The controversial Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project provides a good example of how an EU COVID-19 mobile app should function, the European Parliament’s largest political group said on Tuesday (21 April), drawing criticism from other parties.
The conservative European People’s Party (EPP) said in a statement that a single European app which meets EU data protection standards is “crucial” in the fight against COVID-19.
The statement added that the “technical possibilities to collect data anonymously and in accordance with existing EU data protection laws are already available” with software developed by the PEPP-PT consortium.
The recently developed technology analyses bluetooth handshakes registered between smartphone users when they come into close proximity with one another, but the initiative has recently become mired in controversy.
Last week, PEPP-PT came under fire for a lack of transparency in their software operations, after reports emerged that the consortium erased text on their website that had highlighted its commitment to using a decentralised protocol in the technology, which is widely regarded as having higher privacy protections.
It is understood that the project now favours centralised data storage, which can be prone to less security standards.
Since then, following one of the leaders of the consortium, Swiss epidemiologist Marcel Salathé, a number of members of the consortium have decided to withdraw from the project.
Those include Belgium’s KU Leuven, who cited “serious concerns” with the recent news, the Italian ISI foundation, who said they were worried about “ambiguities on governance and communication,” and Germany’s CISPA Helmholtz Center for Information Security.
With the project coming under increasing fire as researchers leave to explore other decentralised data storage solutions, it has also transpired that PEPP-PT now includes strategic communications consultancy Hering Schuppener as a member. The firm was previously contracted by Volkswagen to help mitigate the fallout from the 2015 Dieselgate scandal.
Meanwhile on Monday (20 April), academics from more than 25 countries published an open letter, urging governments to distance themselves from the application of contact tracing software that stores data centrally.
“Solutions based on sharing geolocation (i.e. GPS) to discover contacts lack sufficient accuracy and also carry privacy risks because the GPS data is sent to a centralized location,” the letter read. It added that such solutions could facilitate “a form of government or private sector surveillance that would catastrophically hamper trust in and acceptance of such an application by society at large.”
Back in Brussels, the EPP’s comments, which were signed off by MEP Axel Voss, drew fierce criticism from political opponents in the European Parliament.
“I’m not actually surprised by the EPP’s stance,” Renew MEP Sophie in’t Veld told EURACTIV over the phone. “Axel Voss is a big believer in collecting as much data on citizens as is possible. The fact that he is advocating a large, singular repository of data doesn’t surprise me.”
Last week, Renew’s in’t Veld was a signatory on a Renew Europe letter addressed to PEPP-PT’s founder, Hans-Christian Boos, calling for the consortium to be more transparent in its operations.
“We should be taking a more cautious approach and question what value such an app could be,” she added. “If people don’t trust the technology and the uptake is low, the app would not be a remedy to the virus.”
Meanwhile, Pirate MEP Patrick Breyer was also critical of EPP’s statement.
“Axel Voss appears to have missed that numerous scientists are leaving the PEPP-PT project he is recommending for an EU app,” Breyer told EURACTIV. “This project is not transparent and allows governments to centralise data collection on their own servers.”
“Via mission creep this may result in systems which would allow unprecedented surveillance of society at large.”
Last week, the European Parliament adopted a join resolution on a coordinated response to the coronavirus crisis, in which MEPs highlighted their preference for a ‘decentralised’ model for storing data as part of the use of contact tracing apps.
Parliamentarians stated that “generated data are not to be stored in centralised databases, which are prone to potential risk of abuse and loss of trust and may endanger uptake throughout the Union”. They also demanded that “all storage of data be decentralised.”
The decentralised approach to data storage was one that S&D’s Finnish MEP Miapetra Kumpula-Natri backed.
“I am in favour of using technology to its full potential in crisis situations,” she told EURACTIV over the phone. “But that doesn’t mean that standards should be compromised. Storing data in a decentralised way still offers the same capacity for analytics.”
[Edited by Zoran Radosavljevic]