The Gist: What's with the Covid Apps?

Across the world, mass population tracking apps are being deployed or developed. I try to get to the Gist.

To a man with a hammer, everything looks like a nail.

As the coronavirus swept through Asia, there were reports of the deployment of the Chinese mass surveillence regime to track and control the poplulation through their phones. Singapore, careful to always present itself as an alternative Asian model, rolled out an app trying to preserve privacy while still helping with contact tracing.

Now, as the US and EU grapple with their own lockdowns, technologists, doctors and governments alike are sure that Covid Apps represent a potential silver bullet solution to reopening economies.

But not all app approaches are equal. This- insofar as it can be given the speed the situation is moving- is the Gist.

Ireland: The Wrong Reflex

Having a medically useful Covid 19 tracking app is not a software project. It is a social project. That is because the app will only work to help identify who has been near an infected person if it has widespread adoption.

Basically, if people don’t want an app on their phone because they don’t trust it then whole project is dead on arrival.

The Singapore model recognises this. There, the source code of the app was published for everyone to examine. The best way to kill rumours or misinformation about what an app can do is just to let everyone see for themselves. The app itself aims to ensure that there is no centralised database of the populations’s movements. Instead, a bluetooth token is passed from phone to phone, if they both have the app installed.

The Irish Health officals have, to date, stated that they will not publish their app’s source code before launch.

Add to this the suggestion that the project isn’t being developed in-house, but has been contracted out to an external management consultancy, and the refusal to publish the (legally required) Data Protection Impact Assessment in advance to allow all stakeholders to assist with the planning and development of the project. That document would also allow us to see if the model is one with a centralised database of population movements or a decentralised Singapore-style model.

They haven’t said why they want to keep the app details hidden. And, to be clear, it doesn’t matter why. What matters is that the launch of the app will inevitably be marred by immediately being the subject of questions and misinformation that could have been avoided by simply overcoming the State’s institutional impulse for secrecy.

The development of this app seems to have drifted within the purview of the Department of Public Expenditure and Reform- the same ministry responsibile for the PSC project. Given that what is at stake can be described as literally life or death, we can only hope that the same institutional mistakes of that ‘mandatory but not complsory’ project are not going to be repeated.

EU Commission: A False Start

There’s no point pretending otherwise- The EU has not had a great Pandemic so far. Member states have gone it alone, instead of acting in concert. There have been instances of hoarding of PPE by countries and one member state decided to bring in an autocracy in the kerfuffle.

Healthcare is not an EU competency. The Treaties that govern the EU leave that to the individual countries. So, in an effort to exert some relevance and influcence, the EU Commissioner in charge of telecoms decided they would try to co-ordinate data-informed responses. We saw an initial flurry of effort around mobile phone tracking (mostly not actually useful, as this data tracks location within such large cell sizes as to tell us nothing about who was within 2m or 20m of anyone else).

Then we saw the emergence of a slightly mysterious body- The Pan-European Privacy-Preserving Proximity Tracing group (PEPP-PT). Basically built around one fellow, Hans-Christian Boos, this has been tapped by the relevant EU Commissioner as being a framwork the EU might endorse for Covid Tracking apps.

The problem is that it has, so far, refused to provide documentation of what that framework might be. Members of the consortium were growing concerned at the lack of info before that concern burst into alarm at the removal of references to the decntralised model of tracking (DP3T) from the PEPP-PT website. Here’s Kenneth Patterson, the Professor of Computer Science at ETH Zurich , who then announced that ETH Zurich was withdrawing from the PEPP-PT consortium.

“Their system is closed and not open to review by external experts. We can’t look at a specification. We can’t look at code. So the system could be full of bugs. It could have a backdoor for the security services. No one outside their closed project can tell.

This opens the gates to privacy hell”

And this was followed by a pretty punchy letter yesterday from a group of MEPs, putting basic questions to the PEPP-PT contact, Mr. Boos, about the group’s plans and structure.

You can read that letter here. But here’s the key paragraph;

Can you explain why PEPP-PT has so far not been transparent on the functioning of the contact-tracing apps it is developing? Why has it not published its full protocol for security and privacy, and not devided to make its code available through open source, so that people can verify whether the application functions as stated by the authorities, such as the DP3T approach?

These questions seem sort of familiar to anyone who’s just read the paragraph above on the Irish Government’s approach. It would be nice to know if the Irish Gov is one of those seven countries that PEPP-PT’s Boos says have committed to adopt this centralised, cloud-based ‘privacy hell’ model.

The US: It’s Google and Apple’s world, we just live in it

While the rest of the world works on apps, the two companies that effectively control the entire smartphone ecosystem decided to get out ahead of the game. Remember, these companies do not want people to come to resent their smartphones as tools of oppressive governments tracking their populations silently, a tiny trench-coated agent in every pocket.

So they’ve moved to introduce a framework for tracing apps that would force the use of decentralisation as the model if you wanted them to run in the background.

In the end, this is the move with the greatest significance made so far in the contact tracing app ballet. It will probabaly be the deciding factor for which model is adopted, regardless of whatever dreams individual governments had.

And, while their move has been in favour of privacy today, it is a reminder that when it comes to the smartphone world, there are two voices that matter and everyone else is just playing in their sandpit.

Note: This was sort of long, for a Gist and a bit niche. But I hope it’s been at least of interest. Thanks are due to my loyal subscriber who suggested this special topic edition. All errors are my own, as usual.