Open-source contact tracing, part 1 [LWN.net]

June 24, 2020

This article was contributed by Marta Rybczyńska

One of the responses to the COVID-19 pandemic consists of identifying contacts of infected people so they can be informed about the risk; that will allow them to search for medical care, if needed. This is laborious work if it is done manually, so a number of applications have been developed to help with contact tracing. But they are causing debates about their effectiveness and privacy impacts. Many of the applications were released under open-source licenses. Here, we look at the principles of these applications and the software frameworks used to build them; part two will look into some applications in more detail, along with the controversies (especially related to privacy) around these tools.

COVID-19 tracing principles

The main goal of COVID-19 tracing applications is to notify users if they have been recently in contact with an infected person, so that they can isolate themselves or seek out testing. The creation of the applications is usually supported by governments, with the development performed by health authorities and research institutions. The Wikipedia page for COVID-19 apps lists (as of early June 2020) at least 38 countries with such applications in use or under development, and at least eight framework initiatives.

The applications trace the people that the user has had contact with for a significant period (for example, 15 minutes) with close physical proximity (a distance around one meter). The complete tracing system usually consists of an application for mobile phones and the server software.

For the distance measurement and detecting the presence of other users, GPS and Bluetooth are the technical solutions used in practice. GPS only appears in a small number of projects because it does not have enough precision, especially inside buildings. It also does not work in enclosed spaces like underground parking and subways.

Most countries have chosen to develop a distance measurement using Bluetooth, generally the Bluetooth Low Energy (BLE) variant, which uses less energy than the classical version. This is important as the distance measurement is done by mobile phones, and so Bluetooth will need to be active most of the time.

The Bluetooth protocol was not designed for these kinds of tasks, though, so research has been done on ways to measure distance accurately. A report [PDF] from the Pan-European Privacy-Preserving Proximity Tracing project shows that it is possible to measure distance using BLE signal strength, specifically received signal strength indication (RSSI). In a contact-tracing system using Bluetooth, the distance measurement is made by the two phones communicating using a specific message format. Since the formats differ between applications, communication is only guaranteed to work if both phones are using the same application.

Centralized versus decentralized

Storing and communicating contacts is the main functionality of COVID-19 tracing applications. Two main approaches exist: centralized and decentralized, while applications may mix ideas from both models.

To understand the difference between those two types of systems we need to take a look on how user identification works. Each user obtains a random global ID number either from the central authority in the centralized approach or as generated by the application for decentralized systems. Since this is the global identification for the user, it reveals their identity. To preserve privacy, this global ID is never exchanged with peers (i.e. other phones) when registering the encounters, though it may be known by the server. Instead, the global ID is used as a seed to generate temporary IDs using a cryptographic hash function (like SHA-256), or an HMAC, taking as an input the global ID and a changing value, like an increasing number or an identification of a time slot. Temporary IDs change frequently, for example every 15 minutes, and they are broadcast for the other users to register.

Centralized systems use a single server (usually controlled by the health authorities), which generates and stores the global IDs of users. When a user is infected, their contact log is uploaded to the health authorities. People who have been in contact then get notified. The technical solutions vary, from manual operation to one that is automated in the application. That process is handled by the health authorities; the user application just receives a result.

Decentralized systems rely on the user's phone to generate both the global and temporary IDs. In those systems, the global ID may also change periodically. When a user is infected, they should upload their temporary IDs, or the information needed to generate them, to a common server. Other users download the shared infection data and their applications search for a contact. This paper [PDF] provides details of a few different decentralized protocols.

The main difference between the two approaches is in who generates the IDs, whether the central server knows them and the identities associated with them, and who calculates the infection risk. Both solutions need a central server to exchange lists of IDs for infected people.

Frameworks

Development of a tracing system first requires a contact-tracing protocol and then an application. Applications are typically developed by the government agencies, and they use one of the existing frameworks (protocols) or create a new one. A number of such frameworks were developed, most of them have at least part of their code released as open source. Here we look at some of them that are, or have been, used in deployed applications.

Temporary Contact Numbers Protocol

The first framework released was the Temporary Contact Numbers Protocol (TCN), which was initially developed by Covid Watch, then maintained by the TCN Coalition. The source code for this decentralized framework, including the protocol and reference implementation, is available under the Apache software license.

Devices using TCN broadcast randomly generated, temporary contact IDs; at the same time, the devices record all of the received ones. The Covid Watch white paper [PDF] gives an overview of the protocol. The actual implementation uses numbers derived from periodically changed keys (the TCN project README provides the cryptographic details), to minimize the data set that needs to be sent when a person is infected. All of the keys that are generated by the user's device are sent to the central server only if the user gets infected.

The TCN framework allows for variations in the implementation; for example, whether or not a central health authority needs to verify an infection report. TCN is (or was) used in a number of tracing applications, including the US-based CoEpi and German ito.

Decentralized Privacy-Preserving Proximity Tracing

Decentralized Privacy-Preserving Proximity Tracing (DP-3T or DP³T) is a decentralized protocol, similar to TCN. It was developed by a number of European research institutions. Its white paper [PDF] describes the algorithm in detail and gives an overview of the security challenges.

The generation of seed values and temporary identifications is performed by the phone, which also computes the risk of infection. The phone only downloads the parameters needed to determine the infection risk (e.g. duration of contact, signal strength) from the health authorities. DP-3T includes a set of additional features to increase privacy. All phones running the application upload dummy contact data to minimize the risk of revealing infected users. It also has an option to allow the infected users to split and edit the report, for example to exclude certain days or time periods.

DP-3T source code is available under the Mozilla Public License 2.0 and the project includes a work-in-progress implementation using the Exposure Notification API.

Exposure Notification API

The Exposure Notification framework was released in April 2020 by Google and Apple. It seems to be inspired by TCN and DP-3T, and has many similarities with them. It uses the same type of periodically changing keys (the cryptographic specification [PDF] gives the details).

The protocol that was part of the application in TCN, DP-3T, or other frameworks, is implemented in Android and iOS, then provided as the Exposure Notification API [PDF]. It includes proximity detection and logging of the encountered keys, but not the notification of an infection; that part needs to be implemented in the application itself. The Exposure Notification API can be used only from applications provided by public health authorities. The specifications are available, but the source code of the implementation is not. The Google terms [PDF] include some specific requirements for the applications, including: only one application per country, that a public health authority must be responsible for all of the data stored, and that no advertising is allowed in the application.

A reference application for Android and an example server implementation are both available as source code under the Apache license. Since the release of the framework, applications that were ported to it include the Italian Immuni (source code under AGPL 3.0) and the Polish ProteGo Safe (source code under GPL 3.0). Another example is Covid Watch, which was one of the original supporters of TCN, but its application replaced TCN with the Exposure Notification framework in May 2020.

The Exposure Notification API solves one problem that many independent applications have encountered (the BlueTrace paper [PDF] describes the problem on page 7): on iOS, Bluetooth location measurement only works if the application is in the foreground. Since the French application does not use the API, the French government has asked Apple to allow background Bluetooth for other applications.

Applications and beyond

In this article, we explained the purpose of contact-tracing applications, the technology they use, and described the reasons they work this way. In the second article, which is coming soon, we will look deeper into some specific applications (that use existing frameworks or develop their own protocols). We will look at how they work, but also cover their open-source availability. Finally, we will consider the controversies and open questions about the deployment of these applications.

Index entries for this article
GuestArticles	Rybczynska, Marta

to post comments

Open-source contact tracing, part 1

Posted Jun 24, 2020 19:25 UTC (Wed) by logang (subscriber, #127618) [Link] (18 responses)

There are so many problems with contact tracing apps it's not even funny. The apps will not be effective even if the privacy/protocol problem was solved (or we accepted the privacy invasion), the bluetooth distance finding problem was solved, and the myriad of other issues the apps have (like some platforms require the app to be open to work at all, or the require a newer version of the OS so potential users with older hardware are shut out). It's no wonder the number of people installing these apps are low.

The apps will *always* have significant false positives and false negatives. For example, if I'm in my home, my neighbor may appear to be within 6 feet of me for a long duration even though we are actually separated by a wood wall; or if I'm at a restaurant with booths, or partitions between tables, I might be seen to infect the dinner at the next table when in fact this isn't possible. Meanwhile, the person I'm dining with might not be able to use the app so they're not counted or the server who only is in front of us for a minute at a time might not count depending on the policy that's chosen for infection time (which can never be accurately chosen).

The thing that really irks me is that some technological solitionist push these apps as if they are magic. If only the app had a 60% uptake, then it would be as good as a vaccine. This is clearly nonsense. Some are even mixing in the usual buzzwordy solutions: add an AI to warn people when it thinks that we shouldn't go out (even though we have nothing to train it with or evaluate it's performance), or add "blockchain" to solve the privacy problem (even though it's well known that blockchain offers zero privacy protection).

What we should be doing is not focusing on the technology so much and instead focus on the people. Health authorities should publish guidelines that ask citizens to help with the contact tracing problem by, for example, keeping a diary of who they interact with and voluntarily sending their diary for the past two to three weeks in case of infection. People can do this with pen and paper, or we can add technology to help. For example, you could design an optional app that helps a user record their interactions and reminds them to to fill in their diary at the end of the day. Such an app could then potentially add bluetooth contact tracing as an additional data source (ie. it could let the user know it saw a contact at a certain time of the day and the user could then annotate who/what that might have been). Such a scheme has a much better chance of being effective and also gives citizens something to do to feel engaged. Of course not everyone is going to voluntarily do this, but the same can be said of installing a magic app and people who don't have compatible hardware can still participate in some way. More over, the user will now know exactly what data they will be sending to the health authority, instead of some nebulous list of every other phone they might have been near at some point in time.

But it seems, instead, we live with the myth of magic technology where the world's problems can be solved simply by getting people to install an app on their phone and forget about it.

Open-source contact tracing, part 1

Posted Jun 24, 2020 21:24 UTC (Wed) by kleptog (subscriber, #1183) [Link] (11 responses)

> The apps will *always* have significant false positives and false negatives.

Perfect is the enemy of good. The app does not have to be perfect to be effective. It's not going to replace standard contact tracing, it's going to help fill the gaps that cannot done by human interaction.

You get a signal you have been in the neighbourhood of someone who had it, you go to the testing station, get the results at the end of the day. This is vastly simpler that asking people to keep diaries. Currently only 1 in 10 people who turn up during contact tracing actually test positive anyway. So this app makes it 1 in 20, big deal.

> keeping a diary of who they interact with and voluntarily sending their diary for the past two to three weeks in case of infection.

How is this going to help with the people sitting behind you in the bus/train? Or those near you in a movie theatre/concert? Unless you're planning to continually ask the names of every person that stands near you, it's pointless. And frankly, I'm not going to hand out my contact details to random people on the bus.

People don't need diaries to recall which people they know they were near the last few days. It's the people they don't know that are the problem being solved here.

Personally I think the uptake will be higher amongst people who take public transport daily. Even if only those people did it (maybe <10% of the population) that would cover a significant part of the problem.

For me, the stupidest part of this is how the apps won't be compatible with each other. In Europe where millions of people cross borders daily this is completely brain-dead.

Open-source contact tracing, part 1

Posted Jun 24, 2020 21:42 UTC (Wed) by logang (subscriber, #127618) [Link] (10 responses)

In my opinion we are a long way from "good"; "perfect" is a pipe dream.

I think physical distancing and encourage mask use in public is the better solution for random people on the bus, on the street or in a store. If it's not possible to keep distance in these situations then we need better policy to limit occupancy, etc.

Contact tracing allows us to go out and public and actually interact with people as it is the real interactions that need tracing the most. Having a conversation with someone, face to face, with no mask (ie. because you are eating or drinking) caries a far higher risk than being a few feet away from people in public while wearing a mask. And if you can remember every conversation you've had in the past three weeks, then great, you don't need a diary.

It also seems a bit contradictory that you won't hand out your contact information on a bus, but you advocate for letting an App do exactly that, or have an App tell a central authority about every interaction you have.

Open-source contact tracing, part 1

Posted Jun 24, 2020 23:28 UTC (Wed) by iabervon (subscriber, #722) [Link] (2 responses)

You're not actually handing out your contact information with the good scheme. You're giving out a random number that you could use to tell anyone who got it that you want them to know one particular thing, and you pick a different one every 15 minutes. It's a random phone number that only makes outgoing calls, and I give it out so that people who get it know to pick up and get the message. Furthermore, I can't call anyone in particular (even if I got a number from them), I can only call the entire population of the country, and they block calls from every number they don't recognize.

In particular, unless I choose to reveal my secret key: (a) nobody can contact me at all without me going looking for messages for me; (b) nobody can tell I'm the same person an hour later. Even if I reveal my secret key, nobody can tell who my contacts are, aside from each of my contacts being able to tell that they're one of them, and even they can't tell it was me unless they remember (and knew) who they were around at that time.

As far as whether it's beneficial: I haven't gotten tested at all, like 90% of the people in my state. I'm 99% sure that I haven't gotten infected more than 2 weeks ago, since I've got a bunch of housemates, and none of us have have symptoms. There's unused capacity to test more people here, but we can't test everybody at once (for social distancing reasons, if nothing else). It would be useful if the system told 5000 people a day to get tested, even if only 5% of those tests came back positive, since we could easily test 5000 more people every day and our current positive rate is only 1.9%. It would be a somewhat more useful application of 5000 tests than each person randomly deciding to get tested one out of every 2000 days, even if our masks were 95% effective at making our contacts safe.

Open-source contact tracing, part 1

Posted Jun 25, 2020 19:53 UTC (Thu) by Wol (subscriber, #4433) [Link] (1 responses)

> As far as whether it's beneficial: I haven't gotten tested at all, like 90% of the people in my state. I'm 99% sure that I haven't gotten infected more than 2 weeks ago, since I've got a bunch of housemates, and none of us have have symptoms.

I've been tested twice, been positive twice, and NEVER had any symptoms. So I don't think your logic is good ...

Cheers,
Wol

Open-source contact tracing, part 1

Posted Jun 25, 2020 21:56 UTC (Thu) by iabervon (subscriber, #722) [Link]

None of my house of 5 adults who haven't been taking any precautions around each other have gotten symptoms, and our area only has around a 5% rate of having been infected. So I'm not entirely sure, but 99% sure seems about right.

Open-source contact tracing, part 1

Posted Jun 25, 2020 4:05 UTC (Thu) by marcH (subscriber, #57642) [Link] (6 responses)

> Having a conversation with someone, face to face, with no mask (ie. because you are eating or drinking) caries a far higher risk than being a few feet away from people in public while wearing a mask.

Right, and to lower the reproduction number we need every practical tool we can find for any sort of situation because there's no miracle cure yet. I realize this is an alien concept in today's very binary world.

> In my opinion we are a long way from "good"

"good" is anything that lowers the reproduction number - no matter by how little. This has been explained in pretty much every set of recommendations from any serious agency.

Compared to all the other, massive economic losses caused by the virus, the cost of these apps is negligible. So to describe them as "bad" you must prove that they have not just _zero_ impact on the reproduction number but also that they have serious issues like for instance security issues.

> you won't hand out your contact information on a bus, but you advocate for letting an App do exactly that, or have an App tell a central authority about every interaction you have.

Did you read the article?

Open-source contact tracing, part 1

Posted Jun 25, 2020 16:19 UTC (Thu) by logang (subscriber, #127618) [Link] (5 responses)

>Right, and to lower the reproduction number we need every practical tool we can find for any sort of situation because there's no miracle cure yet. I realize this is an alien concept in today's very binary world.
>"good" is anything that lowers the reproduction number - no matter by how little. This has been explained in pretty much every set of recommendations from any serious agency.

If this is how it was talked about by officials and in the media it would make a lot more sense to me, but, it's not. It's usually discussed as an effective solution to the problem, not a tool that might help a little but might also be minimally effective. Other countries apps are lauded as the reason they controlled the virus while ignoring everything else they are doing or the local conditions.

I'd also caution against assuming the net gain is positive. The efficacy is questionable and the hidden costs could be a lot higher than you think. For example, people could assume the app is more effective than it is and forgo physical distancing or mask wearing because of it. This would be highly detrimental. The way the technology is designed and presented goes against fostering civic behavior and instead
undermines it with the promise of an easy, but less than effective, solution.

We also need to ensure we don't drown out or defund more effective sources of information like manual contact tracing and ensure testing bandwidth targets the reliable information before the more questionable sources. There may be random outbreaks that swamp the ability to test all the contacts and the first tests that get skipped must be the ones generated by the app.

Open-source contact tracing, part 1

Posted Jun 26, 2020 9:31 UTC (Fri) by marcH (subscriber, #57642) [Link] (4 responses)

> If this is how it was talked about by officials and in the media it would make a lot more sense to me, but, it's not. It's usually discussed as an effective solution to the problem, not a tool that might help a little but might also be minimally effective.

Seems like a very broad generalization.

Granted: for a lot of "free" media "you are the product" so they're required to make sensational claims one way or the other to keep your attention (= the product). For more serious media and officials it seemed nowhere that bad to me.

> Other countries apps are lauded as the reason they controlled the virus while ignoring everything else they are doing or the local conditions.

I've read or heard a number of stupid things on this topic but never this one yet. Where was that?

> For example, people could assume the app is more effective than it is and forgo physical distancing or mask wearing because of it. This would be highly detrimental

This is the usual logic to diminish pretty much any safety measure and I bet it's verifiable in some cases. In this case however, contact tracing does absolutely nothing to protect you personally. It merely warns you that you might have been infected so you can voluntarily stop further infecting others.

This is similar to wearing home-made mask BTW. Most people are aware they're meant to protect others, not themselves. Yet most people wear one where I live even in places where they're not mandatory.

> We also need to ensure we don't drown out or defund more effective sources of information like manual contact tracing and ensure testing bandwidth targets the reliable information before the more questionable sources.

I don't have any numbers but I can't imagine the cost of operating this app being more than negligible compared to these other things that require manpower and/or "hardware". Again, none of these are mutually exclusive.

Open-source contact tracing, part 1

Posted Jun 26, 2020 12:45 UTC (Fri) by pizza (subscriber, #46) [Link] (3 responses)

> This is similar to wearing home-made mask BTW. Most people are aware they're meant to protect others, not themselves. Yet most people wear one where I live even in places where they're not mandatory.

You are fortunate to live amongst folks that take personal safety and social responsibility so seriously.

Here (Florida, USA) folks are protesting their right to "breathe the way God intended" (I wish I was making that up)

Anecdotally, I'd say under 10% of the folks I've encountered over the past week were wearing a mask.

Open-source contact tracing, part 1

Posted Jun 26, 2020 15:14 UTC (Fri) by marcH (subscriber, #57642) [Link]

> Here (Florida, USA) folks are protesting their right to "breathe the way God intended" (I wish I was making that up)

If some parts of the USA had not been trying so hard to remove it from their education then it would have been easier to suppress this stupid and very immoral thought: natural selection.

Slightly less immoral and much more logical: how about a tough reality check?

> You are fortunate to live amongst folks that take personal safety and social responsibility so seriously.

One of the few things living here taught me: people outside the USA know it but vastly underestimate how diverse they are. Although the current president made that much more obvious, so maybe that perception has become more accurate.

Open-source contact tracing, part 1

Posted Jun 26, 2020 17:53 UTC (Fri) by Wol (subscriber, #4433) [Link] (1 responses)

> You are fortunate to live amongst folks that take personal safety and social responsibility so seriously.

Compared to the US, pretty much all the rest of the world are commie socialists :-)

As I've said so often, there are three things humanity wants, personal freedom, the ability to be rich, and a caring society. Because the first one is codified in the US constitution, and these three are a "pick any two" situation, that means looking after others gets de-emphasised.

Because other countries don't have this, we find it much easier to emphasise looking after other people at the expense of some personal freedom.

Cheers,
Wol

Open-source contact tracing, part 1

Posted Jun 26, 2020 19:18 UTC (Fri) by marcH (subscriber, #57642) [Link]

> Compared to the US,...

I think you missed my point about how diverse the states and even the places are. BTW I recommend looking at these two maps side by side, the data is visually striking: 1. 2016 election per county, 2. population density per county.

The other fact often underestimated outside the US is how much autonomy the states have. COVID numbers and policies (including contact tracing apps!) are a great reminder of that.

I've met a number of Americans who moved purely because they didn't like the state they lived in.

Open-source contact tracing, part 1

Posted Jun 24, 2020 23:04 UTC (Wed) by droundy (guest, #4559) [Link]

I know this doesn't address most of your concerns, but NOVID (http://novid.org) addresses the distance measuring in a nice way using ultrasound, which doesn't penetrate walls so easily. My workplace is supposedly using it for at least a couple of buildings. Hopefully it will do at least some good for exposures that won't show up in a diary (e.g. the guy coughing in the next stall in the restroom, all the other students in a classroom).

It does have the downside mentioned in the article that iOS users have to keep it in the foreground.

Open-source contact tracing, part 1

Posted Jun 29, 2020 9:50 UTC (Mon) by gdt (subscriber, #6284) [Link]

Australia has rejected the Apple+Google Exposure Notification API, as information about possible infection is disclosed to the phone's user rather than to the state's contact tracing agency. Australian public health officials have a firm view that the news of a possible infection should come from a public health contact tracer, not from a computer program.

Open-source contact tracing, part 1

Posted Jul 21, 2020 0:54 UTC (Tue) by gerdesj (subscriber, #5446) [Link] (3 responses)

"the bluetooth distance finding problem was solved"

I don't believe this. I have played around with iBeacons etc and the margin of error I found was at least five metres, probably more. Is the phone in your front or back pocket? Is it face to you or away? Left or right side? What sort of reflections/sinks are there near you? Are you wearing jeans or ... whatever.

BTLE was designed for advertising. As you shimmy into sight with your hipster phone into a shopping centre, the shops who paid enough would be allowed to dump shed loads of ads at you. Lovely.

Your phone with all of it's incredible technology is absolutely useless for this use case.

Open-source contact tracing, part 1

Posted Jul 21, 2020 1:06 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

> BTLE was designed for advertising. As you shimmy into sight with your hipster phone into a shopping centre, the shops who paid enough would be allowed to dump shed loads of ads at you. Lovely.
Uhh... Whut? There's no way BTLE can be used to push ads.

Open-source contact tracing, part 1

Posted Jul 28, 2020 15:25 UTC (Tue) by gioele (subscriber, #61675) [Link] (1 responses)

> > BTLE was designed for advertising. As you shimmy into sight with your hipster phone into a shopping centre, the shops who paid enough would be allowed to dump shed loads of ads at you. Lovely.
>
> Uhh... Whut? There's no way BTLE can be used to push ads.

iBeacon, that is a class of BLE devices, is born exactly to 1) track phones and 2) push notifications to them. https://en.wikipedia.org/wiki/IBeacon https://medium.com/@the_manifest/a-beginners-guide-to-bea... At the beginning you needed to install a specific listener app to receive these push notifications, but that feature is now integrated in iOS and Android https://blog.beaconstac.com/2018/01/how-to-run-a-proximit....

It is technically incorrect to say that you can push ads (or any kind of notification) over BLE. But it is correct to say that BLE is a fundamental part of iBeacon, whose whole purpose is to send unsolicited notifications to your mobile phone and that most BLE implementations in post-2018 mobile phones are iBeacon-enabled. Ergo, one can argue that BLE can be used to push ads.

Open-source contact tracing, part 1

Posted Jul 28, 2020 18:54 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

You can use any protocol to push notifications. The phones are not at all obliged to act on them, and none of the current phones (even with the tracker apps) do that.

Of course, you can install a specific listener app to get notifications. But why would anyone do that?

Open-source contact tracing, part 1

Posted Jun 25, 2020 4:33 UTC (Thu) by alison (subscriber, #63752) [Link] (4 responses)

The article is only part 1, but is there no revocation protocol? Otherwise it seems inevitable that some griefer will somehow alert every single ID that they've been exposed.

Open-source contact tracing, part 1

Posted Jun 25, 2020 6:12 UTC (Thu) by cyphar (subscriber, #110703) [Link] (1 responses)

The idea behind the Apple/Google API is that you have to have a (cryptographically) signed assertion by your national health authority that you actually did test positive. I'm not sold that this would be done correctly by national health authorities (not to mention that it would require all testing clinics and GP offices to have the keys, so you might as well just publish it in the local newspaper) but that is their proposed solution to the griefing problem. But along the same lines, the scheme also doesn't help if we discover (as we did in the US) that a batch of testkits were bad, resulting in a massive false positive rate.

Open-source contact tracing, part 1

Posted Jun 25, 2020 13:56 UTC (Thu) by alison (subscriber, #63752) [Link]

The whole discussion reminds me of that around Dedicated Short-Range Communication and the Basic Safety Message in automotive vehicle-to-vehicle communication (IEEE 1609, SAE J7235 and IETF 793/768), where every auto was to host a certificate store and issue high-repetition rate messages about its pose, velocity and fundamental status (e.g., airbag is deployed). The certificates were to be short-lived and replenishable so that a given vehicle could have a private global ID but communicate with temporary IDs that change every 10 minutes. The scheme was similar to

"this global ID is never exchanged with peers (i.e. other phones) when registering the encounters, though it may be known by the server. Instead, the global ID is used as a seed to generate temporary IDs using a cryptographic hash function".

Unfortunately, there has never been a credible scheme to distribute certificates. Imagining car dealers or gas stations perform certificate redistribution boggles the mind. There was also contention about certificate revocation for fear of griefer cars or simple base stations reporting ghost road blockages or accidents.

Open-source contact tracing, part 1

Posted Jun 26, 2020 6:26 UTC (Fri) by mrybczyn (subscriber, #81776) [Link] (1 responses)

I'm the author of the article.

There are protections against false reporting, and they depend on the application itself. In some applications the verification of the test result is manual, for example. In others it got automated, for example by using codes that get delivered with the positive test result. We'll cover that in part 2.

Note also that in most of the application you can remove your data from the phone and/or from the system.

Open-source contact tracing, part 1

Posted Jun 26, 2020 8:29 UTC (Fri) by t-v (guest, #112111) [Link]

Will there be coverage of the government-blessed German app?
https://github.com/corona-warn-app

Open-source contact tracing, part 1

Posted Jun 25, 2020 9:04 UTC (Thu) by Karellen (subscriber, #67644) [Link] (5 responses)

Each user obtains a random global ID number [...] Since this is the global identification for the user, it reveals their identity.

What? How?

Or, what exactly do you mean by "it reveals their identity"?

Open-source contact tracing, part 1

Posted Jun 25, 2020 10:49 UTC (Thu) by kleptog (subscriber, #1183) [Link] (1 responses)

> Or, what exactly do you mean by "it reveals their identity"?

It's this sort of sloppy language that makes it so hard to have sensible discussions about privacy. It matters what has been revealed to who.

Consider the statement "John from Conneticut living at house number 42 was at the beach last Tuesday". Is this violating anyone's privacy? Only if you have some database of people with locations that allow you to identify the person. But suppose it matches 50 people, have you compromised the privacy of those 50 people a little bit?

If one department of the government has such a database of names, but the statement is given to another department, have you revealed something to "the government"? Surely it's only revealed if the information is combined. Is the fact that they *could* combine the information but *don't* relevant here? Is the fact it refers to last Tuesday different from it referring to now?

There is a shitload of nuance here that doesn't really get discussed, and the language people use is very black and white. Social media / the news cycle doesn't like nuance because it doesn't score points. But only by better describing what we mean by privacy can we actually discuss what the suitable trade-offs are.

Open-source contact tracing, part 1

Posted Jun 26, 2020 6:42 UTC (Fri) by mrybczyn (subscriber, #81776) [Link]

I agree that this subject is complicated and far for binary. We'll get to back to the global IDs in part 2 in more detail.

Open-source contact tracing, part 1

Posted Jun 26, 2020 6:33 UTC (Fri) by mrybczyn (subscriber, #81776) [Link] (2 responses)

I'm the author of the article, so let me answer your questions.

This is usually a random value taken from the random pool of the device or server generating it.

In centralized system this number is linked to some information about the user, for example in the Singaporean application, the central server stores phone numbers of the users with their global IDs.

In the decentralized systems it is mostly just kept on your phone and published only if you get infected.

Open-source contact tracing, part 1

Posted Jun 26, 2020 11:24 UTC (Fri) by kleptog (subscriber, #1183) [Link]

By the way, thanks for writing on this. I'm really interested in how different countries have approached it and this may be a once-in-a-lifetime chance to test whether this idea can work. This virus has just the sweet-spot that makes this feasible (for something as infectious as the measles no app will save you).

Open-source contact tracing, part 1

Posted Jun 26, 2020 18:32 UTC (Fri) by Karellen (subscriber, #67644) [Link]

In centralized system this number is linked to some information about the user,

But in the centralized case, doesn't the central server already know who you are? If so, how does a random number that's been assigned to you "reveal your identity" to any entity who didn't already know who you were?

In the decentralized systems it is mostly just kept on your phone and published only if you get infected.

...so how would this random number "reveal your identity" in any way that wouldn't be wouldn't be revealed anyway?

I'm still not understanding the privacy leak here. Sorry, I'm honestly not trying to be snarky or anything, I just feel like I must be missing something really big and obvious.