The biggest risks associated with contact tracing apps are related to the potential misuse of the information they collect. Compared to many other types of applications, a contact tracing app inevitably collects an exceptionally large amount of sensitive, highly detailed information about the contacts and relationships between individual users. In addition, for a mobile application to be effective for its intended purpose, as many citizens as possible should voluntarily install the app and actively use it. As a result, the system behind the tracing application will collect a lot of information about the mutual contacts of people – considerably more than any other system currently used by authorities! It is clear, therefore, that the system and the tracing application must be designed such that effective contact tracing can be achieved while minimizing the exposure of privacy-sensitive user data.
Centralized tracing models, such as the TraceTogether solution used in Singapore, the CovidSafe application used in Australia, and the PEPP-PT model developed in Germany, do not provide adequate privacy protection for their users in this regard.
These systems are based on an approach in which a centralized backend system assigns a unique identifier (a pseudonym) to each user’s application, from which frequently changing pseudonymous proximity identifiers are derived and broadcast over Bluetooth to other nearby devices. The weakness of this approach is that the backend system is able to associate all proximity identifiers of all users with the unique pseudonym of each user. This in turn enables comprehensive monitoring of all users of the system.
By recording proximity identifiers observed by Bluetooth sensors in a number of strategically placed observation points in a given area (e.g. in a particular city), it is possible to track the movements of individual users between observation points and thus collect very detailed movement profiles of individual users.
Although the system does not explicitly collect or record the true identities of individual users, movement profiles based on pseudonymous tracing data make it possible to identify a large fraction of users with high probability. This is mainly because movement profiles are very distinctive. For example, using only the locations of home (main location during the night) and the workplace (main location during the day) makes it possible to identify a very large proportion of people unambiguously. Other possibilities for de-anonymisation have also been proposed: for example, it is conceivable that by placing a Bluetooth sensor close to a camera system with facial recognition ability, it is in principle possible to directly associate the proximity identifier beaconed over Bluetooth, and thereby the pseudonym used by the system, with an identifiable person and thus entirely de-anonymise the person in question.
For the reasons mentioned above, contact tracing apps should be based on decentralized identification of contacts. In this model, the backend system does not have information about the proximity identifiers of users and is therefore unable to associate them with individual users. Indeed, due to the fundamental problems with the centralized tracing model, the Federal Government of Germany decided to abandon the approach of the PEPP-PT consortium, which it initially supported, and has set clear criteria for the German Coronavirus surveillance application to be based on decentralized contact tracing.
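The difference between the centralized derivation of proximity identifiers and the decentralized model described above can be shown in a short threat-model sketch. This is an added illustration, not code from any of the apps named here: the HMAC-SHA256 derivation, the epoch counter and all class and function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

def proximity_id(key, epoch):
    # Assumed derivation: truncated HMAC-SHA256 of an epoch counter under a per-user key.
    return hmac.new(key, epoch.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:32]

class CentralBackend:
    """Centralized model: the backend issues every pseudonym and key, so it retains both."""

    def __init__(self):
        self.keys = {}  # pseudonym -> key

    def register(self):
        pseudonym, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.keys[pseudonym] = key
        return pseudonym, key

    def link(self, observations, epochs):
        # Precompute every proximity ID the backend can derive, then resolve observations.
        table = {proximity_id(k, e): p for p, k in self.keys.items() for e in epochs}
        return [(place, table.get(pid)) for place, pid in observations]

def compare_models(epochs=range(4)):
    backend = CentralBackend()
    backend.register()                      # unrelated user, so the table is not trivial
    pseudonym, central_key = backend.register()
    local_key = secrets.token_bytes(32)     # decentralized: made on the device, never uploaded

    # Constructed observations: (observation point, proximity ID heard there).
    seen_central = [(f"point-{e}", proximity_id(central_key, e)) for e in epochs]
    seen_local = [(f"point-{e}", proximity_id(local_key, e)) for e in epochs]
    return pseudonym, backend.link(seen_central, epochs), backend.link(seen_local, epochs)

if __name__ == "__main__":
    pseudonym, central, local = compare_models()
    print("centralized  :", central)    # every point resolves to the same pseudonym
    print("decentralized:", local)      # every point resolves to None
```

When reviewing a tracing design, the question this sketch makes concrete is which party holds the material from which proximity identifiers are derived: whoever holds it can rebuild the lookup table.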