dassault Systèmes, Inserm, Lunabee Studio, Orange, Withings, and France’s public health agency. A version of the StopCovid app is slated to be ready in late May so it can be put up for debate and approval by France’s National Assembly. Assuming it is approved and tests are successful, it may begin to roll out in early June.
Nobody is promoting the app as a silver bullet, but rather as one of the tools France is weighing as it slowly begins reopening this month.
Digital minister O has also stressed that StopCovid is not intended to monitor people and that no one can be forced to download it to their phone and activate it. Any sharing of information would be on a strictly opt-in basis.
If someone does opt in, they can declare that they have tested positive for COVID-19, and the app will then notify any users who have been in proximity to the infected individual. From there, it’s up to app users who have been exposed to decide whether to contact health officials. People are not informed who the infected contact was, and the app on the phone would not contain information to let them figure that out.
The French model has received a tentative thumbs up from the independent privacy agency Commission Nationale Informatique et Libertés (CNIL), which felt it provided sufficient privacy measures to meet Europe’s General Data Protection Regulation (GDPR) guidelines. The National Digital Council advisory board also gave preliminary support, but said it could not render a full opinion until it was able to evaluate the actual app.
Speaking to broader privacy concerns, O wrote: “The StopCovid project is not a foot in the door. Everything is temporary: The data is erased after a few days, and the application itself is not intended to be used beyond the epidemic period.”
The framework competing with ROBERT is a decentralized contact tracing protocol called Decentralized Privacy-Preserving Proximity Tracing (DP-PPT). A coalition of researchers from several European institutions designed this framework, and it syncs up with the API Apple and Google are developing.
Prior to that Apple-Google partnership, COVID-19 tracing apps had faced various problems operating on iPhones. For one thing, Apple generally prevents Bluetooth from continually sending out signals to ping other phones. More recent versions of Android also place some restrictions on Bluetooth, but it’s Apple phones that are viewed as the biggest hurdle for any contact tracing apps.
“You can implement either app just fine on an Android phone,” said James Larus, part of the DP-PPT team and dean of the School of Computer and Communications Science at Switzerland’s École Polytechnique Fédérale de Lausanne (EPFL) technical university. “The problem is Apple phones.”
In Singapore, the government developed a workaround to the Apple issue by having their app run in the foreground and keeping the phone unlocked. However, that drained the battery and created privacy concerns that led to an adoption rate too low to be effective.
Apple has decided it’s willing to bend on that issue as long as the data regarding contacts is being kept on users’ phones, essentially forcing governments to accept a decentralized solution. In the centralized app, if someone is infected, their contact information would be uploaded to the central server. For the decentralized Apple-Google version, if someone reported to their app that they were infected, a server would then upload their encrypted contacts into a database.
On the other end, an app periodically downloads this database to other users’ smartphones. If the app detects a match between a record of infection reports in the database and a user’s recent contact, the user would be notified. The main difference between this approach and the ROBERT framework is that the anonymized IDs would not be continuously stored on the central server.
“The real differences come down to this question of where the data is stored and where the matching is done,” Larus said. “And those are true differences. But in the end, the functionality of the apps [is] the same.”
Both frameworks pose potential security risks, as each system relies on some form of encryption. In France’s version, users must trust that the government agency controlling the system has designed enough security into the app and the network. But with the decentralized approach, users must take the risk of other people’s phones storing their encrypted information if they are diagnosed, making the system only as secure as everyone else’s phones.
The French government cites this as one of the reasons for rejecting the decentralized approach. Its own security agency, the National Information Systems Security Agency (ANSSI), labeled the “decentralized” model riskier because the encrypted identifiers would be circulating on people’s phones.
“All those applications involve very important risks when it comes to protecting privacy and individual rights,” ANSSI stated in a letter. “This mass surveillance could be done by collecting the interaction graph of individuals — the social graph. It could happen at the operating system level on the phones. Not only could operating system makers reconstruct the social graph, but the state could as well, more or less easily depending on the approaches.”
France versus Apple
With the French group rushing to complete work on the app this month, one of the main logjams remains tension between Apple and the French government. While the United Kingdom has taken a COVID-19 tracing app philosophy similar to that of France, Germany has changed course and opted for a decentralized version.
Orange CEO Stéphane Richard, whose company is helping create France’s app, has expressed some optimism that the French StopCovid app consortium can reach a deal with Apple. “There are meetings almost every day. It’s not a done deal yet … but we have a discussion dynamic with Apple that is not bad,” Richard told Reuters.
But the French government has expressed continued frustration. “Apple could have helped us make the application work even better on the iPhone. They have not wished to do so,” France’s O told BFM Business TV on May 5. He also issued a stern reminder that the dispute with Apple underscores the “oligopolistic nature of the OS market,” which puts nations at the mercy of big companies.
“Health policy is, from the point of view of the French government, a sovereign prerogative which is the responsibility of the state,” O wrote. “It is up to the public authorities, with their qualities and their faults, to make the choices they consider to be the best for protecting French women and men. The French government does not refuse the API proposed in the state by these two companies because they are American companies. … It refuses to do so because, in its current format, it constrains the technical choice: Only a ‘decentralized’ solution can work perfectly on phones equipped with iOS.”
France, he added, must be able to protect its sovereignty and “not to be constrained by the choices of a big company, as innovative and efficient as it is.”
Lost in these technical and political debates is the reality that no one knows whether any of these apps will be truly effective. In part, that’s because the technology is unproven and it’s not clear whether enough people will download them. Epidemiologists have generally estimated that 60% of the population must use the apps for them to provide an effective tracking system. Even then, Switzerland’s Larus said the apps must be connected to the broader health care infrastructure of a country to have an impact. People need to know what specific actions to take if they receive a notification, such as who to call for more information or to make an appointment for testing. Likewise, doctors, hospitals, StopCovid app call centers, and testing facilities must be prepared to follow set policies if they are contacted by someone who has received an exposure notification. Policymakers must decide whether such people should be directed to get immediate testing or told to monitor symptoms.
“These issues involve large groups of people, and they require political decisions,” Larus said. “These are much more difficult decisions, and they’re very national and specific to each country. There’s not going to be a single app’s back end that you can take from one country and just plop it down in another country.”
Still, Larus said, he’s glad to see that the issues surrounding the app, even though they can be quite technical, are being taken so seriously in France and across Europe. Making the right tradeoffs between privacy, security, design, and policy for this generation of contact tracing apps will be critical to limiting damage from the current pandemic.
But the decisions made now will also likely form the foundation of future contact tracing apps. If the coming COVID-19 apps are widely embraced and prove their value, many painful and time-consuming policy and technical debates could be avoided when the next pandemic hits.
And Larus said we can be sure there will be a next time.
“If you needed to do this again, could we do it faster next time?” Larus asked. “Could we have the code for the app sitting there so that it’s easy to do it again quickly? Is the integration into the health system maintained so that next time we don’t have to start from scratch? The expertise we are developing right now, the knowledge, is going to be important even after we are past this crisis.”