Jokes aside, I find the PEPP-PT app freaking scary. I know folks working on a more privacy-preserving solution if you're going to do something like this, but let me say two things that stand out about it:

1) Adversary model assumes the state is trustworthy

and... https://twitter.com/ShahakShapira/status/1247490324869545985
2) As I understand it, your device collects ID information from every device around it. If you get the virus, you publish all of the IDs you've collected, allowing the state to build social graphs.

Decentralised privacy doesn't work if the info you expose is about someone else.
If I am a user who wants to expose myself as an infected person, that's one thing. And there are ways to mitigate how much that info is bound to you. There are technologies out there (e.g. MPC) which could be used to make finding out if you were exposed private*.
And which would NOT expose that data directly, even when querying a centralised server. The research group a couple of my friends work in are looking at such solutions.

But when you start publishing other people's data, that's just bad.
We can have a robust argument about whether one should do this at all. Whether it's really in the public's interest, or whether it's handing the state tracking tools they don't already have which will certainly be abused later.

We should have that debate.
But if we're gonna do this?

People, this is not the way.

(I'll post a link to other research if folks have any, and will ask my friends for info about what they propose as well.)
I should add, as full disclosure, that I used to work with some of the people responsible for PEPP-PT, though it's a huge consortium.

Let's just say this doesn't necessarily alleviate my concerns and leave it at that.
You can follow @DarthMamaShark.