The name is more complicated than the idea: “Pan European Privacy-Protecting Proximity Tracing”, or Pepp-PT for short, is the name of a new platform that is supposed to help slow the spread of the corona virus. It is backed by an international team of more than 130 scientists and IT experts. The project is the largest and most ambitious attempt to fight the pandemic with modern technology – without encroaching on user privacy. If enough people join, Pepp-PT could become an important building block to contain Covid-19. Instead of imposing general curfews, it would be possible to isolate the sick and their potential contacts in a targeted manner. Answers to the most important questions:
Who is developing the platform?
For weeks, researchers and employees from more than two dozen institutes, universities and companies have been working on Pepp-PT. From Germany, the Robert Koch Institute (RKI), the Heinrich Hertz Institute (HHI) and the Federal Office for Information Security (BSI) are involved. The Federal Data Protection Officer also accompanies the development and soldiers of the Bundeswehr help with the tests.
“It’s a strange time and the pressure is incredible,” says IT entrepreneur Chris Boos, who helped launch the project. “Some have decided to work separately, we prefer to join forces.” The group worked almost continuously to win the race against the virus. “I have never seen such a cooperative project in which individual egos do not play a role,” says Swiss epidemiologist Marcel Salathé. To date, researchers and institutes from eight countries have been involved in the development: Belgium, Denmark, Germany, France, Italy, Austria, Spain and Switzerland.
All reports on the current situation in Germany and worldwide as well as the most important news of the day – twice a day with SZ Espresso. Our Newsletter brings you up to date in the morning and evening. Free registration: sz.de/espresso. In our News app (download here) you can also subscribe to the espresso or breaking news as a push message.
How does the system work?
Pepp-PT is a software framework on which apps can be based. “We don’t need another app, we need a uniform framework,” says Boos. The problem: If there are many individual approaches that only a small part of the population uses, the concept cannot work. For this reason, a common foundation is to be created that will quickly reach a critical size.
The system is an alternative to the partly repressive and invasive approaches of other countries. Instead of collecting massively sensitive location data, monitoring users or placing infected people in a digital corona pillory, Pepp-PT should be completely voluntary and data protection friendly. The identity of the user remains protected at all times, neither doctors nor the operators of the platform can identify individuals.
“The only way to slow down exponential growth is to prevent human-to-human transmission,” says Salathé. Social distancing and other measures could help. However, it is equally important to warn contact persons of infected people at an early stage. If they show symptoms, it is usually too late, and they have already passed the virus on. This is where Pepp-PT comes into play, which, after a positive diagnosis, notifies all cell phone owners whose devices were close to the patient.
How do the apps work?
At the heart of the system are apps that users install on their smartphones. Their developers integrate Pepp-PT technology, in Germany RKI and HHI are working on such an application. The apps assign a randomly generated number code to each device, which changes at regular intervals and does not allow any conclusions to be drawn about the identity of the user.
With Bluetooth radio technology, the apps scan the surroundings and determine which other smartphones are within range – but the prerequisite is that their owners also use an app that is based on the Pepp-PT system. If two devices come closer than two meters, the apps save the temporary ID of the other cell phone. The data initially remains encrypted on the smartphone, nobody can access it.
In order to reduce false alarms, the researchers examined all widely used cell phone models and measured the signal strength of the radio technology, which sometimes differs. Bundeswehr soldiers have helped to calibrate the technology so that it can detect whether there was a glass pane or other obstacles between the two contact persons that prevent the virus from being transmitted.
So a list of IDs is created on the smartphone, behind which there are people you could have infected yourself or from whom you could have received viruses. Anyone who suffers from Covid-19 transmits the previously stored ID list to a central server. Then the contact persons receive an automatic push notification on their smartphone and are asked to be tested. The IDs contain a country code, so the system works across borders.
Why do users remain completely anonymous?
The temporary, randomly generated IDs function as pseudonyms, which reliably protect the identity of everyone involved. In retrospect, nobody can find out who is hiding behind such a code. Pepp-PT does not save any data that enable de-anonymization. This includes, for example, location data or unique device IDs such as the smartphone’s IMEI number.
“We only measure how long and how close two people met,” says Thomas Wiegand, who heads the HHI. The virus doesn’t care where the meeting took place. “This is the only information that is of epidemiological importance.” The data will be automatically deleted after 21 days. Instead of tracking, Pepp-PT relies on tracing – it should not track the movements of people, but only their contacts should be traceable.
How should abuse be prevented?
Those who report themselves as infected suddenly alert dozens of people – this is an invitation for trolls. Therefore doctors, laboratories and health authorities have to confirm the notification. So a positive diagnosis is imperative. The interface should work encrypted and secret, so that the identity of the sick remains protected. The exact process differs from country to country.
How many people need to use Pepp-PT?
In order to effectively break infection chains, the researchers are aiming for a user base of 60 percent of the population – in Germany that would be 50 million people. With a completely voluntary system, this is a major hurdle. So far there is no app in Germany that is not preinstalled on smartphones and has to be downloaded deliberately and that has so many users. However, a smaller proportion could help to at least slow the spread.
To make matters worse, only about 80 percent of people in Germany have a smartphone. Normal cell phones and older devices do not yet support the necessary Bluetooth standard. In particular, seniors, for whom the virus is particularly dangerous, can only be partially warned. That is why the researchers are considering distributing Bluetooth bracelets or other wearables in the future.
According to surveys, a large part of the population in Germany would be willing to give up some of their privacy in order to stop the virus. That would not be necessary in this case. You only need to install an app. The Pepp-PT platform is scheduled for completion on April 7th. RKI and HHI want to publish the app for German users about a week later.