ETSI moves to standardize COVID-19 tracking apps

The European Telecommunications Standards Institute is moving quickly to establish standards for mobile apps that can track and reduce the spread of the virus.

We’ve all heard how testing and tracking is essential to controlling the spread of the COVID-19 virus. Mobile apps can help by tracking your location and reporting to a database if you’ve been in contact if you’ve been exposed. While such apps are already in use, they may not have the ability to share information. To be effective, apps need to communicate with a common database and with each other.

The European Telecommunications Standards Institute (ETSI) has formed an Industry Specification Group to develop a framework for standardizing interoperability among mobile apps that track and report COVID-19 exposure. The group, called “Europe for Privacy-Preserving Pandemic Protection” (ISG E4P) will organize on May 26 and plans to have a specification in place by late summer. EE World spoke with Edgar Guillot, director, standardisation & ecosystems development at Orange to learn more about the framework and its development.

While many apps designed to track COVID-19 cases are already in use, they suffer from differences in function and in their inability to reference a central database. The ETSI framework and open specification to follow will define the functionality of the apps, drawing on features from those already in use.

How might the system work?
Guillot explained that there are two ways to implement such a network: centralized and decentralized. In a centralized system, a database stores information such as a person’s unique identifier and if that person has been tested positive for COVID-19. The central server calculates the risk of exposure and notifies them based on their recent proximity to someone infected with the virus. In a decentralized system, the mobile app calculates risk and notifies all people who have come in contact with the infected person, including those nearby at the time. It can then notify people in close range. The notifications will be based on distance from and time spent near the infected person to calculate risk.

The framework will specify how to sense distance between people. While existing apps communicate with each other over a Bluetooth Low Energy link, the apps will use cellular or Wi-Fi connections to communicate with a server.

Group organization and timeline
The May 26 meeting to formally organize the group is open to both ETSI members and non-members. “We expect a large participation,” said Guillot. The framework needs to define the system’s functional requirements, which include:

• Proximity detection;
• Data storage;
• Communication protocols;
• Seamless operation in any European country;
• Server software.

While the framework and specification will define the functionality and interoperability of the apps, it will not define the specifics of an implementation. That’s up to software developers.

Will people use such an app?
Developers must grapple with security and privacy but most of all, people must trust an app for them to install and use it. “People will be responsible for their own data input,” said Guillot. “No app will work without a person’s consent. Trust is important.” That’s why one requirement will state that data on a person will be deleted after fifteen days.

Of course, a COVID-19 tracking app is only as good as its data. That means people must be tested. Plus, people must feel confident in the app’s privacy and security. Will people trust that their data will be deleted within 15 days? Will people think that tracking their moves and with whom they make contact be used for COVID-19 tracking only? Could hackers get in steal information? Will that trust vary by region or politics?