
Pan-European Privacy-Preserving Proximity Tracing - Quanttek
https://www.pepp-pt.org/
======
Quanttek
Technical details: [https://www.pepp-pt.org/content](https://www.pepp-pt.org/content)

The app basically uses Bluetooth Low Energy for the proximity measurements:
The app generates temporary IDs, so if two smartphones with the app come
close, they exchange their IDs and save the IDs of their respective partner
locally and encrypted. If a person is tested positive for the novel
coronavirus, the doctor can ask the person to upload their list of contacts to
the Pepp-PT server. The app can then compare its list with the list on the
server and notify the user if they had contact with a person who has COVID-19.

Source for the summary (before I found the site at the top):
[https://www.spiegel.de/netzwelt/apps/corona-warn-app-fuer-eu...](https://www.spiegel.de/netzwelt/apps/corona-warn-app-fuer-europa-pepp-pt-setzt-auf-bluetooth-datenschutz-und-freiwilligkeit-a-5e52dbb2-5553-492b-a04a-6f598f8b9205)

~~~
nroets
"The app can then compare its list with the list on the server". So the
comparison takes place on each individual's phone? To do this without leaking
privacy, each phone will need to receive all the ids on the server i.e. all
ids collected by the phones of people with positive diagnosis. This could
require a lot of data to be distributed to a lot of phones.

If the comparison takes place on the server, it will save a lot of bandwidth.
But then there will need to be a Tor-like network to hide the IPs of the
phones doing the requests.

~~~
lun4r
bloom filters to the rescue (:

~~~
nroets
Suppose Alice is permanently at home with only one caregiver. The system
should never tell Alice that she has been in contact with a virus carrier
because that will imply that the caregiver tested positive.

Instead, the system should rather tell Alice she may have been exposed to the
virus and should get tested. Bloom filters can provide that uncertainty.
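
Added example, not part of any comment in this thread and not PEPP-PT code: a minimal Bloom filter showing the trade-off discussed above, where the server ships a compact filter instead of the full ID list, each phone checks locally, and a tunable false-positive rate means a match reads as "possibly exposed" rather than proof. The 16-byte ID length, the filter size, the hash count and the sample IDs are all assumptions constructed for illustration.

```python
import hashlib
import math

ID_LEN = 16  # assumed temporary-ID length in bytes; the thread gives none

def positions(temp_id, m_bits, k):
    """k bit positions from one SHA-256 digest (double hashing)."""
    d = hashlib.sha256(temp_id).digest()
    h1 = int.from_bytes(d[:8], "big")
    # Odd step, so the k positions differ when m_bits is a power of two.
    h2 = int.from_bytes(d[8:16], "big") | 1
    return [(h1 + i * h2) % m_bits for i in range(k)]

def build_filter(uploaded_ids, m_bits, k):
    """Server side: fold every uploaded ID into an m_bits-wide bit array."""
    bits = bytearray(m_bits // 8)
    for temp_id in uploaded_ids:
        for p in positions(temp_id, m_bits, k):
            bits[p // 8] |= 1 << (p % 8)
    return bits

def might_contain(bits, temp_id, k):
    """Phone side: True means 'possibly on the server list', never 'certainly'."""
    m_bits = len(bits) * 8
    return all((bits[p // 8] >> (p % 8)) & 1 for p in positions(temp_id, m_bits, k))

def expected_fp_rate(n, m_bits, k):
    """Textbook Bloom filter false-positive estimate for n inserted items."""
    return (1 - math.exp(-k * n / m_bits)) ** k

def constructed_ids(label, count):
    """Constructed sample IDs (hash of a counter), not real app data."""
    return [hashlib.sha256(f"{label}-{i}".encode()).digest()[:ID_LEN]
            for i in range(count)]

def run_demo(n=1000, m_bits=8192, k=4, probes=20000):
    uploaded = constructed_ids("uploaded", n)         # IDs held by the server
    unrelated = constructed_ids("unrelated", probes)  # IDs never uploaded
    bits = build_filter(uploaded, m_bits, k)
    return {
        "raw_list_bytes": n * ID_LEN,
        "filter_bytes": len(bits),
        "missed": sum(not might_contain(bits, t, k) for t in uploaded),
        "measured_fp": sum(might_contain(bits, t, k) for t in unrelated) / probes,
        "expected_fp": expected_fp_rate(n, m_bits, k),
    }

if __name__ == "__main__":
    print(run_demo())
```

With these parameters the filter is 1 KiB against 16 kB of raw IDs, no uploaded ID is ever missed, and roughly 2% of unrelated IDs also match; shrinking the filter raises that rate, which costs more unnecessary alerts in exchange for more deniability.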

------
ThePhysicist
Yesterday they still wanted to publish the source code and architecture as
open-source, seems they're already back-pedalling on that though and only want
to give access to partners. Personally I think a full open-source approach
would be better.

~~~
div
Software built with tax money should all be open source tbh.

~~~
Datenstrom
A lot of military software is built with tax money.

~~~
izacus
And can that be opensource as well. What's your point?

~~~
ardy42
>> A lot of military software is built with tax money.

> And can that be opensource as well. What's your point?

Probably because military software likely contains military secrets that would
be useful to an adversary.

A lot of espionage is focused on getting seemingly boring information like the
performance characteristics of a radar system. If the radar system is run by
software, and the software is made publicly available to anyone, an adversary
country could learn what they want from the software (and do other things,
like improve their jammers).

The government should definitely get the rights to the source code (and other
IP) for military projects they fund, but I think it should still be kept
secret (so not "open sourced" under a typical understanding of the term).

------
jka
Source code is shared with _partners_ of the program.

The page lists 130 _members_ although it is unclear if that is the same as a
partner.

Partial quote from halfway down the page:

"As a partner, you will:

… have access to our services and mechanisms.

… have access to our documentation and the source code of a reference
implementation."

~~~
clort
> a reference implementation

is not the same as "the implementation"

ie the binary will be built from other sources and those will not be made
available to other parties, partner or not?

------
einarfd
My government (Norway), seems to be going (link in Norwegian
[https://www.simula.no/news/digital-smittesporing-apper-i-and...](https://www.simula.no/news/digital-smittesporing-apper-i-andre-land)),
for a solution where they keep all the data on their servers, and privacy
be damned. The upside they argue for with this, seems to boil down to them
then having a lot more data to look at.

Having an app to help tracking infections, is something I would install. But
what my government seems to be going for, no way. Way too intrusive and all
encompassing.

I haven't found Simula, which is building the Norwegian app, on the list of
partners of PEPP-PT. So this is probably a saner initiative.

~~~
usrusr
I'm torn on this matter. A part of me wants to believe that a fully
acknowledged state of emergency privacy exception, organizationally siloed and
bounded by well defined purpose and expiry, could be less erosive in the end
than something that tries hard to dance along the borders of regular
privacy expectations and sets the new "acceptable" by precedent.

~~~
einarfd
Singapore seems to be doing well with a solution that doesn't store everything
on the government's servers.

Why not follow their lead?

------
okintheory
Immediate reaction: I'm sorry they settled on Bluetooth-induced proximity. It
seems likely to be a poor approximation of "epidemiologically relevant
proximity". I would like to see research supporting the efficacy of this
approach. I suspect they would conclude they need a geolocation-based
approach. This will make privacy even more difficult.

~~~
adrianN
If you're in "epidemiologically relevant proximity" you're almost surely also
in bluetooth proximity. Quarantining a few more people than necessary is not a
big deal and totally worth the privacy tradeoff imho.

~~~
okintheory
Is that true? I'm more worried about false negatives on connections. Two
concerns (as a layperson):

1) Transmission via surfaces is thought to be important (afaik). You don't
have to be in the same place _at the same time_ to transmit.

2) My bluetooth seems pretty slow and unreliable when connecting to my
headphones. Is it reliable for logging ~50 proximities during my trip to the
supermarket?

~~~
HSO
> _1) Transmission via surfaces is thought to be important (afaik)._

According to Hendrik Streeck, a leading researcher in Germany, this may not be
the case:
[https://youtu.be/VP7La2bkOMo?t=231](https://youtu.be/VP7La2bkOMo?t=231)

They are working on a more formal study of this but indications are that the
viruses that other teams have found on surfaces may be "dead" (in the sense
that they cannot actually replicate anymore and therefore are not bioactive
relatively soon after leaving host organisms).

Video only in German, sorry, sure this will get publicized internationally if
the study confirms the indications.

~~~
xenonite
This totally contradicts another study [1]. They found that the virus is
"viable and infectious in aerosols for hours and on surfaces up to days
(depending on the inoculum shed)."

[1]
[https://www.nejm.org/doi/10.1056/NEJMc2004973](https://www.nejm.org/doi/10.1056/NEJMc2004973)

~~~
HSO
that's only a letter not a paper.

and they only measured the quantity, not whether the viruses they found after
x hours could actually still replicate.

~~~
xenonite
Thank you for the hint (in the reference [1], the measurement is done as in [2],
which states "Collected aerosols were analysed by quantitative real-time
polymerase chain reaction (qRT-PCR) and by virus titration"), although I then
don't get why the paper [1] writes that the viruses are "infectious".

[1]
[https://www.nejm.org/doi/10.1056/NEJMc2004973](https://www.nejm.org/doi/10.1056/NEJMc2004973)
[2]
[https://www.eurosurveillance.org/content/10.2807/1560-7917.E...](https://www.eurosurveillance.org/content/10.2807/1560-7917.ES2013.18.38.20590)

------
holri
Austria's Red Cross is developing such a tool (but with ultrasonic
communication with speakers / mics instead of Bluetooth) at the moment. It
seems that it is going to be free software (open source).

------
faltoz
Unless I missed it, this is not open source, right?

Claiming to respect privacy without being open source is useless.

Google, Facebook, etc. also "claim" to respect you, they are also "compliant
with European norms"

~~~
Certhas
You didn't look at this at all, did you? If you did, please explain how it's
useless.

~~~
faltoz
I don't think you've read my comment correctly (maybe I wasn't clear sorry).

I never said the app is useless, I said that "claiming to respect privacy" on
a website is not useful if you don't prove it with open code.

------
lun4r
Privacy is still an issue with several of these Bluetooth-based solutions, and
it can only alert about exposure through proximity, not through e.g. surface
contact. There are other approaches being suggested as well. E.g.
[https://www.healthcast.nl](https://www.healthcast.nl)

~~~
DavideNL
"When you go outside scan every QR-code along the way."

Huh, that sounds ridiculous/impossible... who will be putting these qr codes
all over the Netherlands??

------
xenonite
Well I don't understand how situations like toilet use, where many aerosols
are created, could be safely recorded. (Don't forget that the virus is in the
stool.)

Also note that this air is often piped somewhere else, hence you would need an
airflow analysis.

~~~
KarlKemp
It doesn’t have to be perfect. If this stops just one in four infections, and
masks, washing hands, and distancing each do the same, R0 goes from 2.5 to 0.8
and we win.

~~~
xenonite
I agree that this helps as an _additional_ measure, but certainly not as a
replacement.

But please see the problems with it!

~~~
rswail
South Korea managed to control the spread by endless testing and then contact
tracing and notification and quarantine.

They didn't lock down the cities. They did it and continue to do it without
locking down.

They are staying flat now because they continue to do that.

This is a tool to help that second part of contact tracing. No one is saying
it's a replacement for social distancing, but it enables us to relax it if
there's a way to stop detected infections spreading.

~~~
vonmoltke
"Endless testing"? South Korea has done this thus far by testing less than 1%
of their population: [http://ncov.mohw.go.kr/en/](http://ncov.mohw.go.kr/en/)

~~~
TuringTest
That's because they caught it early, and because they have the factories so
they could ramp-up test production very fast to the level required to contain
the spread. Those are not universal circumstances.

------
anmolsahoo25
Shameless plug, but I created a simple Flutter app which does the exact same
at - [https://github.com/anmolsahoo25/covid19-dtrack-app](https://github.com/anmolsahoo25/covid19-dtrack-app)

Works on Android, maybe useful for someone else, since they are not open-
sourcing the app.

------
xenonite
This requires completely trusting people to carry along their cell phone
("oops I forgot it"), and trusting people to carry their OWN cell phone ("Let
me visit some enemies with the cell phone of my coughing friend to make them
go to quarantine as soon as my friend is tested positive").

~~~
obituary_latte
Touché on second point, but who forgets their phone these days, really? I
haven’t forgotten mine ever that I can remember.

~~~
xenonite
well, one may "forget" it on purpose to avoid being quarantined after seeing
someone else who gets tested positive later on. This could be even used as a
countermeasure to the second point above.

Another reason: "let's meet at a corona party, no cell phones permitted".

~~~
peq
As I understand this, the approach here is to bet on personal responsibility.
This technology cannot be used to enforce quarantines as the authorities have
no access to the data.

Basically, we have to stop 2/3 of infections to get an R<1. If 2/3 of the
population use the app honestly and we keep up some other measures (no indoor
events where people are in close contact, wearing masks while shopping, no
visitors in nursing homes and hospitals, etc.) then this might be enough to
contain the virus until we have a vaccine.

------
m_mmoli
Stuck in lock-down, we started a hack to volunteer contact information to keep
your friends & family informed if you fall ill. Couple of weeks later, we
joined an online Hack and got global support. Then we launched:
[https://contacttracing.app/en/](https://contacttracing.app/en/)

Totally non-commercial; we're relying on the generosity of cloud providers
@neo4j and @digitalocean.

I reached out to pepp-pt (catchy name) to see if they wanted to contribute. Come
put time and energy into our hack.

If any JS devs wanna help out please, please say hi:
[https://github.com/contactTracing-app](https://github.com/contactTracing-app)

------
mattlondon
On Firefox the page appears, then goes black/blank after a second or two...
deliberate? Joke about "preserving privacy" perhaps? Seems odd.

------
blopeur
MIT folks are working on their own version using Bluetooth tech:
[http://privatekit.mit.edu/](http://privatekit.mit.edu/)

------
buboard
You need lots of coverage for these things to work, plus you need reliable
reports of all infections. Governments have access to both these datasets
through mobile carriers and it's GDPR-compliant, so they can start tracing
spread today.

~~~
rswail
Governments could only get the data down to the range of individual mobile
cells, which is way too large to use for any useful contact tracing.

That's why BLE works, it's because it's a very low distance technology only
phones actually within a distance that are relevant are going to show up.

~~~
lun4r
perhaps even too small distance bc it might not connect two persons sitting on
opposite sides of a bus/airplane/... while they could still transmit the virus
between them (less likely, but still)

------
0x006A
how is the list of ids compared?

