Governments are betting on coronavirus tracking apps to help ease lockdown restrictions. Too bad the techies developing these tools have turned on one another.

At first glance, the spat seems charmingly geeky — developers who favor so-called decentralized design for the apps, with data stored on devices, disagree with other developers who back a centralized design where data gets stored on the cloud.

But for those involved, the choice is ultra-serious and has far-reaching consequences for privacy and Europe's technological independence.

It's already prompted a series of defections from a high-profile German-led project, and comes at an inconvenient time for governments — just as they are agonizing over which apps to choose to help them out of their lockdowns.

At the center of the fight is the clunkily named Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) consortium, an alliance once of around 130 European computer scientists that launched last month with the aim of developing apps that adhere to the Continent's strict privacy rules.

"Right now, PEPP-PT is not open enough, and it is not transparent enough” — Marcel Salathé, a researcher at École Polytechnique Fédérale de Lausanne

But while PEPP-PT is gaining traction among national governments — the body's leadership say eight countries are developing apps using its code, while 40 others have signed up — it is facing an exodus of members over what they say is a lack of transparency and a preference for a centralized app design.

A letter out Monday signed by over 300 scientists from 25 countries — including former PEPP-PT backers — argues that decentralized app designs do a better job of preserving privacy than centralized models.

"The statement ... recommends that decentralised approaches be adopted. Interestingly, the PEPP-PT consortium, now largely composed of German research institutions, has been promoting an opposite, centralized approach," said Kenneth Paterson, an ETH Zürich researcher who publicly withdrew support from PEPP-PT on Saturday in a statement accompanying the letter.

The letter also has the support of researchers across institutes and universities in Canada, the U.K., U.S. and other non-European countries.

It’s the latest, arguably strongest push to adopt “decentralized apps” and steer clear of projects like the earlier PEPP-PT project — after a series of European researchers sounded the alarm in the past days.

“I am personally disassociating from PEPP-PT … I can't stand behind something I don't know what it stands for. Right now, PEPP-PT is not open enough, and it is not transparent enough,” said Marcel Salathé, a researcher at École Polytechnique Fédérale de Lausanne in a tweet on Friday.

Instead, Salathé said he would be pouring his efforts into a DP-3T, a group that began under the auspices of the PEPP-PT, but has now largely detached itself from the umbrella organization.

Other defections swiftly followed, with researchers from ETH Zürich, CISPA, and KU Leuven withdrawing from PEPP-PT to focus on DP-3T over the weekend.

Many defections have focused on PEPP-PT's alleged lack of transparency — a claim backed up by a group of MEPs, who wrote to the organization's leadership on Friday to demand more clarity. By contrast, DP-3T has gained kudos for publishing its code.

Turning tide

The split underscores a rapid breakdown in trust.

PEPP-PT began life as Europe's answer to surveillance-heavy technology used in countries like China to ease lockdown measures, and promised to unite the Continent's techies. Together, they would come up with privacy-friendly ways to do "contact tracing" — a technique of gathering data on encounters and alerting those that have crossed paths with coronavirus-infected people.

But the project is now on life support as erstwhile members withdraw their backing.

“PEPP-PT is still trying to claim it’s some kind of umbrella organization, but it’s been captured by a single project,” DP-3T member and University College London researcher Michael Veale told POLITICO over the phone.

According to Veale, a mostly German group including the renowned Fraunhofer institute and tech entrepreneur Chris Boos are using PEPP-PT to push their more centralized approach to contact tracing at the expense of other models — including the "decentralized" one developed by DP-3T.

Boos, who is also part of PEPP-PT's leadership team, sought to play down reports of the rift in a call with reporters on Friday, saying that PEPP-PT still supports different models of contact tracing. "We still like the DP-3T protocol ... Our approach is that countries have to be able to choose."

The dispute now puts researchers head to head — especially in Germany, where most of PEPP-PT’s members are headquartered.

PEPP-PT's website says it backs both centralized and decentralized approaches to contact tracing. Boos said Friday he is also in favor of a "semi-centralized" model.

At an online virtual conference the same day he also dismissed the debate raging around the relative merits of the different systems.

“Honestly, I could not care less. Both approaches guarantee privacy — one sends more data to a central server and the other sends more data to everyone. It doesn't matter, and this discussion has been going on for 30 years in the crypto community and they will never be able to agree.”

Germany center stage

The dispute now puts researchers head to head — especially in Germany, where most of PEPP-PT’s members are headquartered.

The German government has been in talks with these institutes and companies for its app for weeks. But it will now have to hear out the criticism of the rival, “decentralized” group. Over 50 German scientists signed the new letter, including one from the Fraunhofer institute, several ones from the CISPA Helmholtz Center for Information Security and others from institutes like Bundeswehr University in Munich.

In a position paper sent to the German government, a coalition of German startups that is working with PEPP-PT fired back, arguing that DP-3T's approach of storing data on phones would mean more ending up in the hands of the two companies that make the vast majority of phone software: Google and Apple.

"Looking from a global perspective, PEPP-PT is on the side of a decentralized national storage — while with DP-3T, all data would be stored globally with two giant companies, therefore more centralized than ever," the group, called GesundZusammen, said in a statement.

PEPP-PT promised clarity, but as techies ramp up their feud, privacy-conscious governments are facing an even tougher choice.

Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email pro@politico.eu to request a complimentary trial.