PEPP-PT project: Researchers call for better data protection for Corona warning apps

The PEPP-PT project, which is supported by the federal government, has entered a crisis of confidence: 300 international scientists have branded politicians to warn that some of the solutions for contact tracking apps that are currently under development could "gradually lead to systems, that would enable unprecedented surveillance of society as a whole ". Systems that allow a reconstruction of a person's "social graph" should be rejected "without further discussion".

In your Letter published on Monday The researchers also point out that Google and Apple have been pressured by advocates of centrally organized solutions to open their systems for more extensive data collection. Signatories to the statements include numerous members of scientific academies, fellows from prominent IT associations such as Association for Computing Machinery (ACM), Institute of Electrical and Electronics Engineers (IEEE) and International Association for Cryptologic Research (IACR), as well as many German scientists who work in the field of computer security or in related subject areas.

In their joint statement, the scientists formulate four general requirements for a trustworthy contact tracing system: For example, the contact tracking apps should only be used to contain COVID-19. The system should not be able to collect more data than is necessary for this purpose. In addition, every system under consideration must be "completely transparent", including the protocols and their implementations, as well as the sub-components. The scientists emphasize that the technical option that protects privacy better must always be chosen. After all, the use of the apps must be voluntary. The systems should be switched off after the current crisis and the data should all be able to be deleted.

Co-initiator and IT security researcher Tibor Jager from the Bergische Universit├Ąt Wuppertal points to "questionable current developments" within the PEPP-PT project consortium. In the past few days, numerous partners who bring experience in IT security and privacy protection to the project have distanced themselves from PEPP-PT. Previously, working-level contacts with the scientists who had been working on a decentralized architecture under the name "DP3T (Decentralized Privacy-Preserving Proximity Tracing)" had been broken. They had no longer participated in a PEPP-PT press conference scheduled on Friday. At the conference, initiator Chris Boos announced a further postponement of the project results until the end of April. The federal and state governments only officially supported PEPP-PT on Wednesday.

In the meantime, documents have appeared on Github at short notice, which raised doubts about the assertion of project coordinator Chris Boos that PEPP-PT will allow anonymous, not pseudonymous use. So one sees Concept published by PEPP-PT a server chooses pseudonyms for the terminal. "The solution described here claims to achieve anonymity, but this is not the case," Jager told heise online. "The server can easily link different pseudonyms to each other and 'track' users." The alleged anonymity is based on the assumption that the server simply does not link the pseudonyms. "This is much weaker than what other, similarly simple suggestions can make."

Ninja Marnau from the CISPA Helmholtz Center for Information Security is working on the DP3T project. Heise said online that CISPA is withdrawing from PEPP-PT: "We cannot share the results that became known at the weekend because it is a central approach with unrealistic and risky assumptions of trust. Furthermore, it is not clear whether the entire code actually is will be published. "

It was also problematic that PEPP-PT was not a platform with different forms, but only a communication platform for different projects. Several countries have now committed themselves to this, but they are pursuing very different approaches that are not interoperable with each other. Marnau: "That made an informed debate about different functionalities and risks impossible, especially since the lack of communication and lack of transparency also became a problem internally."


. (tagsToTranslate) Corona Apps (t) Coronavirus (t) Data Protection (t) PEPP-PT (t) Tracing