Implementing a secure contact tracing system

Contact tracing means identifying people who have been in close proximity to each other for a certain duration of time. In recent days the COVID19 pandemic has brought this topic into the attention of governments trying to contain the outbreaks of the disease. However, there have been widespread concerns about the user’s data and privacy being compromised via the contact tracing app. The following report provides a useful database and analysis of the currently available apps that do contact tracing:
https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/

As can be seen from the above report, a large chunk of those apps are considered invasive and do not clearly outline how they actually work, and what they do with the potentially sensitive data that they capture from the user’s device.

A possible design for a transparent and secure contact tracing solution

The Bluetooth and GPS enabled smartphones carried by the population are the most commonly used devices for contact tracing. The following method can be adopted for implementing a contact tracing solution:
  1. It is assumed that a person when moving about in the community will most likely be carrying his/her smartphone along.
  2. Thus, the proximity of two smartphones can be a reasonable approximation of the physical proximity of the two individuals carrying those devices.
  3. Develop an app which can scan for other devices in its proximity. Each installation of this app is assigned a secure and globally unique ID to distinguish one person from another.
  4. This app is distributed to the people in communities that we want to monitor.
  5. Once deployed in the community, the app can monitor its proximity to other devices that have this app installed.
  6. When a person carrying this app is diagnosed as COVID19 positive, his app can transmit this information along with its GUID to a central server. The server can then notify everyone else with the app about this event. The individual apps can then run an algorithm to determine if they too have an exposure due to being in proximity to the affected one.
Following are the major design issues that need to be addressed in such a solution:
  1. How to reliably detect the close proximity of two devices? We are interested in detecting a proximity of 10 feet and lower.
  2. How to ensure that the app does not cause major resource draining on the user’s smartphones? For example, impact on battery, and unnecessarily keeping the radio ON is of prime concern.
  3. Should the proximity data storage, and its processing for determining the exposure be done on the user device itself, or at a central server?
  4. How to ensure that the users are in complete control of their privacy, and at the same time the government epidemic management personnel are also able to know about the exposure events?
  5. How to detect and handle malicious or accidental false alarms?
    1. Consider a case of two adjoining houses with a shared wall, or two houses on adjacent storeys.
    2. A phone with the app deliberately taken to a COVID19 quarantine facility, and then shipped around a densely populated area.
The first three issues are primarily technology issues, while for the last two a careful process design is as crucial as the technical design.
  1. For detecting the proximity one can leverage the Nearby Connections API (https://developers.google.com/nearby/connections/overview) on Android.
  2. Resource usage by the app can be optimized by using some heuristics about movement patterns of the users. For example, when it is night time and when the user is at home, we can limit the scanning of proximity.
  3. Manual overrides, and schedule based enabling/disabling of proximity tracking should be provided in the app.
  4. The COVID19 incubation period (plus some buffer days) in a person can be taken as the upper limit on the data retention period on the app. For example, we can keep only the most recent 20 days of proximity data on the app.

Ensuring user’s data security and privacy

  1. A fundamental assumption in our design is that:

    i) The onus is on the users for the following:
       - Reporting the detection or the symptoms of COVID19
       - Checking if the user has had an exposure due to being in proximity with an infected person.
    That is, the users themselves are responsible to watch their own health and well being.

    ii) The government does not access the proximity data traces of the app.

  2. The app does not capture any PII of the user. Not even the device identification etc.
  3. Each installation of the app will have a secure GUID which will be generated by the app itself.
So how will the government find out about the outbreaks via this app? This can be handled via a combination of technology and processes at the healthcare providing facilities as follows:
  1. First, the government can make this app mandatory for everyone or for at least those who wish to get medical assistance or certain services. Since this app does not capture any PII, the users are unlikely to have any privacy concerns.
  2. On noticing the COVID19 symptoms a user is most likely to visit a healthcare provider. If detected positive for infection, the healthcare provider can require the user’s app to securely publish his positive diagnosis status to the central server.

    Note that, no PII is ever sent to the server. Only the GUID of the app, and the broad location will be shared. For example, instead of sharing the precise location of the device, the app will provide the name of the ward in a municipality, or name of the village etc. which should be enough for the pandemic management agencies to take necessary containment steps in that area.

    The public will get confidence in the government’s intent when they see that it is not interested in peeking into citizen’s privacy. It will encourage the public to adopt the protocol and be proactive in participation.
  3. On receiving a positive infection event, the central server will push the data (basically just the GUID) about the infected app to everyone. Alternatively, the app can itself poll the server at regular intervals.
  4. On receiving the notification, the app can run an algorithm to check if it too has come in contact with that person. If yes, the app will advise alert the user to seek medical attention, and also notify the central server about the newly detected exposure. The server in turn will send a fresh round of notifications to everyone. The process continues until no new exposure is determined.
  5. If the exposure rate is higher than a threshold, the central server can alert the appropriate government agencies. The data about current exposures can also be made available via website to the general public.

Comments

Popular posts from this blog

Data leakage possibilities with Aadhaar based e-KYC systems

Cost of ownership for a car