Nearly two-thirds of Swiss citizens are in favour of proximity tracing apps to help control the spread of infections, according to a recent survey. These apps alert users when they have been in contact with infected people. But could such early warning systems also compromise data privacy?
How do tracing apps work?end of infobox
Unlike location tracing, which shows where you have been, proximity or contact tracing records each time two smartphones, which have downloaded the app, come into close physical contact.
Smartphones send Bluetooth signals to each other, looking for other phones with the app. When a contact is detected, both phones log an encrypted “contact event” if they have been in proximity long enough for an infection to be transmitted.
If someone becomes ill they tell the app, which searches though the logs of contact events and alerts anyone who has been too close for comfort with the infected user. To prevent false infection claims, people will typically be required to enter confirmation of their diagnosis from their health provider.
How is my data protected?end of infobox
For a start, proximity tracing apps do not record where you have been and when. They only log the number of times you have been close to another app user for a significant period of time. Secondly, the information is encrypted, which hackers would have to crack to get your personal information.
Experts say that no digital system is completely safe from intrusion, but the involvement of the Federal Institutes of Technology in Zurich and Lausanne (ETHZ and EPFL) provides legitimacy and a high level of comfort for the Swiss-designed app.
Are centralised or decentralised systems better?end of infobox
This has become a hotly debated question, and the Swiss DP-3T app and a pan-European project called PEPP-PT take different approaches. The key difference is what happens when a person signals that they are infected, and how the system then determines who should be alerted.
The PEPP-PT app sends the contact event information on the infected person’s phone (i.e. the records of which other phones have been close to the infected person) to a central server that crunches the data and send out alerts.
Several Swiss collaborators in the PEPP-PT project, including ETHZ and EPFL, recently pulled out over concerns about the centralised data feature. They feel that it is easier to hack and decode personal information on a centralised server and so are now concentrating all their efforts on DP-3T.
DP-3T keeps contact event information on the individual smartphones – it’s only the infection alert that goes to the central server. Individual phones then communicate with the server looking for an alert that matches their contact event data.
How are the Swiss authorities reacting?end of infobox
Both the Swiss health ministry and data protection commissioner favour the decentralised approach. The data commissioner also wants users to have full details on how the apps work and individuals to be legally protected against the federal authorities getting their hands on the data.
Parliament is also demanding that it should have a say on the implementation of such apps, rather than leaving the decision to the government or health ministry.
The DP-3T project, part of the Swiss National Covid-19 Science Task Forceexternal link set up to tackle the pandemic, is due to be completed in May.