An Investigation Into PEPP-PT2020-04-17
This post covers an ongoing situation and will be updated as things progress.
Update 7 (April 27st, 8:00AM CEST): Over 400 of France’s cryptographers and computer security experts have signed a just-published letter calling on the French government to not adopt any contact tracing application before due scrutiny has been laid by the applied cryptography community.
Update 6 (April 21st, 6:00PM CEST): some of the best Inria scientists that I know have just published a highly critical (and excellent) whitepaper outlining the dangers of the centralized French contact tracing initiatives published over the last week (including ROBERT, see Update 4 below), as well as decentralized approaches such as DP-3T. While the paper is ultimately highly sceptical of contact tracing in general including both centralized and decentralized approaches, it’s absolutely worth a read and may be the best analysis of privacy-preserving contact tracing that exists so far.
Update 5 (April 20th, 8:00PM CEST): a letter signed by nearly 300 cryptographers and scientists has been published, decrying centralized efforts encouraged by PEPP-PT and urging for a stronger focus on privacy-preserving contact tracing.
Update 4: Inria Proposes ROBERT, a Centralized Protocol
On April 18th at roughly 6:00PM CEST, Inria, under its affiliation with PEPP-PT and in collaboration with Fraunhofer, published documentation for “ROBERT — ROBust and privacy-presERving proximity Tracing protocol” on GitHub. ROBERT’s protocol specification came alongside a PDF statement from the Inria team titled “The Misleading Debate about Centralized Versus Decentralized Approaches”, which claimed the following:
“Several approaches described as decentralised have been proposed. However, a “fully decentralized” approach is not realistic for proximity tracing.” […] “The debate about proximity tracing applications is of high importance to all the EU Member States and all the fundamental rights of individuals residing in those states. We underline the importance of this debate and encourage to compare technical solutions based on privacy risk assessment rather than on ill-defined catchwords such as ‘centralised’ vs ‘decentralised’.”
Nevertheless, it is truly striking just to what degree the protocol specification describes a system that is centralized:
What is more striking is that the design still claims to have a security and privacy guarantee of user anonymity from a central authority. Section 1.3 of version 1.0 of the ROBERT specification states the following:
“Anonymity of users from a central authority. The central authority should not be able to learn information about the identities or locations of the participating users, whether diagnosed as COVID-positive or not.”
And yet, this assumption is only meant to hold under an honest authority:
“The authority running the system, in turn, is “honest-but-curious”. Specifically, it will not deploy spying devices or will not modify the protocols and the messages. However, it might use collected information for other purposes such as to re-identify users or to infer their contact graphs. We assume the back-end system is secure, and regularly audited and controlled by external trusted and neutral authorities (such as Data Protection Authorities and National Cybersecurity Agencies).”
And yet, Section 2.2 states the following:
“When a user wants to use the service, she installs the application, App, from an official App store (Apple or Google). App then registers to the server that generates a permanent identifier (ID) and several Ephemeral Bluetooth Identifiers (EBIDs). The back-end maintains a table, IDTable, that keeps an entry for each registered ID. The stored information are “anonymous” and, by no mean, associated to a particular user (no personal information is stored in IDTable).”
This is a genuinely self-contradicting design. From a first read, it really does appear that all of ROBERT is built on trust from central authorities and the assumption that they will behave honestly and be impervious to third-party compromise. I am unable to determine how this is a strong, or even serious and realistic approach to real user privacy. Given the level of trust assurances that ROBERT, as a system, is attributing to authorities, and given that authorities are responsible for generating, storing and communicating all pseudonyms directly to users to their devices, what security property can actually achieved in ROBERT in terms of pseudonymity between authorities and users?
Furthermore, it appears that the trust model for ROBERT is such that the server allocates pseudonyms and is thereafter trusted to never examine the social graph or any network relationship graph for users, ever. How could this possibly be a reasonable assumption for a privacy-preserving protocol?
I have filed a GitHub issue with my concerns and will keep updating this post as I progress with my analysis.
Update 3 (April 18th, 4:48PM CEST): At roughly noon CEST, the ETH Zürich and EPFL logos were removed from the list of sponsors on the PEPP-PT website. At 4:00PM CEST, Prof. Dr. Cas Cremers posted on Twitter that the Helmholtz Center for Information Security (CISPA) had also withdrawn from PEPP-PT.
Update 2 (April 17th, 7:13PM CEST): PEPP-PT uploaded a GitHub repository containing a single PDF draft of PEPP-PT’s closed, proprietary “PEPP-PT NTK” protocol, and then removed the GitHub repository minutes after for unknown reasons. Upon inspection, the PDF appears to be a hastily written overview of contact tracing protocols in general and does not include any information in the way of an actual protocol or contact tracing technology design. Prof. Dr. Ralf Sasse noted on Twitter that the proposed design sketch already poses privacy problems and appears to violate the GDPR.
Update 1 (April 17th, 1:54PM CEST): In an internal Zoom call, PEPP-PT just committed to releasing their protocol documentation later today on GitHub.
On April 3rd, 2020, a team of 26 European researchers, led by the EPFL’s Prof. Dr. Carmela Troncoso, published the whitepaper for the Decentralized Privacy-Preserving Proximity Tracing protocol, DP-3T, meant to enable privacy-preserving contract tracing mechanisms at scale in order to help track and manage the COVID-19 pandemic in the general population.
DP-3T has attracted substantial attention, with many fruitful discussions on its GitHub repository as well as reasoned critiques by a handful in the cryptography community. Nevertheless, on April 10th, it was announced that a close variant of DP-3T had been adopted by Apple and Google for roll-out on all of their mobile devices, and the project seems to be moving forward productively. As a cryptography researcher, I personally contributed some outside feedback into DP-3T by writing a Verifpal model for it and participating in GitHub discussions regarding its security properties and wireless communication capabilities.
The purpose of this post is to track and document an emerging controversy between the DP-3T community and an organization called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), which claims to represent a pan-European effort at arriving to a proximity tracing standard but which has been accused of opacity and of dishonest political behavior.
Sequence of Events
“Our privacy core: At PEPP-PT we support centralized and decentralized approaches and each country chooses which is suitable for their legislation. The DP-3T approach is the project currently under review for a decentralized implementation of the crypto part of an end-to-end implementation. Anything we provide is based on voluntary participation, provides anonymity, does not use personal data nor geolocation information, operates in full compliance with GDPR, and has been certified and tested by security professionals.”
On or around April 16th, the above text was erased from the PEPP-PT website. On April 17th, Coindesk reported on this removal, claiming that it was done “without notice”:
“The DP3T team, which outlined its proposal to CoinDesk earlier this week, was not told the protocol was being removed from the site, and was not invited to attend a PEPP-PT call Friday with the consortium’s various partners, according to three sources familiar with the matter.”
Prof. Dr. Kenneth Paterson, one of the researchers working on DP-3T, expressed his concerns thus:
“Their system is closed and not open to review by external experts. We can’t look at a specification,” said Paterson. “We can’t look at code. So the system could be full of bugs. It could have a backdoor for the security services. No one outside their closed project can tell.”
The concern is that PEPP-PT is attempting to steer its partners into an opaque, centralized approach to contact tracing instead of following the public academic standard maintained by DP-3T. It seems worthwhile at this stage to look into PEPP-PT and to see what can be gleaned throughout their public presence.
Who is PEPP-PT?
PEPP-PT appears to be the brainchild of Hans-Christian Boos, founder of Arago GmbH and member of the Digital Council of the German Federal Government. Boos’s name is listed on the website’s impressum and headlines every communiqué that PEPP-PT has. PEPP-PT’s press communiqué also lists Prof. Dr. Marcel Salathé of EPFL and Prof. Dr. Thomas Wiegand of TU Berlin as “interview and discussion partners”.
It is worth mentioning that no other name is available in any disclosed PEPP-PT materials whatsoever, be it their website, press releases, or anything else. Only these three names appear, and the latter two very sparingly. Really, the only name that appears to be strongly associated with PEPP-PT despite its 40+ partners is that of Hans-Christian Boos. Boos’s online presence has him claiming to be an expert on Artificial Intelligence and many other fields in IT, at many times professing his expertise in a field precisely at the moment in which its name was becoming a public buzzword. Boos is also listed as a participant in the 2019 Bilderberg meeting (see Bilderberg meetings).
But what is perhaps most concerning about Boos is that in an interview with Der Tagesspiegel on April 17th, Boos is quoted as saying:
“For Germany, I favor a centralized solution [for contact tracing].” (“Für Deutschland stelle ich mir eine Server-Lösung vor.”)
On April 17th, Marcel Salathé, who was still listed as the second name out of the three names in PEPP-PT’s press communiqué, publicly disassociated from the project:
I am personally disassociating from PEPP-PT. While I do believe strongly in the core ideas (international, privacy-preserving), I can’t stand behind something I don’t know what it stands for. Right now, PEPP-PT is not open enough, and it is not transparent enough. 1⁄3
— Marcel Salathé (@marcelsalathe) April 17, 2020
On the same day, PEPP-PT was publicly attacked by the DP-3T community, including Prof. Dr. Michael Veale and Paterson. The criticism of Veale, Paterson and others seems to center around the fact that despite its long list of prestigious members, PEPP-PT has not yet produced any technical or research output whatsoever, and seems to be, on the contrary, withdrawing further into itself:
#DP3T entered as a candidate to so-called PEPP-PT in good faith, but it is now clear that powerful actors pushing centralised databases of Bluetooth contact tracing do not, and will not, act in good faith.
PEPP-PT is a Trojan horse.
— Michael Veale (@mikarv) April 16, 2020
It’s striking how, aside from issuing press releases and accruing industry partners, PEPP-PT has not accomplished anything whatsoever, aside from continuously regressing its practices into opacity. As it stands, it seems that PEPP-PT was established via the following chronology:
- PEPP-PT propped itself up on the legitimacy of academic partners by claiming to champion open standards like DP-3T.
- PEPP-PT then locked out these same academics and only permitted governments and industry to participate in closed discussions.
- PEPP-PT is using these closed discussions in order to attempt to sell its proprietary, centralized counter-proposal, which would allow less privacy-preserving properties than DP-3T and would be, by design, shielded from public feedback.
This is not only a dishonest way, but also a very dangerous way to coordinate a crisis response. It not only undermines open, independent and peer-reviewed research practice at the times in which it is needed most, but actually is appearing to exploit them in order to further a discrete agenda.
- Despite claiming to represent the European effort for a contact tracing technology, and despite having more than 40 partners in academia, industry and government, PEPP-PT has not produced any open or transparent solution, draft, public call, or any research initiative whatsoever for contact tracing.
- Despite its claims of having “more than 130 (increased to 200 on April 17th) members across eight European countries, includes scientists, technologists, and experts from well known international research institutions and companies”, only Hans-Christian Boos’s name keeps showing up, and no technical or research output has been made public by the effort.
- PEPP-PT has disavowed DP-3T without justification and without disclosing its decision to the DP-3T team. In return the DP-3T team has disavowed PEPP-PT and has accused it of being a “Trojan horse” for a centralized contact tracing standard.
Is PEPP-PT a Scam?
There is a lot that seems to suggest that PEPP-PT is Hans Christian Boos’s attempt to capitalize on the fear and uncertainty of major European institutions during the COVID-19 pandemic in order to drag them into a group which he leads but which is nevertheless opaque, centralized, ill-managed and untrustworthy. PEPP-PT’s behavior currently appears to be political and irresponsible. At the very least, it can be said that PEPP-PT has not earned the institutional credibility required for an entity such as itself being charged with devising a protocol that deals in matters relating to a major global crisis.
In order to address the situation, PEPP-PT should likely do the following:
- Explain its contact-tracing efforts, justify the shift away from publicly documented, open designs such as DP-3T and name alternatives.
- Reveal the names of the precise technologists and scientists working on alternative contact tracing protocols, if any, as well as their threat models, security guarantees and other design elements.
- Publicly disclose a governing process and governing body that is more nuanced and legitimate than “a handful of companies and institutions united by Hans-Christian Boos” for undetermined purposes and in closed circumstances.
Until the above is accomplished, I strongly discourage anyone from associating with PEPP-PT. Furthermore, I ask all European partners to PEPP-PT to justify their participation in such an opaque and unilaterally-led effort, which appears to be disavowing public standards for solving urgent public problems. This request applies particularly strongly to European academic and public institutions, such as CISPA, EPFL, ETH Zürich, Inria, KU Leuven, and others.
I will continue to monitor this story and will update this post as more unfolds.