Introducing Reviewfacility.eu

At the initiative of the European Commission and in line with the Toolbox for Tracing Apps published in April 2020, representatives of the NGI community set up a technical review facility that provides independent security and privacy analysis of COVID-19 related technology. The Emergency Tech Review Facility is a collaborative, community-focussed effort to quickly and transparently analyse COVID-19 tech solutions.

The COVID pandemic has triggered an impressive amount of innovation.  However, this fast-moving innovation requires proper scrutiny – and COVID contact tracing apps turn a regular cell phone into a low-grade medical device.  As technologists, we must aim to “do no harm”.  So how do we find the right balance between the potential dangers and the benefits from these solutions?

“We saw many different initiatives spring up in parallel, initially without much coordination. All of us felt that we structurally needed more information to make a sound judgment,” states Michiel Leenaars, Director of Strategy at NLnet Foundation. “Rather than do this at small scale, we agreed with the European Commission that it made a lot more sense to create a pan-European facility to bring together the relevant knowledge – and to help push the most promising ones forward”.

What is the main role you see for reviewfacility.eu?

“We will uncover security and privacy threats, so people can make informed decisions about whether or not to use contact tracing apps.  We also need to minimize the potential damage from improper design and implementation”, says Dr. Melanie Rieback, CEO and Co-founder of Radically Open Security, whose company will be performing the technical security work for the EC Review Facility.  The platform will offer both “quick scans” and longer security audits on COVID-19 tracking apps of EU member states. Their work should give some insight into the quality of the solutions.

“From my end, I cannot emphasise enough the importance of bringing together a broad and diverse community to work together on these issues”, says Leenaars. “The field is evolving so fast it’s beyond any single expert’s capability. Without pooling insights and best practices – which is what Reviewfacility.eu is all about – we won’t get anywhere. We need all the qualified eyeballs we can get. From our end we do everything to provide a neutral, independent facility where people can bring knowledge and jointly work on the development of reliable solutions – or at the very least inform better decision making by governments. Don’t forget that several countries have actually withdrawn their apps – a ‘no go’ or ‘abort mission’ is actually a valid outcome if the alternative is broken”.

Do you just do security reviews, or are there any other services?

“Actually, we have a broader mission”, says Leenaars. “The great thing about the fact that most of the efforts are open source, is that we can help apps become better in other ways too. We are offering independent security and privacy analysis, but also can help with localisation and internationalisation, accessibility, copyright compliance, protocol verification, reproducible builds and packaging, etcetera”.

Rieback adds: “Through the EC, member states can approach us for security audits.  It’s primarily meant for contact tracing apps, but we can also audit other things.”  The aim is to help these projects move forward in the most responsible way possible.  Because even when the first shock waves of the pandemic subside, we might be left with this technology for a very long time.

If you would like to help out, you are invited to join in on the crowdsourced mission of reviewfacility.eu to map out the solutions and problems of emergency tech solutions like contact tracing apps – even for a small task. It takes the collaborative work of many to arrive at trustworthy solutions that serve everyone, and only one subject to call out the emperor’s new clothes. And since everything happens out in the open, it is a great place for novices to learn and for experts to contribute their skills and knowledge. Go to reviewfacility.eu or join in one of the chat rooms at participate.reviewfacility.eu. Or take a look at the forum, which offers room to freely discuss topics ranging from ethical aspects of tracing technology and privacy considerations to more technical exchanges of ideas and experiences.

Emergency Tech Review Facility