Centralized vs. decentralized corona tracing apps: Two perspectives from the front lines

Insights, Interviews

12th June 2020

Interview with Chris Boos, Founder and CEO arago GmbH, and Prof. Gerhard Fettweis, Vodafone Chair Mobile Communications at TU Dresden

Florian: Chris, you are one of the Internet pioneers, coding since your childhood in the 80ies. With your company arago you have had a stellar growth phase in the last years. KKR, one of the leading PE companies worldwide has invested EUR 50m in your company and you are advising the German Government on its digital strategy. AI is your domain of expertise and you have been heavily involved with PEPP-PT, the „Pan-European Privacy-Preserving Proximity Tracing“ project. This tracing App makes a lot of sense and German Chancellor Merkel told the press on April 1st that she also would use this app a consortium was working on. It was said the app would be released within 10 days or so. It is June 10th now and we are still waiting for the app. What went wrong?

Chris: Some people were quoted saying that software is never on time, but I think this one goes deeper. Many countries now have released or are testing their version of proximity tracing apps already. In Germany we had a switch from an app developed by the science community, which was very close to the principles advocated by PEPP-PT. Then a fight — something that is normal in science, because that is the way to improve — split the consortium and held everything up. With public pressure, decision makers, who have to focus on the adoption rates of the app, had to reconsider and tasked the two largest German tech companies with building the app. I must say, both Telekom and SAP did a good job here and next week we will see an app. They did a good job because they involved the people who had built up the knowledge and could contribute their experience. They did a good job because they also involved startup initiatives. They did an even better job, because they really created it from scratch, but did not lose experience while doing so, and following public pressure open sourced the whole thing. To me this is a proof point that large companies can run agile projects and work with startups very well.

Yet with the difficult public and political situation anyone building an App in Germany also had to make sure all the i’s are dotted and the t’s are crossed and larger companies are much better at that than small ones. Last but not least in Germany people decided to use the approach promoted by Apple and Google and of course it is easier for companies that already have long standing relationships here to get better results in collaboration much faster.

Having said that, I understand why the app is coming next week and not a month ago. What really went wrong is the communication about the crypto protocols underlying the proximity tracing approach. This was a fight taken to the political and even personal levels and it created a lot of insecurity which was completely unnecessary.

What really went wrong is that we lost what PEPP-PT stood for in the beginning — the interoperability between different approaches, at least in the first releases of local apps. Some people actually believed that the entire world would be using the same protocol. I think we were more realistic in the beginning, focusing on making various approaches from different countries interoperable.

I very much believe it is necessary for people with considerable responsibility to take the decisions on what approach to use. Not only in crypto, but also in all the other areas of technology and pandemic management, and I believe the German government made a good decision switching to the decentralized model after public pressure mounted, because adoption is key. But if we had done this without a debate that went personal and if we had kept the focus on interoperability, we would be in a much better place now from a European and global perspective.

Florian: Gerhard, what has been your role in these tracing app efforts so far and what is your view of the process so far?

Gerhard: My role was simple. Chris Boos and Thomas Wiegand from the Fraunhofer Heinrich Hertz Institute met and discussed whether technology could be used to fight Covid-19. An app like the one in Singapore — but GDPR compliant to comply with European privacy laws. When Thomas came up with an idea and discussed the solution with RKI President Wieler one afternoon, Thomas called me on March 7 to get me on board. It was a Saturday evening at 23.30. He asked me if I could bring my radio and electronics and startup expertise to the table to help build a network of enthusiasts that would build a solution. I accepted immediately and activated a team of excellent people the next day.

We were all like on steroids. We worked 24/7 with little sleep. We were enthusiastically driven by helping Germany, Europe and the world get out of the crisis. Unfortunately, the bottom line is that this storm of enthusiasm to bring people together who want to do something good leads to the fact that you may become blind concerning some participants as well as outside forces, and that the process was not structured enough. Every morning we coordinated 12 sub teams for technology, strategy and implementation. That went well but controlling wasn’t implemented on non-technical issues. We were not on alert to notice that some people were there with a separate agenda. Therefore, we did not build up a strategy to be prepared to react tactically and immediately to people who want to undermine you. We were not strong enough in that respect.

On Friday April 24, around five minutes into the interview on the German TV ZDF Morgenmagazin, Minister of Health Spahn said (in German) concerning an App based on Google/Apple APIs: “The basic belief that data stored by Apple and Google (…) is better protected than data stored in Germany on (government) servers — also state-controlled — (…) is difficult for me to comprehend. I don’t understand this belief.” This debate must also be conducted.

On Sunday April 26 morning, however, a complete U-turn was announced, presumably following influence by Apple and Google. This caused a delay of at least eight weeks, since our app had already undergone major tests and was just days from launch. What I really don’t understand is that Germany, if it deems necessary to follow the Google/Apple approach, did not decide to launch our app immediately and replace it by the Google and Apple solution as a software update once their solution is ready. This would have given Germany immediate measurement data on proximity behavior of infected people, and how the opening of restrictions possibly leads to changes.

With the so far published approach by Apple and Google it is clear that they must have encountered an energy consumption challenge. The proposal proposes the Bluetooth scanning to happen only every 5 mins (spec v1.2). However, we found out in our tests and joint discussions with epidemiologists that we needed a scan much more frequently (e.g. every 10 seconds). And we were able to implement this with reducing the battery-discharge span by only 10–20%.

Florian: You have an app in mind which includes Bluetooth technology to better localize the other people you have been close to. Island has had a GPS based App live since 1st of April and they seem to absolutely have controlled the virus. OK, it is a very small country and Reykjavik only counts about 120‘000 inhabitants. But still — it seems to work, and they must have found a good solution to protect people’s data. Taiwan, Singapore and South Korea are much larger and have dealt with it too. What are we missing here in Europe to make this app fly and why are we — again — putting so much power into the hands of Apple and Google instead of going our own way?

Gerhard: There are many systems that function in compliance with GDPR. With my Barkhausen Research Institute we work on the topic of creating a “Trustworthy Internet”. And we want to enable Europe to play a major role. My experience from the corona app situation is that we must accelerate the vision of my institute. Europe must take its digital destiny into our hands and become independent on processor platforms, operating systems, and wireless networks. This is exactly the focus of my institute. Only if we become self-sufficient we can build self-confidence and are not forced by big internet companies to follow their interests.

Why is Germany now following Apple and Google? The answer to this question eludes my imagination. We now have a super centralized system where two companies (not governments) are allowed to collect proximity behavior of people. Via the operating system they have full access and can find out which people of different companies meet in a room at what time. I believe this is questionable. Trust in such a system could only be built if the full source code of the operating systems and the compilers were made public. If this does not happen this leaves us with the question on how to turn the situation back once the Corona crisis is over. How will we deal with the privacy issue then?

Chris: Many countries have working approaches. Some of the most successful ones do not care about privacy at all. I believe that privacy is key, and this is actually why the original initiative PEPP-PT was founded — to achieve a successful outcome without abandoning privacy. If you directly identify and point out infected people that is obviously discriminating against people who should get our help, not our mistrust. Using GPS is not directly a privacy problem, but from location data identity can be resolved very quickly, so this opens the door to infringe on privacy. Which technology should be used has to be an equilibrium between how to best protect us from getting sick or infecting others and our privacy. I think privacy is the baseline — period. But if privacy can be protected at a high level, then managing the pandemic has to be put before using the best possible privacy.

So, a legitimized government can make this decision on behalf of their people. Having their world focus on a standard set from the corporate world is nothing new, but this may be a more sensitive topic. I believe Apple and Google both started the entire initiative wanting to help and the people in the project teams are just doing that. But if we are worried about what governments would do with such mechanisms in the future, we need to have the same worries in the corporate world — only there is no parliament for checks and balances in the corporate world. Apple and Google are doing a good job with the heavy restrictions they put on using their APIs, but as I said things that are out there are out there, and if we mistrust the government, we must also look at corporates the same way. There is no easy solution for this. Trust is a currency we have long tried to replace with transparency, which does not work in the long run.

Florian: Switzerland was part of the consortium but left. Why?

Chris: I already mentioned that the fight about crypto was blown out of proportion. All the protocols suggested by PEPP-PT were strong on privacy and all protocols have potential attack vectors. But what was done by the group advocating the decentralized approach was very sad. It was taken to a personal level. You don’t want to read what I was called on Twitter and this is not a way to have a scientific debate. There is a difference between a hard debate and a mud fight and I believe we really have to get that right, if we want to have good outcomes for many things, because our ability to fight about an outcome in a productive way is our ability to achieve good outcomes in minimal time. The protocols designed by the teams at ETHZ and EPFL are very good in privacy. They are weak on generating data for pandemic management, and a country should be able to set their own priorities. The NTK protocol created by Fraunhofer AISEC and the ROBERT protocol created by INREA are also strong on privacy — not as strong as the ones from ETHL and EPFL — and they allow anonymized data creation for pandemic management. This makes a lot of sense to have both options to choose from and this is the only thing I ever said.

Florian: You were very well on track with half a dozen of European countries willing to implement the interoperable app and then overnight all this fell apart.

Gerhard: As I said, the German Minister of Health was also very much in favor on Friday, but two days later on Sunday he claimed to have changed his mind due to a letter signed by 300 scientists. The referenced letter calls for a decentral storing of tracing data. All solutions do that, ours as well. However, in case of a positive COVID-19 test, the Google and Apple approach wants the phone of the infected person to send-out its ID and an alarm to all other phones. Each phone then requires to search through its contact tracing history to see if an encounter happened. This way Google and Apple have direct access to your proximity behavior.

Chris: From my point of view many things came together. The mud campaign against people like myself, public pressure etc. But what really made it fall apart was that people who had put in months of their lives into getting a privacy protecting and interoperable way of having many solutions were all of a sudden afraid to lose their jobs in science or not make money with their companies. So, everybody started focusing their own activities on their core business — which for most people is not proximity tracing. This fear is what worries me most. It shows that in Europe we have a real problem in iterating on things. We have a problem with learning from failures, because a failure or a mud campaign can threaten your entire career. So, you put your head down and do something else. This is so incredibly sad and dangerous.

Florian: Then a journalist from German magazine Stern accused you, Chris, on very different issues. All together the article suggests that you use a complicated tax shielding structure in order to avoid paying any taxes, that you are lying about your revenues and are under prosecution. Are you hiding something to avoid paying taxes and what is your answer to all other allegations?

Chris: Anyone reading these articles will see that things are blown out of proportion. Any company and especially investors will try to legally minimize tax payments. What of course was never mentioned is that at arago we are proud to actually produce AI in Germany and create local jobs for all levels of IT talent, not just the 160 IQ people. Anyone who has talked to me about revenue will know that we never quoted any, because in the B2B world — which is what is left for ambitious companies to take in digital technology, as the B2C world is already taken — traction is much more important. And about projects that failed, well some projects do. They can fail because of technology, but that is rarely the case. Most projects fail because not all ingredients are in place. But is that bad? Do we have to go to any project participant and shout at them? No. Not the ones who were brave and tried to reinvent themselves and not the ones supplying modern tech approaches to do so. This is the only way forward and if we don’t get the ability to actually try out something, learn from failure and then try again, we are all in trouble.

Having said that, these publications are definitely a witch hunt. I have been quoted completely out of context, confidential information was leaked that we could never comment, and I have been attacked on all levels. This is unfair and hurtful.

But I very strongly believe that the type of AI we produce at arago — a problem solving system that can be applied to many domains — is a key building block for getting industrialized economies into the digital age, and this is what we need in Europe.

Florian: Sorry to hear all this. So — let’s go back to the tracing apps. It seems obvious that if this app would be widely used, we could re-open the economy much faster and better localize the virus and manage its growth with heavy testing and local isolation. The UK is introducing a two-week quarantine for people traveling into the UK. A day later France responded to it asking British people to self-isolate for two weeks as well. All this probably could be avoided with an interoperable app. Do you see this solution coming and if not — what should be done?

Chris: It will come. But later than we anticipated. The standardization and interoperability work that was done in PEPP-PT was given to an industry standardization group as part of the ETSI. So, this is on its way of becoming an official European standard and a lot of people producing apps in Europe are talking to each other to make sure that eventually there will be interoperability. Unfortunately, this will take quite some time now.

Florian: You must have been in close exchange with several governments and their respective health institutions. What is your view on the Robert Koch Institute and their collaboration with the government in comparison to other countries, and what do you expect on a global level with respect to the tracing app efforts?

Chris: I think most CDCs handled the sudden attention very well. Robert Koch Institut definitely stepped up to the task. They were criticized for having many initiatives that could potentially be misunderstood and mixed up by people. But if there is no time things have to be worked on in parallel streams. I had the best experience with them. What I really want to emphasize is the 2nd level of government, the administration. There are people many of us make fun of, but in this crisis they stepped up. It was the administration that executed well in an unknown situation and this is not mainly due to structure, but it is because there are many people working in the administration who went above and beyond their call of duty to get this done.

Florian: And now we have France with a centralized approach while Germany has the decentralized one. What is your personally preferred version and how will both interoperate?

Chris: This really depends on the abilities. If you have good data analytics, I would prefer a centralized version, because it will send way fewer people into isolation. But if a country does not have that ability, I would prefer a decentralized version.

Gerhard: I am personally convinced of our approach. The cooperation with the French and the British has worked perfectly well. We all learned from each other and helped each other. In the end, all solutions are a combination of all systems. Will they be interoperable? I very much hope so. The European standardization institution “ETSI”, which also created GSM, has started a new industry standardization group named “ISG E4P” addressing exactly this: interoperability to allow international roaming. Hopefully this will be the framework for another international success as GSM.

Florian: The most important question probably is if people will use the app at all and what incentives will they to do so. How do you see that?

Gerhard: All public discussions initialized by Google and Apple and their European scientific partners have not helped to strengthen confidence. If this continues it will become even more difficult. Let’s take for instance the discussion on penetration. It’s wrong that at least 60% of the population has to be signed up as users. What has been found out e.g. by Dr. Fraser from the UK and his team is that when we only rely on an app (i.e. no masks, no distancing), then we require 60% penetration for the reproduction rate R0 to fall below 1.0. This is amazing! The app, however, will probably never be used as the only sensible means. When jointly used with other measures, much lower penetration numbers have a positive effect.

Chris: Everybody should install the local apps and be part of the movement. I do not believe in incentivizing this through tax breaks etc. it is a question of behaving respectfully and taking your responsibility in the community you live in. By using the app you are protecting others and yourself. it should be a no brainer to use it.

Florian: How do you see the benefit for users of a tracing app today? Does it not have more downside than upside to the individual?

Gerhard: Yes — a user today only sees reduced battery life after installing the app. There is no true incentive. It therefore is a pity that the window of opportunity was not used around Easter during the lockdown. However, a second chance could come: Many epidemiologists say that the big second wave will come in autumn. If this becomes imminent, governments could threaten that if the app is not installed across the board at penetration level X by date Y, there will have to be a second lockdown. This threat could work as an incentive.

Florian: Last question — if you had three wishes related to the corona crisis — what would they be?

Gerhard: (1) A vaccine, (2) a medication, as e.g. a cocktail like against HIV, and (3) that we as a global and social community get prepared in a completely different way against pandemics and no longer have to go into such a lockdown.


1. Debate and collaboration without getting personal. Accept that there are many solutions and learn to collaborate instead of wanting to win. Because you may always win a battle, but the war for global sustainability can only be won if we work together and act in solidarity.

2. Get to a culture in Europe where we learn to fail and then learn from failing. Generally, the topic of lifelong learning I believe is what is behind this. We need to accept that we constantly have to improve.

3. Move away from egotism to an approach based on solidarity. It’s the only way. Put facts before feelings, put community before self and truly collaborate on a global scale.

If we can learn these three things from corona all the suffering may have achieved something sustainable.

Florian: Thank you very much for our discussion, Chris and Gerhard, and thank you for all the hard work you and all your colleagues have done during the past months — all around the globe.

This interview was originally published on Medium on June 12th, 2020.

Press enter or esc to cancel