Governments cannot be trusted w/ social network data from Bluetooth. So w/ colleagues from 7 unis, 5 countries, we've built & legally analysed a bluetooth COVID proximity tracing system that works at scale, where the server learns nothing about individuals
https://twitter.com/carmelatroncoso/status/1246122415794593794

Health authorities learn nothing
Users learn nothing about other users
Users learn if they were too close to others who tested positive
Governments learn nothing about users
No-one is coerced: everything based on genuine, voluntary consent.

We don't know if Bluetooth tracing will truly help fight COVID-19. Some epidemiologists say yes. But we know that centralising data is a recipe for misuse by law enforcement and police, at least in some countries where the rule of law is weak and power grabs are frequent.

For privacy law scholars, the data protection and security analysis document explains more. https://github.com/DP-3T/documents/blob/master/DP3T%20-%20Data%20Protection%20and%20Security.pdf

Also: LOADS of people were involved in this (see image). But @carmelatroncoso in particular is absolutely brilliant.

This system was designed so it could not be co-opted, it had purpose limitation built in and function creep built out, and it is also built for 'graceful dismantling' — it will organically collapse after the epidemic as users stop uploading.

Clarifying points #1: The best way to raise points or issues about the protocol is using the GitHub issues https://github.com/DP-3T/documents/issues . PLEASE read a bit about our suggestion in the documents we have published first.

Clarifying points #2: On PEPP-PT: this is a submission to the PEPP-PT consortium for consideration around how to make a decentralised set-up that scales, involving many of the same institutions and people. It is published to start discussion, for transparency.

Clarifying points #3: To collaborate or have more formal contact, the best way is to email [email protected]