• New rapid response specifications group, E4P, aiming to facilitate interoperability across European track-and-trace apps through a focus on privacy and security, with standards ready by end‑summer 2020. 
  • Conflict between centralised and decentralised approach to developing tracing apps may prove a stumbling block, however.

Can new telco group bridge COVID tracing’s digital divide?

Can new telco group bridge COVID tracing’s digital divide?

Source: ETSI

European telecoms standards agency ETSI has established a new industry specifications group, Europe for Privacy‑Preserving Pandemic Protection (ISG E4P), intended to facilitate the coordination of proximity tracing applications developed across the continent and thereby help “break the chain” of COVID‑19 transmission. The rapidly established group faces a massive challenge, however, as countries approach the development of tracing apps with contrasting political views and fundamentally different technological principles.

E4P’s goal is to deliver a “framework of privacy, interoperability, and security” for proximity tracing solutions, which would make it possible for the European authorities to track and trace users of different applications across national borders while maintaining the integrity and anonymity of their data. This interoperability is considered essential for enabling the safe opening up of both business and leisure travel within Europe, to support economic recovery.

The timeline

While currently, countries are acting broadly unilaterally on the development of track-and-trace technological solutions, the new group, chaired by Edgar Guillot, Director of Services, Devices & Security Standardisation at Orange, is moving quickly to identify and define specifications that could be adopted across the continent, with the goal of releasing a set of standards by the end of summer 2020. It is then hoped that European governments would be in a position to release updated national apps incorporating the specifications later in the year, creating cross‑border interoperability of tracing technology.

The process of formalising pan‑European specifications by ISG E4P will entail several stages that are to be completed in the coming months. There will be an initial group report, forming a statement of existing methods for proximity tracing currently available or being developed. From this foundation, a series of requirements and use‑cases will be examined to determine methods of undertaking tracing that also support privacy and interoperability.

It is then anticipated that specifications for proximity detection methods will be drawn up, and subsequently followed by specifications that facilitate interoperability between different applications.

Fast-tracking development with government insights

The new group, said to have been established and launched in a matter of weeks — and at a record pace for the standards body — has more than 30 members already. It is inviting participation and support from across the communications ecosystem, and also from interested parties beyond the current ETSI membership, including government and research entities now working on the initial iteration of tracing applications that are set to be launched in the coming weeks.

This open approach is expected to help accelerate the release of the specifications by ensuring the needs and concerns of the countries managing proximity tracing are taken into account at an early stage. My view is that it is actually a benefit to have government and research centres on board”, said Guillot, “because without them we would speak about concepts, but with them on board we will talk about practical things and the delivery of the specifications that will be more useful to them.

Security a key consideration in building trust

Guillot said that the work of the ISG E4P will have an important role in fostering public trust in proximity tracing apps, through its work in ensuring that data anonymity is underpinned by security. The group is working with ETSI’s TC‑CYBER standards group, as well as experts within its own membership, to provide specifications that will provide a level of assurance for end‑users.

“Security is key to be sure that people can trust and be confident in the solution that could be deployed by the government. The government will decide whatever application they would like to deploy, but our commendation will help to make sure that actually this implementation will be secure so individual citizens can trust the solution.”

— Guillot.

Early supporters, but notable absences

For the development of the new standards, the group is aiming to draw on expertise from within its membership base in areas including cybersecurity solutions, e‑health applications, and emergency communications. The initial membership list shows 27 official ETSI members supporting the ISG E4P alongside five international participants, with the European Commission named as a counsellor.

While the standards group has amassed a considerable membership in a brief period, Google and Apple — the IT giants behind the APIs set to be at the core of Europe’s first round of proximity tracing technology — are not yet on board. Guillot stressed both would be welcomed, while also noting that other companies and institutes working alongside the pair are well represented.

ETSI ISG E4P official members, June 2020
 Source: ETSI.

Airbus

ALASTRIA

ANEC

Association eG4U

BT

Cadzow Communications

Certicar

DAC-UPC

Deutsche Telekom

Ericsson

FBConsulting

Fraunhofer Institute for Telecoms

FSCOM

Huawei Tech

IDEMIA

iLabs Technologies

INRIA

iTrust Ethics

MINECO

NEC Europe

Orange

Qualcomm Technologies

Samsung R&D Institute UK

TRAFICOM

Uninfo

UWB Alliance

Vodafone

Applications beyond the current crisis

Although the main priority of the group is to provide a set of standards for interoperability for the end of the summer 2020, ongoing work may see consideration of how other technologies can be integrated with the specifications to ensure ongoing interoperability for applications that may be needed to address a future health crisis.

Guillot noted that there are already additional presence detection technologies that may not be ready for deployment in tracing apps now, but that could be used in future iterations as alternatives to the Bluetooth Low Energy‑based offerings.

France leads way as tracing apps ready for launch…

France launched its contact‑tracing app, StopCOVID, in early‑June 2020, making it the first European market to do so. Meanwhile other major European countries, including Italy and the UK, are progressing through pilot and regional deployments, while development continues in Germany and Spain of applications based on APIs from Apple and Google.

The French application is home‑grown and, as is common, uses Bluetooth technology to manage proximity tracing. But it is also notable in that it takes a centralised approach to data management, with central servers used in the processing data, managing the pseudonymised user IDs, and communicating to individuals that have been in contact with an infected person. This is as opposed to the decentralised approach used for applications coordinated with Apple and Google efforts, wherein more data is processed locally on the device, but with a back‑end server used to transmit notifications from a user’s handset when they are diagnosed as infected.

… but centralisation debate may prove a major hurdle for E4P

There is an ongoing debate regarding the security of both types of system, although the centralised approach appears to be raising the most concerns surrounding the risk to privacy attached to using tracing applications, and the prospect of misuse by state or bad actors of centralised data.

The French government (while taking a swipe at the “biases of major digital players” in framing the debate on the subject) stressed that it believes a centralised approach enables it to offer greater guarantees and security than the alternatives. It also stated that guaranteed interoperability between applications used across Europe should be considered essential.

Meanwhile, ISG E4P is aiming to ensure that there will be interoperability between European applications regardless of whether they are centralised or decentralised. This may prove a significant challenge, however, with travellers potentially moving between states with fundamentally different approaches to security and privacy that may be compromised by interaction with their contrasting tracing philosophies. Interoperability will depend on servers in different countries being able to communicate and exchange data in a trusted shared environment.

Although the ISG E4P stressed to Telco Titans that it is determined to ensure interoperability, it did not unequivocally state that the issue can be resolved within its timeframe for initial specs.

It is notable that the interests of centralised developers may have high profile support on the ISG E4P. The Vice‑Chair of the group is Stéphane Dalmas, an Innovation Advisor at INRIA, the French computer science research institute that has developed the French STOPCOVID app. Germany’s Fraunhofer Institute is also a member of the group and, while it is supporting the work of the German government — and Deutsche Telekom and SAP — in developing a non‑centralised application for the country, it has also been closely linked to the development of proximity tracing applications with INRIA that are more closely aligned with a centralised approach.

GSMA looks to operators to manage practical matters

The role the operators will play in resolving the challenges of interoperability across systems that appear to have significant fundamental differences remains to be seen. It should be noted, though, that BT is principally in a centralised app market (although where a decentralised backup plan may be brewing), while DT’s home market was leaning towards centralised systems before changing course and charging DT with overseeing a decentralised approach. Vodafone, meanwhile, is present in countries on both sides of the debate.

In a hotly‑disputed political as well as technological debate it may be that telcos contribution will be more pragmatic. The GSM Association has mooted operator contributions to the field of contact tracing could include providing insight on delivering data privacy based on experience in managing customer data, and from a practical perspective, coordinating how the flood of data (particularly from decentralised approaches) will be managed for end‑users. This could cover practical steps such as ensuring that any data used for tracing is zero‑rated across all countries, and developing ways to use Wi‑Fi to offload data shared by devices.