Cybernetica Proposes Privacy-Preserving Decentralised Architecture for COVID-19 Mobile Application for Estonia

Cybernetica proposed a privacy-preserving decentralised COVID-19 mobile application for Estonia and is supervising the consortium on the secure implementation and development of the mobile application to tackle the spread of COVID-19 in Estonia. The consortium is led by the Ministry of Social Affairs and, in addition to Cybernetica, includes Bytelogics, Fujitsu Estonia, Guardtime, Icefire, Iglu, Mobi Lab, Mooncascade, and Velvet.

Countries all over the world are trying to stop the spread of coronavirus through the development of contact tracing applications. These differ in their principles and methods for collecting and processing user data, and both centralised and decentralised solutions are being developed in Europe.

Cybernetica analysed the published architectures for mobile phone contact tracing and found a decentralised solution proposed by the DP-3T project to be most in line with the Estonian e-government philosophy. Thus, our suggestion was to adopt the DP-3T protocol and extend it according to Estonian needs.

DP-3T is developed by an international team of scientists and engineers led by École Polytechnique Fédérale de Lausanne (EPFL) in Switzerland. Other European countries planning to build on DP-3T include Austria, Finland, Germany, Italy, Portugal, and Switzerland. In May 2020, the project announced its cross-border interoperability proposal co-authored by Cybernetica.

“Privacy is the core value on which we are building this tool. We are glad to be working with like-minded countries who will be deploying similar systems. In time, this will simplify cross-border contact tracing and allow our people to visit our neighbours for work, trade or leisure,” explains Dan Bogdanov, Member of the Board at Cybernetica and the head of the consortium’s security team.

The process starts with users voluntarily downloading Estonia’s official application to their mobile phones. For the system to function, users must carry their phones with them. Contact tracing works over Bluetooth Low Energy signals: a mobile phone generates temporary identifiers with a lifespan of a few hours and distributes them via Bluetooth connections. Phones within the same Bluetooth radius save these temporary keys locally on the device together with the time of detection.

Users who have received a COVID-19 diagnosis enter this information into the app, which, with the user’s consent, confirms it with the Estonian Healthcare Information System. The phone then shares a key with the service operator (the Estonian government), which forwards it to other app users. This key makes it possible to derive all the temporary keys that the infected user was in contact with, but not their owner. This way, other users will not know who exactly was infected, but are aware that they were near such a person.
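The sketch below is an added illustration, not code from Cybernetica or the DP-3T project. It follows the published DP-3T low-cost design, in which a phone rotates a secret day key with a one-way hash and expands each day key into broadcast identifiers, so that a published key lets other phones re-derive those identifiers and compare them with what they stored. The user names, seeds, identifier count per day and the HMAC-based generator (DP-3T specifies AES-CTR) are assumptions made so the example runs with the Python standard library alone.

```python
import hashlib
import hmac

EPHID_LEN = 16       # bytes per temporary identifier
EPHIDS_PER_DAY = 8   # assumption: one identifier every three hours

def next_day_key(sk):
    """One-way rotation SK_t = H(SK_{t-1}); earlier keys cannot be recovered."""
    return hashlib.sha256(sk).digest()

def ephids_for_day(sk):
    """Expand a day key into that day's broadcast identifiers."""
    seed = hmac.new(sk, b"broadcast key", hashlib.sha256).digest()
    stream, counter = b"", 0
    # Stand-in generator: HMAC-SHA256 in counter mode (DP-3T specifies AES-CTR).
    while len(stream) < EPHID_LEN * EPHIDS_PER_DAY:
        stream += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return [stream[i:i + EPHID_LEN] for i in range(0, EPHID_LEN * EPHIDS_PER_DAY, EPHID_LEN)]

def exposure_matches(published_key, days, observed):
    """Re-derive identifiers from a published key; return local sighting times."""
    hits, sk = [], published_key
    for _ in range(days):
        hits += [observed[e] for e in ephids_for_day(sk) if e in observed]
        sk = next_day_key(sk)
    return hits

def demo():
    # Constructed keys for two hypothetical users; real keys are random.
    alice_day0 = hashlib.sha256(b"constructed seed: alice").digest()
    carol_day0 = hashlib.sha256(b"constructed seed: carol").digest()
    alice_day1 = next_day_key(alice_day0)
    # What a third phone heard over Bluetooth: identifier -> time of detection.
    observed = {
        ephids_for_day(alice_day0)[2]: "day 0, 06:00",
        ephids_for_day(alice_day1)[5]: "day 1, 15:00",
        ephids_for_day(carol_day0)[0]: "day 0, 00:00",
    }
    from_day0 = exposure_matches(alice_day0, 2, observed)
    from_day1 = exposure_matches(alice_day1, 2, observed)
    return from_day0, from_day1

if __name__ == "__main__":
    print(demo())
```

The match returns only detection times, never an owner, and a key published for day 1 does not expose the identifiers broadcast on day 0.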

“Now that Estonia has brought down the hammer on COVID-19, the dance of re-opening our society begins. Contact tracing is essential for us to contain the virus as life returns back to normal, and digital tools such as the DP-3T app will likely prove a useful companion to more traditional methods,” says Priit Tohver, Advisor for Digital Services Innovation at the Ministry of Social Affairs.