Decentralized Protocol Removed From EU Contact Tracing Website Without Notice

EU researchers are concerned after their proposal for a decentralized contact tracing system was rejected without explanation.

AccessTimeIconApr 16, 2020 at 8:30 p.m. UTC
Updated Dec 10, 2022 at 9:16 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) consortium, which is charged with helping develop the protocols for a privacy-focused European Union contact tracing system, has removed any mention of the decentralized protocol proposal Decentralized Privacy-Preserving Proximity Tracing (DP3T) from its website. 

Contact tracing is the process by which health authorities track the spread of viruses, identifying who has been in contact with infected individuals and should therefore be quarantined. Countries are pursuing a variety of digital methods of doing so, ranging from location tracking of cell phones and facial recognition, to digital health passes that restrict movement and Bluetooth proximity tracing. Last weekend, Google and Apple announced a plan to update their mobile operating systems to allow Bluetooth tracing.

Any E.U. contact tracing would have to comply with the General Data Protection Regulation (GDPR), which ensures greater privacy and data protection for EU citizens than is currently enforced in the U.S.

The DP3T team, which outlined its proposal to CoinDesk earlier this week, was not told the protocol was being removed from the site, and was not invited to attend a PEPP-PT call Friday with the consortium's various partners, according to three sources familiar with the matter. 

“We found this in the morning, so far with no comment from them,” said someone close to the DP3T negotiations. "There are also other changes that smell centralized, and we don't know what the German government means when they say they plan on implementing ‘PEPP-PT architecture’ as now there is nothing. This seems very worrisome, and that they may implement something that has not been publicly reviewed.”

It’s now unclear what a PEPP-PT protocol might look like, as the consortium website, while listing general guidelines, does not offer concrete proposals, only general principles. 

A centralized approach has more privacy risks, as well as the potential for the re-appropriation of data for other purposes, like state surveillance.

CoinDesk reached out to the PEPP-PT contact listed on the initial press release, who did not return a request for comment by the time of publication. 

The difference between decentralized and centralized systems are not benign in this context. As CoinDesk has written about previously, a centralized approach has more privacy risks, as well as the potential for the re-appropriation of data for other purposes, like state surveillance, the researchers say. Because of this, designers of the DP3T protocol say their design would encourage more trust in the apps built on the protocol, making them more likely to be downloaded and therefore more effective. 

In Germany, the government has said it will be rolling out an app in a matter of weeks, according to the Financial Times, but exactly what app that will be is unclear. The backers of Healthy Together, one of the German app options, have focused on the app’s data protection measures, based on the PEPP-PT framework. It does not involve geolocation data, but Bluetooth proximity tracking, that would be processed locally on users’ phones. But Linus Neumann of the Chaos Computer Club, the largest hacker network in Europe, told the Financial Times that the app’s anonymity could be compromised with minimal changes.

Kenneth Paterson, who is a professor at the Applied Cryptography Group at the ETH Zurich Computer Science Department and is working on the DP3T proposal, said he can’t be sure what PEPP-PT is building now. 

“Their system is closed and not open to review by external experts. We can’t look at a specification,” said Paterson. “We can’t look at code. So the system could be full of bugs. It could have a backdoor for the security services. No one outside their closed project can tell.”

“This opens the gates to privacy hell: It could give governments the ability to build the ‘social graph’ for everyone who downloads the app, i.e., they could trivially figure out who is in close proximity to whom. To be useful in tracking Covid-19, the apps would have to be taken up by at least 60 percent of the population, according to a paper published in Science. This all then becomes a wet dream for security services.”

This story is developing and will be updated as more information becomes available.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.