European Commission Wants Coronavirus Tracing Apps To Build In Strong Protections For Privacy -- Unlike The French Government
from the essential-requirements dept
Techdirt has just written about France's incredibly hypocritical attitude to privacy when it comes to contact tracing apps for COVID-19. The European Commission seems to be rather more consistent in this area. As well as pushing privacy legislation like the GDPR and ePrivacy Directive, it has released a series of documents designed to help EU Member States create tracing apps without compromising on citizens' privacy. For example, on April 8, it adopted a "Recommendation to support exit strategies through mobile data and apps", which called for "a joint toolbox towards a common coordinated approach for the use of smartphone apps that fully respect EU data protection standards". Details followed a week later, when the European Commission announced a pan-EU toolbox for "efficient contact tracing apps to support gradual lifting of confinement measures". A 44-page document spelled out in some detail (pdf) the "essential requirements" for national apps deployed in the region -- that they should be:
voluntary;
approved by the national health authority;
privacy-preserving -- personal data is securely encrypted; and
dismantled as soon as no longer needed.
Finally, as if to underline the importance of respecting citizens' privacy yet further, the European Commission released another communication (pdf) providing "Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection". The whole section on security is worth reading in full, since it offers a good summary of the current thinking on the best ways to preserve privacy with these apps:
The Commission recommends that the data should be stored on the terminal device of the individual in an encrypted form using state-of-the-art cryptographic techniques. In the case that the data is stored in a central server, the access, including the administrative access, should be logged.
Proximity data should only be generated and stored on the terminal device of the individual in encrypted and pseudonymised format. In order to ensure that tracking by third parties is excluded the activation of Bluetooth should be possible without having to activate other location services.
During the collection of proximity data via [Bluetooth Low Energy communications between devices] it is preferable to create and store temporary user IDs that change regularly rather than storing the actual device ID. This measure provides additional protection against eavesdropping and tracking by hackers and therefore makes it more difficult to identify individuals.
The Commission recommends that the source code of the app should be made public and available for review.
Additional measures to secure the data processed can be envisaged notably with automatic deletion or anonymisation of the data after a certain point in time. In general, the degree of the security should match the amount and sensitivity of personal data processed.
All transmissions from the personal device to the national health authorities should be encrypted.
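To make the guidance on temporary IDs and automatic deletion concrete, here is an added sketch that is not taken from the Commission's documents or from any national app. It assumes a generic scheme in which each phone derives its broadcast IDs from a random daily key; the 15-minute rotation, the 14-day retention window and all names are illustrative assumptions.

```python
import hashlib
import hmac
import os

ROTATION_SECONDS = 15 * 60       # assumed: a new temporary ID every 15 minutes
RETENTION_SECONDS = 14 * 86400   # assumed: proximity data kept for 14 days

def interval_of(ts: int) -> int:
    """Number of the rotation interval that contains Unix time ts."""
    return ts // ROTATION_SECONDS

def temp_id(daily_key: bytes, interval: int) -> bytes:
    """Temporary ID for one interval: a truncated HMAC, unlinkable without the key."""
    msg = interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class ProximityLog:
    """On-device record of IDs heard over Bluetooth: no device ID, no location."""

    def __init__(self):
        self._seen = {}  # temporary ID -> time it was last heard

    def record(self, heard_id: bytes, ts: int) -> None:
        self._seen[heard_id] = ts

    def purge(self, now: int) -> int:
        """Automatic deletion: drop entries older than the retention window."""
        old = [i for i, ts in self._seen.items() if now - ts > RETENTION_SECONDS]
        for i in old:
            del self._seen[i]
        return len(old)

    def match(self, published_key: bytes, day_start: int) -> list:
        """Re-derive one day's IDs from a key its owner published; compare locally."""
        first = interval_of(day_start)
        ids = (temp_id(published_key, n)
               for n in range(first, first + 86400 // ROTATION_SECONDS))
        return sorted(self._seen[i] for i in ids if i in self._seen)

if __name__ == "__main__":
    day = 1_587_340_800                      # constructed: 2020-04-20 00:00 UTC
    alice_key = os.urandom(32)               # never leaves Alice's phone unless she reports
    bob = ProximityLog()
    for t in (day + 600, day + 1500):        # Bob hears Alice in two different intervals
        bob.record(temp_id(alice_key, interval_of(t)), t)
    print("IDs differ across intervals:",
          temp_id(alice_key, interval_of(day + 600)) != temp_id(alice_key, interval_of(day + 1500)))
    print("contact times after Alice publishes her key:", bob.match(alice_key, day))
    print("entries purged after retention:", bob.purge(day + 1500 + RETENTION_SECONDS + 1))
```

An eavesdropper who captures the broadcasts sees only unrelated 16-byte values; linking them requires the daily key, which the owner discloses only on reporting.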
The contrast between this rigorous and comprehensive approach to safeguarding the rights of citizens and France's cavalier disregard for the same is stark. Unfortunately, the Commission's guidance is not legally binding and is likely to be ignored by the French government, which often insists on going its way, as with its terrible implementation of Article 17 of the EU Copyright Directive.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Filed Under: contact tracing, covid-19, eprivacy directive, eu, france, gdpr, privacy
Reader Comments
Doesn't seem like something that can easily be made voluntary
[ link to this | view in chronology ]
Re:
It can, you just won't get the same guaranteed reliable results, and won't have much use following the current emergency situation.
[ link to this | view in chronology ]
"French government, which often insists on going its way"
This is one of the reasons why I often mock the people who voted Brexit because they perceive the EU as some kind of dictatorship that left no leeway for local decisions. The UK, along with France and Italy, regularly did things differently to the rest of the EU and were often granted special concessions. It's just that the EU made a handy scapegoat whenever these turned out to be bad decisions.
[ link to this | view in chronology ]
European Parliament resolution
This follows the European Parliament resolution of 2020-04-17 https://www.europarl.europa.eu/doceo/document/TA-9-2020-0054_EN.pdf (HTML version:
(bold added)
[ link to this | view in chronology ]
Google and Apple have been lobbying, or someone has been following their proposals.
[ link to this | view in chronology ]
The French situation is actually more nuanced than what you are reporting. They actually develop a really secured protocol for contact tracing, more secured in terms of privacy than what has been proposed by Apple and Google. But its implementation cannot be done using the API Apple and Google are developing. That's why they asked for a higher access to the Bluetooth functionality.
[ link to this | view in chronology ]
Re:
If they want more access than normal app developers you can be sure that it is not for protecting user privacy.
Also, the thing with the Google/Apple protocol is that the servers cannot identify contacts, but only provide everyone with the information that allows them to determine that they are a contact. That it relies solely on self reporting, both for those who contract covid-19, and those they were in contact with. You cannot get more privacy respecting than that.
[ link to this | view in chronology ]
Re:
Access to what?
[ link to this | view in chronology ]
Remind me again ... what is the french for backdoor?
Notwithstanding the purported aims of politicians, bureaucrats, medics, clinicians, and possibly developers of a bluetooth app, it appears to me that, as a user of an ancient Motorola moto 4g/lte phone running kitkat (which has data, location, and wifi turned off), even if it could somehow determine that a passing phone carrier (possibly untested, like me) is asymptomatic, infected or recovered, how would said app phone home (wherever that is)?
Deity only knows.
[ link to this | view in chronology ]
Re: Remind me again ... what is the french for backdoor?
Surprise buttsecks?
[ link to this | view in chronology ]
I have yet to find any specifics about the possible implementation(s) of such a system. Will this become mandatory? What about those who refuse? What about all those who lack a cell phone? I have read there are tracker bracelets available but will the homeless wear them?
I doubt those on the far right would be very enthusiastic about this, they may even claim it is part of the 5G/corona conspiracy or something.
[ link to this | view in chronology ]
Re: trust your betters
relax,
The expert technocrats/bureaucrats/politicians in government (French or otherwise) will handle everything for you -- that's why we have rulers in the first place.
Do as you are told, pay your taxes, and do not fret or complain.
[ link to this | view in chronology ]