Great Success of the ViSP Workshop on Security and Privacy in Contact Tracing

The Vienna Cybersecurity and Privacy Research Cluster (ViSP) organized an online workshop where national and international researchers discussed technical, societal and legal implications of digital contact tracing in the times of a global pandemic, as a contribution to the ongoing digital humanism initiative of the city of Vienna.

The workshop was held online on Friday, September 11th, and is available on YouTube where it has attracted more than 200 viewers.

The workshop was opened by Matteo Maffei, a professor at TU Wien and member of ViSP, who set the stage for the following presentations and introduced the speakers.

The first speaker, Edouard Bugnion, is the Vice President for Information Systems at EPFL in Lausanne, Switzerland, and is a former advisor to the Swiss national COVID-19 science task force. He is part of the team behind the design of the DP3T protocol, which is at the core of the exposure notification approach adopted by Google and Apple, and hence deployed in many European states. Bugnion sees this as an important step towards an international solution that allows for interoperability between applications deployed in different countries. He highlights decentralization as an important feature of this protocol, as it ensures that all computation happens locally on phones, and no social network can be built. He furthermore presented a first evaluation of the application in Switzerland, which shows the practical impact in the fight against COVID-19.

Vincent Roca is the head of the PRIVATICS team at Inria, France. He and his team worked on the digital contact tracing protocol ROBERT, which is used by the French StopCovid application. In contrast to the previously presented DP3T protocol, this approach is based on a centralized architecture, aiming at efficiency, sovereignty, and privacy. Due to privacy issues that arise from the design of the protocol, but also from the fact that the system is controlled by two American tech giants, Roca believes that the DP3T-based solution offered by Google and Apple is unlikely to find legal approval in France. Roca also presents the novel protocol DESIRE, with which he wants to overcome limitations of other approaches and which he sees as a potential protocol for a new generation of contact tracing applications.

Véronique Cortier is a research director at CNRS at the Loria laboratory in Nancy, France, and an ERC grant holder. Due to the implications for privacy, she is critical of the usage of contact tracing applications in general. She highlights privacy risks for specific protocols, such as ROBERT and DP3T, but also fundamental risks that exist for any functional protocol. She questions the efficiency of digital contact tracing and requests that a better evaluation take place before applications are deployed on a large scale. Furthermore, she criticizes that political and economic interests obstruct open discussions and thus hinder scientific progress.

Krzysztof Pietrzak is a professor at IST Austria, an ERC grant holder, and a member of ViSP. While the previous speakers focused on the privacy aspect of contact tracing protocols, Pietrzak focuses on security attacks, e.g., attacks that cause exposure notifications to be sent to users that have not been in contact with any infected person. To address those attacks, he proposes cryptographic solutions and shows how a protocol like DP3T could make use of these solutions.

Christian Kudera is a researcher at SBA Research in Vienna. He presented a timeline of the development of the Austrian Stopp-Corona application, and showed the impact of a security analysis of the Stopp-Corona application that he and other technical and legal experts performed. Kudera also highlights how specific technical and political decisions impact the public opinion of the app and the willingness to install it on personal phones.

Walter Hötzendorfer is a senior researcher and senior consultant at the Research Institute - Digital Human Rights Center in Vienna. He is a member of the Austrian data protection council and, as a permanent advisor of the Austrian Red Cross in data protection, he participated in the design of the Austrian Stopp Corona App. In his talk, he gave insight into legal and ethical aspects of contact tracing applications. He is convinced that digital contact tracing can offer more privacy than manual data collection, although he still sees aspects where the privacy of the app could be improved. He raises the question of how more trust in the application can be established, so that it is installed by more users.

In the following panel, the speakers discussed the potential impact of digital contact tracing and agreed on the importance of understanding its societal, legal and technical implications with a particular focus on security and privacy threats.

Link to video: https://youtu.be/ZbLo2ddcmsI