Contact tracing? What about ...
NGI Zero supports research dealing with pandemic
Technology is not a panacea for everything, but some technology may indeed be of help dealing with crises like the SARS-CoV2/COVID-19 pandemic. However, it is vital that if we decide to deploy technology we do so without endangering our privacy and security — there are some things you can never undo. NGI Zero is building towards a more trustworthy next generation internet, and some of the already developed technologies can be immediately useful in the current crisis. Some researchers involved with NGI Zero-projects also critically and constructively investigate the technical potential of privacy-friendly, secure and accessible solutions. They for instance look into whether contact tracing is not better off if we can entirely avoid the smartphone - and all the liabilities that brings.
The COVID-19 pandemic has led to drastic measures worldwide, as governments first try to block and afterwards slow down the spread of the virus. This severely limits the physical freedom of hundreds millions of people, overloads health care systems and has a deep impact on economies and societies around the world. To prevent infection as much as possible while we wait for a vaccin, researchers and companies scramble to develop technologies that can map and track the virus.
Can an app save the world?
A novelty class of applications that has captured the imagination are the so called "contact tracing" apps, smartphone applications that in by far the most designs broadcast radio signals (over Bluetooth, the technology with which you for instance connect to a wireless headphone) between smartphones or other devices capable of doing so. Such a system allows you to check — some time after you have been potentially exposed, unfortunately — whether you have been close (with a rather broad range of close) to someone who is reported sick or infected. The appeal is clear, but the caveat is that everyone activates the app and makes a report after she or he is found to be ailing. Regardless of whether such a mechanism is an effective way to prevent or slow down the spread of a virus in a certain stage of a pandemic, governments, health agencies but also politicians need to ask themselves very important privacy and security questions when considering the development or deployment of a 'corona app':
- How does an app work and where does the data actually go?
- Who has access to data, and how is it protected? Can the technology used adequately protect our privacy (privacy by design, not by contract)?
- What are the security implications of deploying this within a given population, both at level of vulnerable groups as well as at a macro-level
- Is it inclusive: what about people without a (smart)phone, or people for whom this gets too complex quickly?
We have to be realistic. An app alone is unlikely to 'save the world', and there are significant and hard to map the larger risks involved in rushing into massive technology push. Without a clear goal and transparent design, contact tracing apps may even make matters worse by giving users a false sense of security and increase the risk of contamination or be misused for mass surveillance (or simply be fundamentally insecure).
Trustworthy and inclusive
NLnet believes that if technology is to be used to help trace the spread of the COVID-19 infections, the technologists behind those projects should guarantee the rights of citizens, meaning that at least the following requirements must be met:
- Privacy by design
- Verifiably secure
- Open source
- Accessible
- Single purpose (no function creep)
That may seems like an unsurmountable heap of fundamental issues and tough demands, and one could argue that there is no point in even trying. Our position is that technology could potentially contribute, and rather than sit on our hands that we should constructively explore the different options to see what can be done. Some of the projects funded by NLnet and NGI Zero therefore contribute to open source efforts investigating whether it is possible to build privacy-friendly, secure, user-centric contact tracing.
NGI Zero is a mission-driven coalition that supports development of privacy and trust enhancing technologies and more open and empowering search and discovery as part of the Next Generation Internet initiative, an ambitious R&D effort from the European Commission to make the internet more resilient, trustworthy and sustainable.
Simmel: Why use a smartphone?
Simmel is a platform that enables COVID-19 contact tracing while preserving user privacy. It is a wearable hardware beacon and scanner which can broadcast and record randomized user IDs. Contacts are stored within the wearable device, so you retain full control of your trace history until you choose to share it. The Simmel design is open source, so you are empowered to audit the code. Furthermore, once the pandemic is over, you are able to recycle, re-use, or securely destroy the device, thanks to the availability of hardware and firmware design source.
Read more about Simmel or visit the project's website if you want to contribute.
Variation Graph
The Variation Graph is a project that is pioneering privacy-preserving variation graphs, that allow to capture complex models and aggregate data resources with formal guarantees about the privacy of the individual data sources from which they were constructed. One of the many types of sensitive data that can be represented in a variation graph form, is geolocation trajectory data - the trajectories of individuals and vehicles through transportation networks. Epidemiologists can use a public database of personal movement trajectories to for instance do geophylogenetic modeling of a pandemic like SARS-CoV2. The idea is that one cannot see individual movements, but rather large scale flows of people across space that would be essential for understanding the likely places where a outbreak might spread. This is essential information to understand at scientific and political level how to best act in case of a pandemic, now and in the future.
Read more about VariationGraph or visit the project's website if you want to contribute.
PPDT: Trustworthy contact tracing or bust
The PPDT (Privacy Preserving Disease Tracking) project is contributing knowledge on distributed reputation and architectural skills to TCN to see how close we can get towards a privacy preserving contact tracing mechanism. There are quite some challenges, and collaboration between the thousands of experts involved with a Cambrian explosion of initiatives is essential. How can we protect best protect user privacy? Can we remove the ultimate single point of privacy failure of the operators of a server having access to data, and create a decentralised alternative that gives strong guarantees of trustworthiness? The project aims to create a portable library that can be used across different mobile platforms, and make sure that aggregated data can be sent back to the participants.
Read more about PPDT or visit the project's website if you want to contribute.
Want to help? Send in your idea!
Next to funding critical investigation of privacy-friendly COVID-tech, NLnet and NGI Zero-projects share their knowledge to help where they can in this time of crisis:
- Cryptographic verification tool and NGI Zero-project Verifpal helped dramatically speed up formal modeling of the contact trace protocol DP3-T
- NGI Zero-projects offer privacy-friendly and open source remote work solutions
Do you want to help as well? Submit a proposal! NGI Zero is open to project proposals for privacy and trust enhancing technology and ideas to improve open search and discovery. Submit your proposal to the NLnet foundation before the next following deadline and see if we can help you.