The European Commission (EC) has published a document describing how it thinks member nations can best build a contact-tracing smartphone app to fight the COVID-19 pandemic.

Such apps have been adopted by Singapore and India. The UK, USA and Australia have all suggested they’ll soon follow suit. Apple and Google have weighed in, saying they’ll tune their mobile operating systems to help the apps operate, a crucial step because current apps rely on Bluetooth yet smartphone operating systems don’t let an app keep the wireless protocol running constantly in the background.

The apps are controversial because their explicit purpose is collecting data about users and then sharing it. But they’re also seen as a tool for loosening lockdowns: by tracing the encounters that lead to infections, they could help authorities work out who needs to be in isolation and who can roam more freely.


Enter the EC with a 44-page guide to what such apps should do, how they should do it and when they might be deployed.

The document argues such apps can do their job without recording users’ phone numbers. Instead, it suggests that apps broadcast “a temporary anonymous ID that permits establishing contact with other app users in proximity.” Apps record the anonymous IDs they have heard and, if a user who has been in proximity tests positive for coronavirus and consents to having their data shared, the other devices that hoovered up that user’s IDs receive a notification. The document suggests users could optionally enter other contact data if they’d like more than a notification should they receive worrying news.

The EC is not in a screaming rush. Its suggested timeframe is to stage bi-weekly meetings that some time in May deliver a security recommendation and in June deliver data-sharing standards that help authorities to plan exit strategies.

There’s also a list of safeguards the EC believes the apps must include, namely:

App should be deactivated automatically and all remaining personal data and proximity data should be erased, as soon as the crisis is over.

App should be consent-based with full information of intended processing of data

Location data is not necessary nor recommended for the purpose of contact tracing apps, as their goal is not to follow the movements of individuals or to enforce prescriptions. Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimisation and would create major security and privacy issues.

The app should ensure that no user knows the identity of any infected persons or of close contacts of infected persons

In order to enhance privacy and security, proximity data (close contacts) should be stored only on the device, and be deleted after the epidemiologically relevant period as recommended by ECDC (14-16 days). Only after a user has been confirmed infected, the proximity data of that user may be uploaded to the central server and/or the competent health authorities, depending on the system chosen by the Member State.

The ephemeral IDs transmitted between devices via BLE should be generated pseudorandomly and changed periodically. They should neither allow any user to identify the user of the specific device nor to associate multiple signals to the same device.

Pseudonyms should have no relation to long-lived personally identifiable information (PII).

The app should encrypt data as much as possible in order to enhance security and privacy
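To make the decentralised design those safeguards describe concrete, here is a small Python simulation of the anonymous-ID scheme and the retention rule. It is an added example for this article, not code from the EC document, DP-3T or PEPP-PT, and it assumes a 15-minute rotation interval, a fresh 32-byte random seed per day, 16-byte beacon IDs derived with HMAC-SHA256, the 14-day lower bound of the ECDC window, and constructed encounters between three phones called alice, bob and carol.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

EPOCH_MINUTES = 15                         # assumption: a new beacon ID every 15 minutes
EPOCHS_PER_DAY = 24 * 60 // EPOCH_MINUTES  # 96 IDs per day
RETENTION_DAYS = 14                        # lower bound of the ECDC window quoted above


def ephemeral_ids(day_seed: bytes) -> list:
    """Derive one day's rotating beacon IDs from a random per-day seed.

    Each ID is HMAC-SHA256(seed, epoch index) truncated to 16 bytes. Anyone
    without the seed sees 96 unrelated-looking strings, so two beacons from
    the same phone cannot be linked, and no phone number or other long-lived
    identifier goes into the derivation at all.
    """
    return [
        hmac.new(day_seed, epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
        for epoch in range(EPOCHS_PER_DAY)
    ]


class Device:
    """One phone: its own daily seeds plus the beacons it has heard nearby."""

    def __init__(self, name: str):
        self.name = name
        self.seeds = {}      # date -> 32-byte seed, generated fresh each day
        self.observed = []   # (date, beacon_id) records, kept only on this device

    def beacon(self, day: date, epoch: int) -> bytes:
        """The ID this phone is advertising over BLE during the given epoch."""
        if day not in self.seeds:
            self.seeds[day] = secrets.token_bytes(32)
        return ephemeral_ids(self.seeds[day])[epoch]

    def hear(self, day: date, beacon_id: bytes) -> None:
        """Record a beacon received from a nearby phone."""
        self.observed.append((day, beacon_id))

    def prune(self, today: date) -> None:
        """Delete seeds and contact records older than the retention window."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        self.seeds = {d: s for d, s in self.seeds.items() if d > cutoff}
        self.observed = [(d, b) for d, b in self.observed if d > cutoff]

    def report_positive(self) -> dict:
        """What leaves the phone after a positive test and consent: only the
        reporter's own surviving seeds, never the list of beacons it heard."""
        return dict(self.seeds)

    def check_exposure(self, published_seeds: dict) -> set:
        """Re-derive the reporter's IDs locally and match them against what
        this phone heard; the server never learns who met whom."""
        exposed_days = set()
        for day, seed in published_seeds.items():
            reporter_ids = set(ephemeral_ids(seed))
            if any(d == day and b in reporter_ids for d, b in self.observed):
                exposed_days.add(day)
        return exposed_days


def run_scenario() -> dict:
    """Constructed scenario with three phones; returns what each learns."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    day0 = date(2020, 4, 16)
    day10 = day0 + timedelta(days=10)
    day16 = day0 + timedelta(days=16)

    # Encounter 1 (day 0): alice and bob share a bus for two epochs.
    for epoch in (30, 31):
        bob.hear(day0, alice.beacon(day0, epoch))
        alice.hear(day0, bob.beacon(day0, epoch))
    # Encounter 2 (day 10): alice and carol meet for one epoch.
    carol.hear(day10, alice.beacon(day10, 40))
    alice.hear(day10, carol.beacon(day10, 40))

    # Day 16: every phone enforces the retention window before anything else.
    for phone in (alice, bob, carol):
        phone.prune(day16)

    # alice tests positive and consents: only her surviving seeds are uploaded.
    published = alice.report_positive()
    return {
        "published_days": sorted(d.isoformat() for d in published),
        "bob_exposed_on": sorted(d.isoformat() for d in bob.check_exposure(published)),
        "carol_exposed_on": sorted(d.isoformat() for d in carol.check_exposure(published)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running it shows three of the safeguards working together: the positive user uploads only her own daily seeds, each contact re-derives her IDs and matches them locally, and the day-0 encounter with bob produces no alert because both phones deleted it (and alice deleted the seed that could regenerate it) before the report. One caveat a practitioner should keep in mind: publishing seeds means anyone who logged a beacon together with the time and place they saw it can later work out that that beacon’s owner tested positive, which sits uneasily with the safeguard that no user should learn the identity of an infected person. That trade-off is inherent to the decentralised variant and is a reason to keep the seed-based beacon unlinkable to anything else the phone transmits.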

There’s also a call for independent review of the apps by technical experts, open-sourcing the apps, and a fair bit of commentary about such software being a complement to manual contact-tracing. The document also cites an Oxford study that suggests 60 percent of a national population will need to adopt the app for it to be effective.

El Reg is tracking two European efforts at developing contact-tracing apps: the DP-3T project from Switzerland and PEPP-PT. If there are more we should consider, let us know!

The document is sufficiently prolix and careful to be almost a cliché of the European approach to administration! However it is also as comprehensive a statement of the potential pitfalls and requirements that your humble hack has yet seen on the subject. I suspect it will be more than influential in coming weeks.

One last thing: the document suggests that while Apple and Google have made a splash with their announcement of plans to assist contact-tracing apps, the precise details of what they’ll offer are hard to divine. We say that because the first item on the EC’s to-do list is to “seek clarifications on the solution proposed by Google and Apple with regard to contact tracing functionality on Android and iOS in order to ensure that their initiative is compatible with the EU common approach.” ®