In an open letter, almost 300 scientists warn of “unprecedented surveillance”. Now the most important resource that is needed for an app could disappear: the trust of the users.

In early April, everything sounded like a heroic story. More than 130 scientists from all over Europe come together and develop an idealistic project. They work day and night on the Pepp-PT platform because they have one goal in common: they want to help defeat Covid-19 – with the help of cell phone data. “I have never seen such a cooperative project in which individual egos do not play a role,” said Swiss epidemiologist Marcel Salathé during a joint video conference.


Three weeks later there is nothing left of unity. In an open letter, nearly 300 researchers from dozens of countries warn of “solutions” that could creepingly establish unprecedented surveillance of society. The original project is not mentioned by name anywhere, but the message is unmistakable: the former supporters of Pepp-PT, including Salathé, have refused because they distrust the project.

Superficially, scientists struggle for technical details and the way of public communication. In fact, there is much more to it: The most ambitious attempt to slow the spread of the coronavirus by technical means threatens to fail. Because to warn contact persons of sick people and to interrupt infection chains, an app that as many people as possible need as quickly as possible. Two resources are critical: time and trust – the longer the dispute lasts, the scarcer both become.

With the open letter, a conflict escalated that emerged publicly at the end of last week, but has actually been smoldering for some time. “Within a few days, more than 200 renowned researchers signed up,” says Tibor Jager, Professor of IT Security at the University of Wuppertal, who is also one of the signatories. Some of the scientists were previously at Pepp-PT. “They didn’t change their minds from now on, that has been apparent longer.”


If you want to understand the dispute, you need to know a few basic terms and concepts: Pepp-PT should become a European platform on which developers can build with their apps. With the help of the Bluetooth Low Energy (BLE) radio standard, cell phones should be able to save who they are approaching for two minutes or less for at least 15 minutes – exclusively locally on the smartphone of the user and allegedly completely anonymously. This is guaranteed by randomly generated identification numbers, and no additional personal data is collected, the researchers promise.

In the event of a positive diagnosis of Covid 19, the infected person can release the list of his previous contacts – but only their IDs, which are practically pseudonyms. These contact persons are then automatically warned and asked to be tested. This is where the dispute begins: one faction of the researchers supports a central approach in which a server acts as a switching point, which collects the transmitted IDs and then sends push messages. In contrast, the decentralized method only connects the devices to one another. There is no database, all information is only stored locally and transferred from cell phone to cell phone.

“Such a central authority that monitors everything is problematic”

“Privacy can be better guaranteed through decentralized approaches,” says Thorsten Holz, who heads the System Security Chair at the Ruhr University in Bochum. “A central database could be an interesting target for attackers or even be misused by the operators. A central authority that monitors everything is problematic.” Holz has also put his name under the open letter and wants the publication to be understood as a clear criticism of Pepp-PT. “The scientists who support this are not satisfied with how the development went. In the meantime, most academic partners have withdrawn from the project, which speaks for itself.”


In fact, numerous renowned European universities and research institutes have actually abandoned Pepp-PT in recent days, including the Helmholtz Institute, the Italian ISI Foundation, the Catholic University of Leuven, as well as researchers from ETH Zurich and the Swiss Federal Institute of Technology in Lausanne. They are now putting their energy into the DP-3T project, which is taking a decentralized approach.

If you speak to these scientists on Pepp-PT, you will hear a lot of incomprehension and in part open-mouthed accusations. Some believe that initiator Chris Boos wanted to make money with the project – and that would be better with a central approach. The IT entrepreneur sits on the Federal Government’s Digital Council and is said to maintain close relationships with Chancellor-in-Office Helge Braun. His former colleagues accuse him of lack of transparency and bad communication. Last week, for example, the name DP-3T suddenly disappeared from the Pepp-PT website without the parties being warned.

Chris Boos warns of a war of faith

Boos has now apologized for this, that it was “unfortunate”. He rejects the allegations and warns of a war of faith. “Instead of looking at which solution is better in which case, some representatives of the approach approach the discussion religiously,” he said Handelsblatt. He wanted to open Pepp-PT for central and decentralized solutions alike and then look from country to country as to what was best. Assuming that he wanted to enrich himself personally was unacceptable. “So far, almost everyone has been working completely for free for weeks,” said Boos. “But I always said that if there is money, we should be involved.” Boos has not yet responded to a SZ request.


In addition to the discussion about central or decentralized approaches, there is another issue. “My main concern is transparency,” says IT professor Tibor Jager. “With an app that collects sensitive data from millions of people, development must not take place behind closed doors.” The program code must be publicly viewable and can be checked independently. “In this regard, DP-3T is way ahead. The first open source apps are already available that can be tested in practice.”

A Corona app requires trust – and that disappears

The EU Parliament advocated decentralized approaches last week, and Apple and Google are also promoting a solution without a central server. Germany, on the other hand, still adheres to Pepp-PT. “The federal government has to change course,” says Thorsten Holz. “There may be supporters of a central solution in the private sector, but I don’t know anyone in science.” Jager sees it similarly and suspects that Germany could soon change its stance Support came at a time when it was still a real cooperation project. Now the situation has changed. I think the open letter could trigger a rethink. “

At least on one thing, the remaining developers at Pepp-PT and the proponents of DP-3T agree: “In the end, it’s about getting the corona pandemic under control, that shouldn’t be forgotten,” says Chris Boos. “What we want to avoid at all costs is a mud fight,” says Tibor Jager. Both know that a tracing app can only work if a large part of the population takes part. And if supporters of Pepp-PT continue to argue publicly with those of DP-3T, in the end only the virus wins.