In recent weeks my colleagues at CriticalBlue/Approov have been following the race to build contact tracing smartphone apps in the worldwide fight against COVID-19. Such apps are a powerful weapon in controlling the growth of infection by automating the scaling of the contact tracing process.
By tracking interactions between people, the apps allow instant user notification for anyone who has recently been in close proximity with anyone later diagnosed with COVID-19. This allows immediate social distancing or self isolation measures to be instituted for that potential infected user, slowing the spread of the virus.
These apps were not widely available during the initial phase of the pandemic, but they may still have a crucial role to play as we emerge from social lockdowns. We have some specific suggestions about how this can be achieved while maintaining anonymity.
Contact tracing apps are primarily based on the collection of time and location data of users, allowing historical interactions to be recognized and then communicated. Data may be extracted from existing app feeds or telecom provider location data.
Alternatively, a purpose built app that specifically tracks location may be employed. Such extreme measures may need to be taken to save lives, but this application of data tracking brings with it huge issues of privacy. Moreover, the location data collected may be of relatively poor quality, especially for indoor locations without GPS line of sight.
Recently there have been numerous discussions about using Bluetooth for this purpose. This is a ubiquitous standard for short range communication that can, in principle, be co-opted to directly measure the proximity and duration between devices, and by extension their owners.
It also has many advantages in terms of preserving privacy as explained in this great Bluetooth tracking and COVID-19 tech primer.
In late March, the Singapore Government launched the TraceTogether app. This is an opt-in Bluetooth tracing app. It appears the app works by assigning each app user with sets of randomized IDs that are advertised over Bluetooth, and detected by other devices via scanning.
The developers have thought hard about privacy, although it is still necessary for the app user to register their phone number with the Ministry of Health.
We have also been thinking about this particular problem for some weeks and are now contributing our ideas on the topic. We hope they can help those working on these problems. We have posted a repository here with a whitepaper.
In particular we have been thinking about how an improved privacy model allows a true peer-to-peer communication model where anonymity and full privacy is maintained throughout. There is no requirement to disclose contact information to any central authority.
On a more practical implementation level, we are also suggesting the use of a standard called iBeacon for Bluetooth communication. This is a way for devices to broadcast a fixed identity to phones that are moving near them.
The primary application is really for advertising purposes. A user can walk up to an iBeacon in a shop, for instance, and the detection of the proximity causes some notification to pop up on their phone. iBeacons are not really designed to transmit other data. However, they do have great software support on both iOS and Android, and allow beacon detection even when a phone is locked.
We think they can be leveraged to help with the usability of these contact tracing apps. We also think that this type of technology can help with practical evaluation of social distancing measures.
We are interested in speaking to any groups currently building privacy preserving contact tracing apps. We believe we can usefully contribute to building a Software Development Kit (SDK) that implements the protocol we have outlined.
Of course, the success of such apps requires a high percentage of the population to be using the same app, or at least ones observing the same protocol or providing interoperability. We really welcome the efforts of PEPP-PT to make this a reality.
Whatever protocol and approach ultimately proves the most successful, it will require some backend API endpoints that the apps communicate with. We have significant expertise in this area and could contribute to ongoing efforts. It can be easy to forget some of the basic principles of API security when rushing to build such a needed solution.
API endpoints must scale to population-wide data collection while also being protected against malicious attacks by bad actors wanting to undermine the system. Given the likely relevance of these apps in the near future and their potential role in gradually allowing us to exit lockdown, we are really talking about issues of national security.
Unfortunately, there is potentially a tradeoff between allowing anonymity in the app versus the measures that need to be taken to protect its backend components. We hope though that this consideration doesn’t push us into a world where personal privacy is severely compromised. We will publish more blog posts and resources as we learn more.
Please take a look at our Privacy Preserving Proximity whitepaper. We welcome any and all feedback at the Approov bluetooth-p6 repo. We hope to contribute to the fight against COVID-19.