Contact-tracing app sets off privacy debate
May 30, 2020
The effectiveness of contact-tracing applications in tackling the coronavirus crisis remains unproven. Nevertheless, like many other countries, Poland, which has so far recorded 23,155 cases of COVID-19 and 1,051 deaths, is working on its own smartphone solution.
The ProteGO Safe app is based on the OpenTrace library, an open-source version of the protocol used by Singapore's TraceTogether application. ProteGO Safe lets users perform a self-assessment of their risk of contracting COVID-19, but the core functionality of the application is contact tracing: the phone broadcasts identifiers (IDs) and scans its surroundings for signals emitted by other phones running the app. The program also saves a history of the IDs of smartphones detected nearby. The government-backed ProteGO Safe developers promise that, to protect privacy, this data is not transferred to any central server and is deleted after two weeks or at the user's request.
Yet the Polish solution is not fully decentralized. The assessment of a user's risk of exposure to COVID-19, a crucial element of any contact-tracing app, is performed on a central server controlled by the Ministry of Digital Affairs. In the project documentation, the ProteGO Safe developers argue that this design is dictated by "the need to extend the use of the application to older devices, on which such analysis would be difficult or impossible."
This explanation, among many other issues, is what worries Polish privacy advocates like Katarzyna Szymielewicz, president of the privacy watchdog Panoptykon Foundation. As she points out, the project specifications are unclear on several points concerning data processing.
What is worse, ProteGO Safe claims to be fully transparent and open-source, but the source code of the application processing data on the server was never disclosed. "At the moment, the code responsible for alerting users to the risk of contracting the coronavirus and data transmission doesn't exist," says Szymielewicz, who stresses the importance of scrutiny on the elements of automated decision-making related to risk assessment within the app.
Red lines
The worries are shared by experienced software engineer and open-source contributor Jaroslaw Potiuk, who initially participated in the ProteGO Safe project.
"We knew from the very beginning that such an application will have to be done together with the government, which keeps the health records and is the only entity that can build the necessary logistics for testing the people who are at risk of contracting the disease," Potiuk tells DW. "The initial idea was to keep maximum privacy. We were very keen on that aspect of the solution and we knew that it is very easy to use the exceptional time and needs of the pandemic to justify the invasion of privacy and potential surveillance. On the other hand, we also knew it can be done with full preservation of the privacy rights," he adds.
Potiuk left the project after one meeting with the Ministry of Digital Affairs, where it emerged that officials wanted the app to link its data with users' mobile phone numbers, which would enable simple deanonymization of users. For Potiuk, this was no longer negotiable: "I knew that at least my red lines had been crossed so I quit immediately."
Project manager Mateusz Romanow, who is on the ProteGO Safe team, says that the Polish solution does not require users to register with a mobile phone number, and that this sets it apart from the apps introduced in other countries, such as the Czech Republic or Norway. He underlines that "he is not and never will be the spokesman of the ministry," but at the same time he quickly adds that officials never wanted to push the team in ethically unacceptable directions.
Yet the fears of potential misuse of ProteGO Safe prevail. During a press conference in late April, the Ministry of Development announced that QR codes embedded within the app could be used to manage the numbers of customers entering shopping malls during the reopening of the economy, incentivizing the installation of the application. This raised questions about the voluntary nature of ProteGO Safe.
Romanow admits that the development team was unaware of such ideas. The officials were quickly persuaded to abandon the plan and, in his words, the ministry now calls it a "communication glitch."
Questions of trust
"Due to the COVID-19 situation, it's much easier to sneak in surveillance solutions under the cover. It is very easy to justify such plans by claiming that this has to be done to save lives, and there is no time to discuss the details," points out Jaroslaw Potiuk.
In his opinion, entrusting the state with the sensitive data processed by the ProteGO Safe app is not so simple — "especially that the government already made the mishap with the shopping malls announcement, which would mean potential discriminative use of the app."
Potiuk notes that the current political situation in Poland — along with social polarization — is not making the matter of trust any easier. "Recent government actions related to the presidential elections and the way they deal with the judiciary is one more reason to wonder that a lot of people will not trust the government and they will simply not install the app," he underlines.
Joanna Debek, deputy director of communications at the Ministry of Digital Affairs, said in an emailed statement that the government was focused on integrating the ProteGO Safe app with the Google and Apple Exposure Notification system — the contact-tracing framework natively supported by the iOS and Android mobile operating systems, which was released on May 20.
"The installation of the application remains voluntary, but its success depends on its wide adoption and number of its users," explains Debek, adding that the ministry will keep encouraging the installation of the ProteGO Safe app.
ProteGO Safe still remains in development. According to the official website, version 4.0 is based on the Exposure Notification system; the whole infection risk assessment process takes place on the user's device; and the temporary unique identifiers cannot be used in any way to identify specific devices or their users.
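The privacy argument running through this article turns on where two things live: the list of identifiers a phone has heard, and the logic that turns that list into a risk verdict. The following is an added illustration, constructed for this page and not code from ProteGO Safe, OpenTrace or the Google/Apple Exposure Notification framework. It models the decentralized design the article describes, with phones broadcasting short-lived identifiers, keeping the observed identifiers only locally, deleting them after two weeks, and performing the risk assessment on the device. The 15-minute rotation period, the HMAC-based derivation of temporary IDs and the 16-byte key size are assumptions chosen for the example; the only data that ever leaves a phone here is the day keys of a user who reports an infection, never the contact history.

```python
"""Toy model of a decentralised exposure-notification exchange (constructed example)."""
import hashlib
import hmac
import os
from datetime import date, datetime, timedelta

RETENTION_DAYS = 14          # observed IDs are deleted after two weeks
ROTATION_MINUTES = 15        # assumption: broadcast ID changes every 15 minutes
INTERVALS_PER_DAY = 24 * 60 // ROTATION_MINUTES


def interval_of(ts: datetime) -> int:
    """Index of the rotation slot within the day (0..INTERVALS_PER_DAY-1)."""
    return (ts.hour * 60 + ts.minute) // ROTATION_MINUTES


def temp_id(day_key: bytes, interval: int) -> bytes:
    """Derive a 16-byte temporary ID from a per-day key and a slot index.

    Without the day key, successive IDs are unlinkable, so a passive listener
    cannot follow one phone through the day (assumed derivation, not the
    framework's exact one).
    """
    return hmac.new(day_key, interval.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str) -> None:
        self.name = name
        self._day_keys: dict[date, bytes] = {}          # stays on the phone
        self._seen: list[tuple[datetime, bytes]] = []   # (when heard, temporary ID)

    def day_key(self, d: date) -> bytes:
        if d not in self._day_keys:
            self._day_keys[d] = os.urandom(16)
        return self._day_keys[d]

    def broadcast(self, now: datetime) -> bytes:
        """The identifier this phone advertises during the current slot."""
        return temp_id(self.day_key(now.date()), interval_of(now))

    def hear(self, tid: bytes, now: datetime) -> None:
        """Record an identifier scanned from a nearby phone; stored locally only."""
        self._seen.append((now, tid))

    def purge(self, now: datetime) -> int:
        """Delete contact records older than the retention window; returns count removed."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        before = len(self._seen)
        self._seen = [(t, tid) for t, tid in self._seen if t >= cutoff]
        return before - len(self._seen)

    def report_infection(self, now: datetime) -> dict[date, bytes]:
        """What a diagnosed user publishes: recent day keys, never the contact list."""
        cutoff = now.date() - timedelta(days=RETENTION_DAYS)
        return {d: k for d, k in self._day_keys.items() if d >= cutoff}

    def assess_risk(self, published: dict[date, bytes], now: datetime) -> int:
        """On-device matching: re-derive every ID the published keys could have
        produced and count how many appear in the local contact history."""
        self.purge(now)
        candidates = {temp_id(k, i) for k in published.values() for i in range(INTERVALS_PER_DAY)}
        return sum(1 for _, tid in self._seen if tid in candidates)


def simulate() -> dict:
    """Constructed scenario: Alice and Bob meet for three slots; Carol met Bob
    20 days earlier (beyond retention); Alice is later diagnosed."""
    t0 = datetime(2020, 5, 1, 12, 0)
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for k in range(3):
        now = t0 + timedelta(minutes=ROTATION_MINUTES * k)
        bob.hear(alice.broadcast(now), now)
        alice.hear(bob.broadcast(now), now)
    old = t0 - timedelta(days=20)
    bob.hear(carol.broadcast(old), old)
    later = t0 + timedelta(days=5)
    keys = alice.report_infection(later)      # the only data that leaves Alice's phone
    purged = bob.purge(later)                  # Carol's stale record is dropped
    return {
        "published_days": len(keys),
        "purged": purged,
        "bob_matches": bob.assess_risk(keys, later),
        "carol_matches": carol.assess_risk(keys, later),
    }


if __name__ == "__main__":
    print(simulate())
```

The contrast with the design the article criticizes is in `assess_risk`: here the matching runs against the phone's own `_seen` list, so no server ever learns who met whom. In a centralized variant that same list would be uploaded and the verdict computed by the operator, which is exactly the part of the ProteGO Safe pipeline whose code Szymielewicz notes had not been disclosed.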