Proximity tracing and contextual integrity

8 min readApr 11, 2020


A week ago I have published simple instructions on how to make open source software for proximity-tracing, in particular how to embed a cryptographic protocol that is privacy preserving.

My previous post was very successful in engaging a large audience of developers and entrepreneurs to focus on mobile-app designs that can help cope with the COVID-19 emergency.

It was my first time trending for the #privacy topic on linkedin!

Today I will engage with the reasoning behind these developments: why they are important and how we may want to deploy proximity-tracing systems. All along this post I will briefly challenge some polarizing beliefs forming around the concepts of privacy and urgency by adding the context of local and global monitoring, the governance of these systems and more in general sharing my opinion about the state of emergency in which we are all stuck for a while.

We want to break free

Let me start with a disclaimer: I have been going through my quarantine in Italy and I’m in stuck in a military-enforced total lockdown since March 11th. I’m also keeping in close contact with medics and know fairly well the situations in hospitals over here. It doesn’t matter if you believe or not this virus is a serious threat: when a lockdown is declared, everyone is affected.

and that’s how I feel going through my days

There is a sort of reality-gap sooner or later most of us will be forced to leap over: that of the dramatic disruption of everyone’s life, regional and national economy and all sorts of family activities.

I’m not saying that “if you haven’t experienced this you know nothing”, but make sure you understand it well before drawing the conclusion that proximity-tracing is evil. Then make up your mind about an exit strategy.

Because we will all need an exit strategy: imagine how to handle the logistic curve after the inflection and what will be everyday life after this emergency. It is clear that the macro-economical tsunami that is going to hit everyone’s shore is so big that there isn’t a hill high enough to be careless.

Imagine surfing the logistic curve

Lets start sketching the needs of the exit scenarios: they are all, in a way or another, related to restart the activity in crowded spaces for which “telework” cannot work forever. Schools, factories, offices… and lets be honest, we also need to be back in pubs and hit again some dance-floor.

Let me give you another use-case for proximity-tracing, that of moving across borders: if I want to travel back from Italy to The Netherlands, how can I demonstrate through all border controls that I’ve diligently made my quarantine here, even tested myself and all my inmates before leaving, not been exposed to any infection on the way and ultimately how can I avoid doing another quarantine upon arrival?

We need solutions to these and more scenarios and we need them fast because, while having to contain the pandemic, we cannot block all economic, didactic and production activities, we cannot stop our lives and imagine living in a bunker for a year: at least over here in Europe the demographic density is too high for long-term isolation plans, besides the fact we don’t deem it sexy enough for our life styles.

I believe that proximity-tracing has incentives for its use and does not need to be obligatory.

Lets face the reality of the emergency and accept the fact that people will want to opt-in into proximity-tracing to gain freedom.

It’s wrong to think of mandatory deployments of such apps: when the baseline condition of a population is the lockdown, then the incentive to adopt the app is more than enough.

What we need to make sure is that all this tech respects the right to be forgotten and is enabled by privacy-preserving systems thanks to innovations in the field of cryptography and mobile computing.

What are the risks

Of course thinking of a nation-wide, Europe-wide or even World-wide proximity-tracing system should give the shivers to anyone relying on privacy for political and professional reasons, also medics are affected by the very existence of such systems, discriminating them as subjects at risks for going in and out of hospitals. As in any system of this kind exceptions should be contemplated and the open-world assumption applied ad-hoc to special cases, while general privacy requirements should be applied: here is a great round-up by the Chaos Computer Club.

And even in case of the best thought (IMHO) “Decentralized Privacy-Preserving Proximity Tracing” design (DP-3T) there are risks to be taken into account.

Just recently Moxie twitted a concise round-up of what can be reasonably considered critical in the protocol design announced as Apple/Google proximity-tracing joint effort and fairly similar to DP-3T:

These concerns have to be taken very seriously: even if DP-3T and similar distributed approaches follow brilliantly the privacy by design principles we sketched in the DECODE project there are strong risks of data correlation on large numbers, especially when the system is ran by tech-giants that already hold a vast quantity of people’s private data and profit from their oligopoly on what should be considered, more than ever, knowledge commons.

To balance Privacy and Urgency

I’m sharing all my reasoning here as I believe is important to go beyond the rhetorical polarization between privacy and urgency. The mediation is made possible when adding a new dimension to the discourse which is about context and scale of the system. To do this I propose the application of Helen Nissenbaum’s concept of Privacy as Contextual Integrity.

it is NOT OK to have “one app to trace them all” (artwork by Jason Ivens)

Assuming we all know well the value of privacy and considered the stakeholders at this point it doesn’t really matters how much more decentralized is a privacy-preserving design compared to another, but how far reaching are the risks of data correlation and exploitation by oligopolies whose business model is historically based on data-exploitation.

It is important to add the local/global axis to the privacy/urgency equation and start considering it a relevant variable when pondering new emergency policies that can align European nation states around an inter-operable protocol, but leave behind the idea of a single app for everyone.

Don’t trust profit-driven organisations to manage data. Systems engineered for a social purpose should be governed according to social concerns and priorities.

What we need big-tech corporations to provide different constituencies with is the access to build and distribute purpose-driven applications adhering to principles of privacy and decentralization. Bluntly put, all they need to do is provide fair access to the digital infrastructure: because that is not really there, locked away from developers by means of app market policies and low-level hardware access locks.

I believe is very bad if Google+Apple will develop the app and provide this service to the world. But they aren’t! providing an SDK is a good contribution to our needs!

Companies are welcome to improve their APIs and grant community and public-sector developers access to markets. Thanks to new technologies nor companies (TELCOs) nor States need to provide a world-wide service for tracing. If a private central entity does (i.e. TELCO state monopoly or mega-corp) should be addressed as an anti-trust issue and seen as an attempt of data-grabbing because their data-correlation capacity is immense. If a public central entity does (State, Police etc.) it should be seen as a violation of civil rights.

Is monitoring all we need?


We need to make authenticated data portable across policy frameworks while identities must be disposable.

When adopting emergency lockdown measures that extend roles of public-order to poorly trained people or even worst military units, then the risks of power being exercised in deviance from the norm are very high and they go from street-level discrimination up to a coup d’etat in case of large scale civil unrest. These scenarios must be avoided at all costs.

Emergency measures must be applied in the most neutral way possible: no judgement shall be made outside of courtroom and criminal imputations should be the very last resort.

We need zero-knowledge proof credentials and localized adaptable open source frameworks for on-site and on-line authentication.

People trying their best to comply with the situation and protect their family must be guaranteed that no-one wearing a uniform will prevaricate the role and take advantage. If you think I’m exaggerating here is just because you haven’t seen from close what happened in Egypt in the past 20 years.

Over here we have been printing and carrying “self-certification” sheets of paper mandatory to negotiate and sign ad-hoc declarations with police or military units stopping us on the streets; a criminal penalty accusation can be inflicted at any time when we are deemed in violation of rules that have been changing every week.

going on like this we may end up wearing our self-certified declarations as t-shirts

In fact this is my biggest fear for the South of Italy and the Mediterranean poorer areas in general: knowing well my land of birth and its bitter roots that peasant societies dip into social banditry, considering the economic shock we will all witness, the credit crunch hitting low GDP zones and the liquidity in the hands of Mafia, I must admit what worries me is a coming emergency of political nature.

This is a tough time for policy makers: this is not an exercise and there is no room for mistakes, it may well be Europe’s final exam.