In recent weeks we have been following the race to build contact tracing smartphone apps in the worldwide fight against COVID-19. Such apps are a powerful weapon in controlling the growth of infection by automating the scaling of the contact tracing process. By tracking interactions between people, the apps allow instant user notification if they have recently been in close proximity with anyone later diagnosed with COVID-19. This allows immediate social distancing or self isolation measures to be instituted for that potential infected user, slowing the spread of the virus. It would have been better if these apps were widely available during the initial phase of the pandemic, but they may still have a crucial role to play as we eventually emerge from full lockdown We have some specific suggestions about how this can be achieved while maintaining citizen anonymity.
The contact tracing apps are primarily based on the collection of time and location data of users, allowing historical interactions to be recognised and then communicated. Data may be extracted from existing app feeds or telecom provider location data. Alternatively, a purpose built app that specifically tracks location may be employed. Such extreme measures may need to be taken to save lives, but this application of data tracking brings with it huge issues of privacy. Moreover, the location data collected may be of relatively poor quality, especially for indoor locations without GPS line of sight.
Recently there have been numerous discussions about using Bluetooth for this purpose. This is a ubiquitous standard for short range communication that can, in principle, be co-opted to directly measure the proximity and duration between devices, and therefore their owners. It also has many advantages in terms of preserving privacy as explained in this great Bluetooth tracking and COVID-19 tech primer.
In late March the Singapore Government launched the TraceTogether app. This is an opt-in Bluetooth tracing app as explained here. It appears the app works by assigning each app user with sets of randomized IDs that are advertised over Bluetooth, and detected by other devices via scanning. The developers have thought hard about privacy, although it is still necessary for the app user to lodge their phone number with the Ministry of Health. Thus the privacy is only as good as you believe the security of that to be.
We have also been thinking about this particular problem for some weeks and are now contributing our ideas on the topic. We hope they can help those working on these problems. We have posted a repository here with a whitepaper. In particular we have been thinking about how an improved privacy model allows a true peer-to-peer communication model where anonymity and full privacy is maintained throughout. There is no requirement to disclose contact information to any central authority.
On a more practical implementation level, we are also suggesting the use of a standard called iBeacon for Bluetooth communication. This is a way for devices to broadcast a fixed identity to phones that are moving near them. The primary application is really for advertising purposes. A user can walk up to an iBeacon in a shop, for instance, and the detection of the proximity causes some notification to pop up on their phone. iBeacons are not really designed to transmit other data. However, they do have great software support on both iOS and Android, and allow beacon detection even when the phone is locked. We think they can be leveraged to help with the usability of these contact tracing apps. We also think that this type of technology can help with practical evaluation of social distancing measures.
We are interested in speaking to those groups currently building privacy preserving contact tracing apps. We believe that we could usefully contribute to building a Software Development Kit (SDK) that implements the protocol we have outlined. Of course, the success of such apps requires a high percentage of the population to be using the same app, or at least ones observing the same protocol or at least providing interoperability. We really welcome the efforts of PEPP-PT to make this a reality.
Whatever protocol and approach ultimately proves the most successful, it will require some backend API endpoints that the apps communicate with. We obviously have expertise in this area too and could contribute to the ongoing efforts. It is also important to not forget some of the basic principles of API security when rushing to build a solution. Not only do the API endpoints need to provide population-level scale, they also need to be protected against malicious attacks by bad actors that might want to undermine the system. Given the likely relevance of these apps in the near future and their potential role in gradually allowing us to exit lockdown, we are really talking about issues of national security. Unfortunately, there is potentially a tradeoff between allowing anonymity in the app versus the measures that need to be taken to protect its backend components. We hope though that this consideration doesn’t push us into a world where personal privacy is severely compromised. We will publish another blog about this particular topic shortly.
Please see our whitepaper here. We really welcome your feedback and hope we can contribute to the fight against COVID-19.