Have we been close?
The spread of the SARS-COV-2 virus has led to many digital initiatives trying to slow down contagion and to ‘flatten the curve’. Hackathons, developers, academics and pundits all try to contribute in their own way. Proximity tracing through a mobile app seems to be the most logical way forward and we are convinced that we will see several of these come into the market.
In a European context, these apps should never make a trade-off between privacy and functionality but they should be privacy-preserving at heart and respect the sovereignty of individual citizens. That is the only way to make them acceptable and accepted.
There is no reason not to, as decentralised technologies provide the necessary tools to create privacy-centric, self-sovereign apps for proximity tracing.
The European Context
The Dutch prime-minister Mark Rutte spoke of a government that “treats its citizens as adults” when it comes to self-isolation and social distancing; in other words, no police in the streets to enforce the lock-down, but an appeal to everyone’s common sense to stay at home and only go out when necessary. This approach fits the Dutch ‘laissez-faire’ culture and the wider European mainland tradition in which cooperation, consensus, and serving the interests of multiple stakeholders play a central role.
This kind of self-sovereignty of citizens is important to create buy-in from the public. This is what will make the solution accepted in the European context.
Secondly, Europe has strong privacy-preserving laws and regulations. And Europe has these because of its history in which it has seen the dark sides of governments using information on their citizens in unacceptable ways. We could argue that we might temporarily do with less privacy for the greater good, but it’s even better if that is simply not needed.
So we’d better start designing a solution with privacy at its heart. That is what will make the solution acceptable in the European context.
Both these conditions can be met if tracking solutions are built using decentralised technologies.
Preserving privacy and enabling self-sovereignty through decentralised technology
When we talk about decentralisation we mean that a system operates without a single central authority, both architecturally as well as politically. This makes it possible to create a system which is resilient, autonomous, secure and privacy-preserving.
Decentralised technologies enable an architecture without central servers and databases in which applications run locally leveraging only natively stored data or data from a distributed ledger. If shared logic is needed in a decentralised application it can be guaranteed by using smart contracts stored on the shares ledger as well.
It might seem strange that, in times where we expect governments to apply their authority to fight this virus, we ask these same governments to embrace decentralisation. But governments set the parameters, and create incentives or disincentives for citizens to take their responsibility in fighting COVID-19. It does not mean they actually have to ‘DO’ it. It’s us, the citizens, who are actively ‘flattening the curve’ with our actions.
When it comes to a digital solution to fight COVID-19, we ask from policy makers the same approach: set the requirements but let the applications do their work in a decentralised environment.
What should a decentralised solution look like?
While we can imagine several functionalities in digital solutions to combat the current crisis, let’s focus on the bare necessities : fighting the spread of the virus through a proximity tracing app. This application runs on a smartphone and detects other smartphones with the app when they are nearby, for instance using the built-in Bluetooth. The registration of the other person’s phone can be done using a unique but otherwise anonymous identifier which is stored locally. When later on a person registers their ID on a distributed ledger because they are (possibly) infected, all phones that they have been close to them and thus have registered that ID, will be able to receive a simple message “you have been in proximity of someone who is potentially infected and you should self-isolate”. Now from this simple premise on, we can start to build additional functionality, only adding functions if needed for the required goal and again disclosing the minimum amount of personal identifiable information.
Take for example the case in which the application could also function as a ‘laissez passer’ for anyone who is not or no longer contagious. The data used to determine this could come from a number of trusted third parties (rather than a single authority) or could even be self-registered, depending on the specific case. When this additional data is needed, designing the solution using decentralised and privacy-preserving technologies enables the information to simply be displayed as a green or red checkmark, possibly accompanied by a form of zero-knowledge proof, without disclosing the underlying data or identity.
Last but not least, to avoid the app being used for other unintended use cases at a later stage, it should be possible to disconnect the application from the distributed ledger, removing the link to the unique identifier as a form of ‘self-destruct’.
Let’s do it right, because we don’t get a second chance
We understand policy makers are in a hurry, but again it’s a matter of setting the requirements and developers will build it for sure. As a matter of fact, some are already really close.
So here’s the checklist for all policymakers:
- Avoid or limit the amount of personal identifiable information
- Keep data local as much as possible
- Use strong encryption (one way encryption where possible)
- Verifiably revoke data when no longer needed
- Make the whole architecture and processes decentralised and transparent
This will enable, even in these trying times, applications that are both accepted and acceptable in the short term and for the future.
This article has been written by the decentralisation experts of WBNoDE. A special thanks to Jeroen Schouten of Grasp, the tech-savvy lawyers.
