Switzerland this week launched a pilot program for SwissCovid, a contact tracing app based on Apple and Google’s jointly developed APIs.
The APIs will work with iOS 13.5 and devices running Android 6.0 or higher.
The pilot involves several thousand workers at Ecole polytechnique fdrale de Lausanne, ETH Zurich, the Swiss Army, and staff at some hospitals and cantonal administrations.
The app will monitor people in real-world situations, notifying participants who have been in contact with someone who was diagnosed COVID-positive.
It will run until the Swiss Parliament debates its legal basis in June. The aim is to launch it nationwide in mid-June.
However, the app was
publicly available in the Google Play Store for several hours on Monday.
Access was restricted on Tuesday, according to EFPL spokesperson Emmanuel Barraud.
Although the number of unauthorized downloads has not been disclosed, the unintended access should not affect the pilot’s effectiveness, Barraud said.
How SwissCovid Works
SwissCovid uses Bluetooth Low-Energy beacons to exchange and record the ephemeral proximity identifiers of phones in a user’s vicinity. The identifiers are kept on the phone unless the user tests positive for COVID-19.
The app signals a user who has been in prolonged contact with one or more people who subsequently tested positive for COVID-19. The user must have been in contact with a COVID-positive person for more than 15 minutes or must have been less than two meters away — about six feet.
SwissCovid indicates the day of exposure the risk and tells the user what procedures to follow.
Users who test positive are given a single-use code by their doctor, which lets them voluntarily send their phone’s ephemeral keys, for the days they are contagious, to a server managed by the Swiss administration.
SwissCovid uses the Decentralized Privacy-Preserving Proximity Tracing (DP3T) protocol to minimize the collection and sharing of information.
The protocol, from EPFL’s Security & Privacy Engineering Laboratory, is the joint work of 25 academics from research institutions across Europe.
“Our goal is to offer a solution that can be adopted in Europe and around the world,” said Carmela Troncoso, an assistant professor at EFPL and head of its SPRING Lab.
The EU plans
to adopt common rules for using mobile apps to track the spread of the coronavirus.
Security and Privacy
Contact tracing has raised a number of concerns about security and privacy.
Researchers
uncovered seven security flaws in the UK’s app. A security flaw in Qatar’s Ehteraz mandatory tracing app
exposed the personal information of more than 1 million people.
In the United States, Democrat and Republican lawmakers
have released competing bills targeting privacy in COVID-19 contact tracing apps.
Apple and Google have tried to forestall obstacles stemming from privacy and security concerns by requiring public health authorities (PHAs)
to sign legal agreements governing use of the Apple-Google API:
- Apps built using the APIs can be used only to fight the coronavirus epidemic;
- The amount of data collected must be minimized;
- The PHAs must get user consent at multiple stages;
- Users can turn exposure notifications on and off;
- They cannot ask permission to use a smartphone’s location services;
- They cannot employ user data collected for things like targeted advertising; and
- The API will be available for only one app per country or region, depending on the government’s approach.
All metadata associated with Bluetooth will be encrypted.
Centralized vs. Decentralized
There is considerable debate in Europe over whether to adopt a centralized or decentralized approach. The UK has taken a centralized approach, while SwissCovid is decentralized, storing personal data it collects only on users’ phones.
“Governments prefer centralized proximity tracking because they receive the richest amount of information. They have more detailed information on users and citizens to understand deeper trends,” noted Ray Wang, principal analyst at Constellation Research.
However, the success of that approach relies on trust in the collector, and “privacy advocates are worried about the social graph moving into the hands of governments,” Wang told TechNewsWorld. “Privacy advocates prefer the decentralized approach.”
Decentralized models “tend to be faster. They can be more resilient if a massive breach of the data is also decentralized, and they can better conform to localized regulations and concerns,” remarked Rob Enderle, principal analyst at the Enderle Group.
However, they are more difficult to secure overall because of their increased complexity, greater contact surface, and numerous weak links, Enderle told TechNewsWorld. Further, analysis “is often slower and less comprehensive.”
Centralized systems are easier to secure and manage, faster to analyze, and less expensive to deploy, Enderle said. They often are also more robust.
On the other hand, centralized systems don’t conform as well to local rules such as moving data, Enderle pointed out. They make it easier to capture the entire database if breached, and can be destroyed totally in a catastrophic event.
Coming to America
There is no clear-cut indication as to which approach would be best in the U.S.
“I think the question is which solutions protects the rights of people best,” said Mike Jude, research director at IDC.
“Obviously, this would be a decentralized application,” he told TechNewsWorld. “However, that’s a very American point offer — that freedom is more important than centralized control.”
Still, both approaches are dangerous because “we’re building an infrastructure that can easily be perverted by a police state,” Jude said. “Any system like this can and will be used for nefarious purposes.”
A group of 200 scientists worldwide expressed concern that tracking apps could be misused for surveillance purposes.
Despite issues in the U.S., “if the COVID-19 vaccine doesn’t pan out,” Jude said, “or there’s a second wave that’s more intense than the first, people might demand contact tracing.”
Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.
Email Richard.