“Contact Tracing makes it possible to combat the spread of the COVID-19 virus by alerting participants of possible exposure to someone who they have recently been in contact with, and who has subsequently been positively diagnosed as having the virus.” – Apple
The conventional deterrent to the adoption of contact tracing is the lack of privacy controls. Apple has to be involved when privacy is vital, and in the times we are living in today, having a framework that allows for privacy-focused contact tracing to limit the spread of novel viruses is extremely important. Apple and Google have collaboratively put a structure in place for enabling contact tracing while preserving privacy.
Below is a simplified explanation of how contact tracing would work using a mobile device, as described in the specification.
- Use of Bluetooth LE (Low Energy) for proximity detection (no use of location-based services, which is essential for preserving privacy)
- Generation of daily tracing keys using a one-way hash function
- Generation of rolling proximity identifiers that change every ~15 minutes and are derived from the daily tracing key.
- Advertise the device's own proximity identifiers and discover the proximity identifiers of nearby devices.
- User decides when to contribute to contact tracing
- If diagnosed with COVID-19, the user consents to upload a subset of their daily tracing keys.
To detect whether they may have come in contact with a COVID-19 positive individual, a user would:
- Download the daily tracing keys of COVID-19 positive users
- Have the contact tracing app compute the time-based proximity identifiers from the downloaded daily tracing keys on the local device
- Check whether this local device has previously recorded any of these identifiers
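The derivation and matching steps above, as an added example that is not code from the post or from the Apple/Google specification. It uses the HKDF-then-HMAC structure of the published cryptography specification, but the key labels, interval length and day numbering are assumptions chosen for illustration, and the scenario data is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

INTERVAL_SECONDS = 15 * 60                      # assumed ~15-minute rotation, as the post states
INTERVALS_PER_DAY = 86400 // INTERVAL_SECONDS   # 96 identifiers per daily key


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 16) -> bytes:
    """Minimal HKDF (RFC 5869) with an all-zero salt; one-way by construction."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def daily_tracing_key(tracing_key: bytes, day_number: int) -> bytes:
    """Daily tracing key derived from the device's long-term secret (label is an assumption)."""
    return hkdf_sha256(tracing_key, b"CT-DTK" + day_number.to_bytes(4, "little"), 16)


def rolling_proximity_id(dtk: bytes, interval: int) -> bytes:
    """Rolling proximity identifier for one interval: truncated HMAC under the daily key.
    Without the daily key, identifiers from different intervals cannot be linked."""
    mac = hmac.new(dtk, b"CT-RPI" + interval.to_bytes(4, "little"), hashlib.sha256).digest()
    return mac[:16]


def find_exposures(positive_dtks: Dict[int, bytes], observed: Set[bytes]) -> List[Tuple[int, int]]:
    """On-device matching: expand each downloaded positive daily key into that day's
    identifiers and intersect with what this device overheard. No server sees the result."""
    hits = []
    for day, dtk in positive_dtks.items():
        for interval in range(INTERVALS_PER_DAY):
            if rolling_proximity_id(dtk, interval) in observed:
                hits.append((day, interval))
    return hits


def demo() -> List[Tuple[int, int]]:
    """Constructed scenario: device A is later diagnosed; device B overheard A once on
    day 18365 during interval 40 and also recorded an unrelated random identifier."""
    tk_a = bytes(range(32))                      # fixed for reproducibility; real devices use random bytes
    dtk_a = daily_tracing_key(tk_a, 18365)
    observed_by_b = {rolling_proximity_id(dtk_a, 40), secrets.token_bytes(16)}
    return find_exposures({18365: dtk_a}, observed_by_b)  # returns [(18365, 40)]
```

All the matching device learns is the day and interval of the encounter; the uploaded daily key carries no device or user identity, which is the privacy property the next section describes.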
The above mechanism of determining if one has come in contact with a COVID-19 positive person preserves privacy by:
- Ensuring that the tracing keys cannot be reverse-engineered to compute identifying information about the originating device.
- Not associating GPS or other location services with the keys
- Performing the verification of having been in contact with a COVID-19 positive person on the local mobile device.
The specification is preliminary, and there is a strong attempt to ensure that the privacy of individuals is protected within this framework. COVID-19 positive information uploaded to central servers also DOES NOT contain any personally identifiable information. The detection itself is a decentralized process, as it is computed locally on an individual’s device. Central entities are not in control of either detecting exposure or informing people at any point in this process.
All of this works very well if everyone does their civic duty and reports when they are positive.
For broad adoption of contact tracing, there are opportunities for further improvement though. The specification should talk about the server(s) responsible for collecting uploaded information. A (mobile) device generates daily tracing keys, and although the keys themselves have no mechanism by which an external process could associate them with that device, uploading these keys from the same mobile device opens up the possibility of linking information. The IP address of a device that uploads anything to a server is always known to that server. Applications that are going to use the above privacy framework additionally need to consider connectivity-related exposure while uploading information to central servers. The specification should have a section with considerations on protections and controls for the exposure of privacy that results from connectivity.
Another area of improvement could be controls around potential abuse of this contact tracing mechanism. As per the specification, a person who has tested positive for COVID-19 opts in and uploads their daily tracing key information to central servers. The intent is for others who have been in proximity with them to know and to take action to self-quarantine to limit the spread. Pranksters or other entities may abuse it by falsely claiming to be COVID-19 positive, unnecessarily or intentionally causing general disruption. If such actions happen at a large scale, they will severely impact the reliability, credibility, and adoption of contact tracing.
Preserving privacy is not an easy problem to solve, and a larger mindshare is needed to solve these challenges.
[Detailed specification at Apple’s website]