Send email Copy Email Address
Sebastian Klöckner

Contact Tracing App for the SARS-CoV-2 pandemic

CISPA’s withdrawal from PEPP-PT and ongoing contribution to DP-3T

CISPA is involved in the efforts to develop privacy-aware contact tracing technology for fighting the SARS-CoV-2 pandemic. Our goal is to develop a working, secure and private-by-design solution as quickly as possible.

A contact tracing app is not a cure, nor can it prevent infections. But it could be a building block within a larger framework of governmental measures to slow the spread of the SARS-CoV-2 pandemic. Currently, contact tracing has to be done manually by public health authorities for each infected individual. A contact tracing app could support this process to help notify additional contacts that may be at risk.

As of April 18th 2020, CISPA made the decision to withdraw from PEPP-PT. PEPP-PT was established as an umbrella to coordinate and communicate among several different projects and approaches for the development of a contact tracing app using Bluetooth Low Energy proximity measurement. CISPA joined PEPP-PT together with the other partners developing a decentralised approach named DP-3T (“Decentralized Privacy-Preserving Proximity Tracing”).

Any contact tracing app can only make a meaningful contribution if it is widely adopted by the population, if it is absolutely trustworthy and transparent in its governance, functionalities, and risk, and if it meets accepted security standards. At the very minimum, any such app needs to adhere to core principles of secure software development, such as full transparency of the system as well as privacy-enhancing by design (data-protection-by-design), i.e., the system must be technologically limited to the epidemiologically necessary function of informing at-risk contacts of an infected person.

The direction that PEPP-PT has taken until now is not in line with our view. Together with the lack of transparency and clear governance, we could not in good faith continue participating in PEPP-PT. After consulting with other leading security institutions who shared these concerns, CISPA therefore decided to withdraw from PEPP-PT.

CISPA together with other leading security and privacy scientists worldwide is confident that only a state-of-the-art decentralised, privacy-by-design technology with strong security guarantees can offer adequate safeguards and gain the necessary trust of the public. Moreover, such a technology is about to be released for deployment: CISPA will continue its work on DP-3T with its partners and will push strongly for deployment. At CISPA the research and development for DP-3T is led by CISPA faculty Prof. Cas Cremers.

You can learn more on DP-3T here:

The proposed architecture and code are open source and open for public review and feedback. We invite everyone to test and review the alpha version of the D3-PT apps.