Open-source contact tracing, part 1
One of the responses to the COVID-19 pandemic consists of identifying the contacts of infected people so they can be informed about the risk and, if needed, seek medical care. This is laborious work when done manually, so a number of applications have been developed to help with contact tracing; they have, in turn, caused debate about their effectiveness and privacy impact. Many of the applications were released under open-source licenses. Here, we look at the principles of these applications and the software frameworks used to build them; part two will look into some applications in more detail, along with the controversies (especially related to privacy) around these tools.
COVID-19 tracing principles
The main goal of COVID-19 tracing applications is to notify users if they have been recently in contact with an infected person, so that they can isolate themselves or seek out testing. The creation of the applications is usually supported by governments, with the development performed by health authorities and research institutions. The Wikipedia page for COVID-19 apps lists (as of early June 2020) at least 38 countries with such applications in use or under development, and at least eight framework initiatives.
The applications trace the people that the user has had contact with for a significant period (for example, 15 minutes) with close physical proximity (a distance around one meter). The complete tracing system usually consists of an application for mobile phones and the server software.
For the distance measurement and detecting the presence of other users, GPS and Bluetooth are the technical solutions used in practice. GPS only appears in a small number of projects because it does not have enough precision, especially inside buildings. It also does not work in enclosed spaces like underground parking and subways.
Most countries have chosen to develop a distance measurement using Bluetooth, generally the Bluetooth Low Energy (BLE) variant, which uses less energy than the classical version. This is important as the distance measurement is done by mobile phones, and so Bluetooth will need to be active most of the time.
The Bluetooth protocol was not designed for these kinds of tasks, though, so research has been done on ways to measure distance accurately. A report [PDF] from the Pan-European Privacy-Preserving Proximity Tracing project shows that it is possible to measure distance using BLE signal strength, specifically received signal strength indication (RSSI). In a contact-tracing system using Bluetooth, the distance measurement is made by the two phones communicating using a specific message format. Since the formats differ between applications, communication is only guaranteed to work if both phones are using the same application.
Centralized versus decentralized
Storing and communicating contacts is the main functionality of COVID-19 tracing applications. Two main approaches exist, centralized and decentralized, though applications may mix ideas from both models.
To understand the difference between those two types of systems we need to look at how user identification works. Each user obtains a random global ID number, either from the central authority in the centralized approach or generated by the application in decentralized systems. Since this is the global identification for the user, it reveals their identity. To preserve privacy, this global ID is never exchanged with peers (i.e. other phones) when registering encounters, though it may be known by the server. Instead, the global ID is used as a seed to generate temporary IDs using a cryptographic hash function (like SHA-256) or an HMAC, taking as input the global ID and a changing value, such as an increasing counter or the identifier of a time slot. Temporary IDs change frequently, for example every 15 minutes, and they are broadcast for the other users to register.
Centralized systems use a single server (usually controlled by the health authorities), which generates and stores the global IDs of users. When a user is infected, their contact log is uploaded to the health authorities. People who have been in contact then get notified. The technical solutions vary, from manual operation to one that is automated in the application. That process is handled by the health authorities; the user application just receives a result.
Decentralized systems rely on the user's phone to generate both the global and temporary IDs. In those systems, the global ID may also change periodically. When a user is infected, they should upload their temporary IDs, or the information needed to generate them, to a common server. Other users download the shared infection data and their applications search for a contact. This paper [PDF] provides details of a few different decentralized protocols.
The main difference between the two approaches is in who generates the IDs, whether the central server knows them and the identities associated with them, and who calculates the infection risk. Both solutions need a central server to exchange lists of IDs for infected people.
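The ID derivation and the decentralized matching step described above, as an added worked example in Python (not code from TCN, DP-3T, the Exposure Notification framework or any other project named here); the 15-minute slot and exposure threshold are the article's example values, while the names, byte lengths and the seed-plus-slot-range report format are assumptions chosen for illustration:

```python
"""Toy decentralized contact-tracing model (added example, not code from TCN, DP-3T
or the Exposure Notification framework). Per the article: a per-device global seed
is never broadcast; temporary IDs are derived from it with an HMAC over a time-slot
counter and rotate every slot; infected users publish their seeds and every other
phone regenerates the IDs locally and matches them against its own contact log.
Slot length and exposure threshold (15 minutes) are the article's example values;
names, byte lengths and the seed-plus-slot-range report format are assumptions."""
import hashlib
import hmac
import secrets
from collections import defaultdict

SLOT_SECONDS = 15 * 60          # temporary IDs rotate every 15 minutes
EXPOSURE_THRESHOLD_S = 15 * 60  # cumulative contact time that counts as exposure
TEMP_ID_LEN = 16                # bytes of HMAC output actually broadcast (assumption)


def slot_index(timestamp: int) -> int:
    """Number of the 15-minute slot a Unix timestamp falls in."""
    return timestamp // SLOT_SECONDS


def temp_id(seed: bytes, slot: int) -> bytes:
    """HMAC-SHA256(seed, slot), truncated. Without the seed, IDs from two slots
    cannot be linked to the same device, which is the privacy property relied on."""
    mac = hmac.new(seed, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:TEMP_ID_LEN]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.seed = secrets.token_bytes(32)  # the "global ID": stays on the device
        self.log = []                         # (slot, received_temp_id, seconds_seen)

    def broadcast(self, timestamp: int) -> bytes:
        """What this phone advertises over BLE during the given slot."""
        return temp_id(self.seed, slot_index(timestamp))

    def record(self, timestamp: int, received: bytes, seconds: int) -> None:
        """A scan saw `received` for `seconds` in this slot; only the ID is stored."""
        self.log.append((slot_index(timestamp), received, seconds))

    def infection_report(self, first_slot: int, last_slot: int) -> dict:
        """What an infected user uploads: the seed and the slot range it covers.
        (Real protocols upload per-day keys; the effect for matching is the same.)"""
        return {"seed": self.seed, "first_slot": first_slot, "last_slot": last_slot}

    def exposure_seconds(self, reports: list) -> int:
        """Regenerate every reported device's IDs for the slots it covers and sum the
        time this phone saw any of them. Runs entirely on the phone; the server
        never sees this phone's log or seed."""
        seen = defaultdict(int)
        for slot, rid, seconds in self.log:
            seen[(slot, rid)] += seconds
        total = 0
        for r in reports:
            for slot in range(r["first_slot"], r["last_slot"] + 1):
                total += seen.get((slot, temp_id(r["seed"], slot)), 0)
        return total

    def exposed(self, reports: list) -> bool:
        return self.exposure_seconds(reports) >= EXPOSURE_THRESHOLD_S


def simulate() -> dict:
    """Constructed scenario: Alice shares a 20-minute train ride with Bob that spans
    two slots, passes Carol for 2 minutes, and Bob later tests positive."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    t0 = 1_593_000_000                                   # arbitrary Unix time
    t1 = t0 + SLOT_SECONDS                               # the following slot
    alice.record(t0, bob.broadcast(t0), 600)             # 10 minutes in slot A
    alice.record(t1, bob.broadcast(t1), 600)             # 10 more in slot B
    alice.record(t0, carol.broadcast(t0), 120)           # brief, below threshold
    # Bob's infectious window: +/- one day around the ride (96 slots of 15 minutes).
    reports = [bob.infection_report(slot_index(t0) - 96, slot_index(t0) + 96)]
    return {
        "bob_ids_rotate": bob.broadcast(t0) != bob.broadcast(t1),  # True
        "alice_seconds": alice.exposure_seconds(reports),          # 1200
        "alice_exposed": alice.exposed(reports),                   # True
        "carol_exposed": carol.exposed(reports),                   # False
    }


if __name__ == "__main__":
    print(simulate())
```

Carol's two minutes in Alice's log are never matched because Carol published no seed, and Bob's two slot IDs only become linkable once his seed is downloaded; that is the trade-off the decentralized design makes.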
Frameworks
Development of a tracing system first requires a contact-tracing protocol and then an application. Applications are typically developed by government agencies, which either use one of the existing frameworks (protocols) or create a new one. A number of such frameworks have been developed; most of them have at least part of their code released as open source. Here we look at some of those that are, or have been, used in deployed applications.
Temporary Contact Numbers Protocol
The first framework released was the Temporary Contact Numbers Protocol (TCN), which was initially developed by Covid Watch, then maintained by the TCN Coalition. The source code for this decentralized framework, including the protocol and reference implementation, is available under the Apache software license.
Devices using TCN broadcast randomly generated, temporary contact IDs; at the same time, the devices record all of the received ones. The Covid Watch white paper [PDF] gives an overview of the protocol. The actual implementation uses numbers derived from periodically changed keys (the TCN project README provides the cryptographic details), to minimize the data set that needs to be sent when a person is infected. All of the keys that are generated by the user's device are sent to the central server only if the user gets infected.
The TCN framework allows for variations in the implementation; for example, whether or not a central health authority needs to verify an infection report. TCN is (or was) used in a number of tracing applications, including the US-based CoEpi and German ito.
Decentralized Privacy-Preserving Proximity Tracing
Decentralized Privacy-Preserving Proximity Tracing (DP-3T or DP3T) is a decentralized protocol, similar to TCN. It was developed by a number of European research institutions. Its white paper [PDF] describes the algorithm in detail and gives an overview of the security challenges.
The generation of seed values and temporary identifications is performed by the phone, which also computes the risk of infection. The phone only downloads the parameters needed to determine the infection risk (e.g. duration of contact, signal strength) from the health authorities. DP-3T includes a set of additional features to increase privacy. All phones running the application upload dummy contact data to minimize the risk of revealing infected users. It also has an option to allow the infected users to split and edit the report, for example to exclude certain days or time periods.
DP-3T source code is available under the Mozilla Public License 2.0 and the project includes a work-in-progress implementation using the Exposure Notification API.
Exposure Notification API
The Exposure Notification framework was released in April 2020 by Google and Apple. It seems to be inspired by TCN and DP-3T, and has many similarities with them. It uses the same type of periodically changing keys (the cryptographic specification [PDF] gives the details).
The protocol layer that, in TCN, DP-3T, and other frameworks, was part of the application is here implemented inside Android and iOS themselves and provided as the Exposure Notification API [PDF]. It includes proximity detection and logging of the encountered keys, but not the notification of an infection; that part needs to be implemented in the application itself. The Exposure Notification API can be used only from applications provided by public health authorities. The specifications are available, but the source code of the implementation is not. The Google terms [PDF] include some specific requirements for the applications, including: only one application per country, that a public health authority must be responsible for all of the data stored, and that no advertising is allowed in the application.
A reference application for Android and an example server implementation are both available as source code under the Apache license. Since the release of the framework, applications that were ported to it include the Italian Immuni (source code under AGPL 3.0) and the Polish ProteGo Safe (source code under GPL 3.0). Another example is Covid Watch, which was one of the original supporters of TCN, but its application replaced TCN with the Exposure Notification framework in May 2020.
The Exposure Notification API solves one problem that many independent applications have encountered (the BlueTrace paper [PDF] describes the problem on page 7): on iOS, Bluetooth location measurement only works if the application is in the foreground. Since the French application does not use the API, the French government has asked Apple to allow background Bluetooth for other applications.
Applications and beyond
In this article, we explained the purpose of contact-tracing applications, the technology they use, and described the reasons they work this way. In the second article, which is coming soon, we will look deeper into some specific applications (that use existing frameworks or develop their own protocols). We will look at how they work, but also cover their open-source availability. Finally, we will consider the controversies and open questions about the deployment of these applications.
| Index entries for this article | |
|---|---|
| GuestArticles | Rybczynska, Marta |
Posted Jun 24, 2020 19:25 UTC (Wed)
by logang (subscriber, #127618)
[Link] (18 responses)
The apps will *always* have significant false positives and false negatives. For example, if I'm in my home, my neighbor may appear to be within 6 feet of me for a long duration even though we are actually separated by a wood wall; or if I'm at a restaurant with booths, or partitions between tables, I might be seen to infect the diner at the next table when in fact this isn't possible. Meanwhile, the person I'm dining with might not be able to use the app so they're not counted, or the server who is only in front of us for a minute at a time might not count depending on the policy that's chosen for infection time (which can never be accurately chosen).
The thing that really irks me is that some technological solutionists push these apps as if they are magic. If only the app had a 60% uptake, then it would be as good as a vaccine. This is clearly nonsense. Some are even mixing in the usual buzzwordy solutions: add an AI to warn people when it thinks that we shouldn't go out (even though we have nothing to train it with or evaluate its performance), or add "blockchain" to solve the privacy problem (even though it's well known that blockchain offers zero privacy protection).
What we should be doing is not focusing on the technology so much and instead focus on the people. Health authorities should publish guidelines that ask citizens to help with the contact tracing problem by, for example, keeping a diary of who they interact with and voluntarily sending their diary for the past two to three weeks in case of infection. People can do this with pen and paper, or we can add technology to help. For example, you could design an optional app that helps a user record their interactions and reminds them to fill in their diary at the end of the day. Such an app could then potentially add bluetooth contact tracing as an additional data source (i.e. it could let the user know it saw a contact at a certain time of the day and the user could then annotate who/what that might have been). Such a scheme has a much better chance of being effective and also gives citizens something to do to feel engaged. Of course not everyone is going to voluntarily do this, but the same can be said of installing a magic app, and people who don't have compatible hardware can still participate in some way. Moreover, the user will now know exactly what data they will be sending to the health authority, instead of some nebulous list of every other phone they might have been near at some point in time.
But it seems, instead, we live with the myth of magic technology where the world's problems can be solved simply by getting people to install an app on their phone and forget about it.
Posted Jun 24, 2020 21:24 UTC (Wed)
by kleptog (subscriber, #1183)
[Link] (11 responses)
Perfect is the enemy of good. The app does not have to be perfect to be effective. It's not going to replace standard contact tracing, it's going to help fill the gaps that cannot be done by human interaction.
You get a signal you have been in the neighbourhood of someone who had it, you go to the testing station, get the results at the end of the day. This is vastly simpler than asking people to keep diaries. Currently only 1 in 10 people who turn up during contact tracing actually test positive anyway. So this app makes it 1 in 20, big deal.
> keeping a diary of who they interact with and voluntarily sending their diary for the past two to three weeks in case of infection.
How is this going to help with the people sitting behind you in the bus/train? Or those near you in a movie theatre/concert? Unless you're planning to continually ask the names of every person that stands near you, it's pointless. And frankly, I'm not going to hand out my contact details to random people on the bus.
People don't need diaries to recall which people they know they were near the last few days. It's the people they don't know that are the problem being solved here.
Personally I think the uptake will be higher amongst people who take public transport daily. Even if only those people did it (maybe <10% of the population) that would cover a significant part of the problem.
For me, the stupidest part of this is how the apps won't be compatible with each other. In Europe where millions of people cross borders daily this is completely brain-dead.
Posted Jun 24, 2020 21:42 UTC (Wed)
by logang (subscriber, #127618)
[Link] (10 responses)
I think physical distancing and encouraging mask use in public is the better solution for random people on the bus, on the street or in a store. If it's not possible to keep distance in these situations then we need better policy to limit occupancy, etc.
Contact tracing allows us to go out in public and actually interact with people, as it is the real interactions that need tracing the most. Having a conversation with someone, face to face, with no mask (i.e. because you are eating or drinking) carries a far higher risk than being a few feet away from people in public while wearing a mask. And if you can remember every conversation you've had in the past three weeks, then great, you don't need a diary.
It also seems a bit contradictory that you won't hand out your contact information on a bus, but you advocate for letting an App do exactly that, or have an App tell a central authority about every interaction you have.
Posted Jun 24, 2020 23:28 UTC (Wed)
by iabervon (subscriber, #722)
[Link] (2 responses)
In particular, unless I choose to reveal my secret key: (a) nobody can contact me at all without me going looking for messages for me; (b) nobody can tell I'm the same person an hour later. Even if I reveal my secret key, nobody can tell who my contacts are, aside from each of my contacts being able to tell that they're one of them, and even they can't tell it was me unless they remember (and knew) who they were around at that time.
As far as whether it's beneficial: I haven't gotten tested at all, like 90% of the people in my state. I'm 99% sure that I haven't gotten infected more than 2 weeks ago, since I've got a bunch of housemates, and none of us have symptoms. There's unused capacity to test more people here, but we can't test everybody at once (for social distancing reasons, if nothing else). It would be useful if the system told 5000 people a day to get tested, even if only 5% of those tests came back positive, since we could easily test 5000 more people every day and our current positive rate is only 1.9%. It would be a somewhat more useful application of 5000 tests than each person randomly deciding to get tested one out of every 2000 days, even if our masks were 95% effective at making our contacts safe.
Posted Jun 25, 2020 19:53 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (1 responses)
I've been tested twice, been positive twice, and NEVER had any symptoms. So I don't think your logic is good ...
Cheers,
Posted Jun 25, 2020 21:56 UTC (Thu)
by iabervon (subscriber, #722)
[Link]
Posted Jun 25, 2020 4:05 UTC (Thu)
by marcH (subscriber, #57642)
[Link] (6 responses)
Right, and to lower the reproduction number we need every practical tool we can find for any sort of situation because there's no miracle cure yet. I realize this is an alien concept in today's very binary world.
> In my opinion we are a long way from "good"
"good" is anything that lowers the reproduction number - no matter by how little. This has been explained in pretty much every set of recommendations from any serious agency.
Compared to all the other, massive economic losses caused by the virus, the cost of these apps is negligible. So to describe them as "bad" you must prove that they have not just _zero_ impact on the reproduction number but also that they have serious issues like for instance security issues.
> you won't hand out your contact information on a bus, but you advocate for letting an App do exactly that, or have an App tell a central authority about every interaction you have.
Did you read the article?
Posted Jun 25, 2020 16:19 UTC (Thu)
by logang (subscriber, #127618)
[Link] (5 responses)
> "good" is anything that lowers the reproduction number - no matter by how little. This has been explained in pretty much every set of recommendations from any serious agency.
If this is how it was talked about by officials and in the media it would make a lot more sense to me, but it's not. It's usually discussed as an effective solution to the problem, not a tool that might help a little but might also be minimally effective. Other countries' apps are lauded as the reason they controlled the virus while ignoring everything else they are doing or the local conditions.
I'd also caution against assuming the net gain is positive. The efficacy is questionable and the hidden costs could be a lot higher than you think. For example, people could assume the app is more effective than it is and forgo physical distancing or mask wearing because of it. This would be highly detrimental. The way the technology is designed and presented goes against fostering civic behavior and instead undermines it with the promise of an easy, but less than effective, solution.
We also need to ensure we don't drown out or defund more effective sources of information like manual contact tracing and ensure testing bandwidth targets the reliable information before the more questionable sources. There may be random outbreaks that swamp the ability to test all the contacts and the first tests that get skipped must be the ones generated by the app.
Posted Jun 26, 2020 9:31 UTC (Fri)
by marcH (subscriber, #57642)
[Link] (4 responses)
Seems like a very broad generalization.
Granted: for a lot of "free" media "you are the product" so they're required to make sensational claims one way or the other to keep your attention (= the product). For more serious media and officials it seemed nowhere that bad to me.
> Other countries apps are lauded as the reason they controlled the virus while ignoring everything else they are doing or the local conditions.
I've read or heard a number of stupid things on this topic but never this one yet. Where was that?
> For example, people could assume the app is more effective than it is and forgo physical distancing or mask wearing because of it. This would be highly detrimental
This is the usual logic to diminish pretty much any safety measure and I bet it's verifiable in some cases. In this case however, contact tracing does absolutely nothing to protect you personally. It merely warns you that you might have been infected so you can voluntarily stop further infecting others.
This is similar to wearing a home-made mask BTW. Most people are aware they're meant to protect others, not themselves. Yet most people wear one where I live, even in places where they're not mandatory.
> We also need to ensure we don't drown out or defund more effective sources of information like manual contact tracing and ensure testing bandwidth targets the reliable information before the more questionable sources.
I don't have any numbers but I can't imagine the cost of operating this app being more than negligible compared to these other things that require manpower and/or "hardware". Again, none of these are mutually exclusive.
Posted Jun 26, 2020 12:45 UTC (Fri)
by pizza (subscriber, #46)
[Link] (3 responses)
You are fortunate to live amongst folks that take personal safety and social responsibility so seriously.
Here (Florida, USA) folks are protesting their right to "breathe the way God intended" (I wish I was making that up)
Anecdotally, I'd say under 10% of the folks I've encountered over the past week were wearing a mask.
Posted Jun 26, 2020 15:14 UTC (Fri)
by marcH (subscriber, #57642)
[Link]
If some parts of the USA had not been trying so hard to remove it from their education then it would have been easier to suppress this stupid and very immoral thought: natural selection.
Slightly less immoral and much more logical: how about a tough reality check?
> You are fortunate to live amongst folks that take personal safety and social responsibility so seriously.
One of the few things living here taught me: people outside the USA know it but vastly underestimate how diverse they are. Although the current president made that much more obvious, so maybe that perception has become more accurate.
Posted Jun 26, 2020 17:53 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (1 responses)
Compared to the US, pretty much all the rest of the world are commie socialists :-)
As I've said so often, there are three things humanity wants, personal freedom, the ability to be rich, and a caring society. Because the first one is codified in the US constitution, and these three are a "pick any two" situation, that means looking after others gets de-emphasised.
Because other countries don't have this, we find it much easier to emphasise looking after other people at the expense of some personal freedom.
Cheers,
Posted Jun 26, 2020 19:18 UTC (Fri)
by marcH (subscriber, #57642)
[Link]
I think you missed my point about how diverse the states and even the places are. BTW I recommend looking at these two maps side by side, the data is visually striking: 1. 2016 election per county, 2. population density per county.
The other fact often underestimated outside the US is how much autonomy the states have. COVID numbers and policies (including contact tracing apps!) are a great reminder of that.
I've met a number of Americans who moved purely because they didn't like the state they lived in.
Posted Jun 24, 2020 23:04 UTC (Wed)
by droundy (subscriber, #4559)
[Link]
It does have the downside mentioned in the article that iOS users have to keep it in the foreground.
Posted Jun 29, 2020 9:50 UTC (Mon)
by gdt (subscriber, #6284)
[Link]
Posted Jul 21, 2020 0:54 UTC (Tue)
by gerdesj (subscriber, #5446)
[Link] (3 responses)
I don't believe this. I have played around with iBeacons etc and the margin of error I found was at least five metres, probably more. Is the phone in your front or back pocket? Is it face to you or away? Left or right side? What sort of reflections/sinks are there near you? Are you wearing jeans or ... whatever.
BTLE was designed for advertising. As you shimmy into sight with your hipster phone into a shopping centre, the shops who paid enough would be allowed to dump shed loads of ads at you. Lovely.
Your phone with all of its incredible technology is absolutely useless for this use case.
Posted Jul 21, 2020 1:06 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Uhh... Whut? There's no way BTLE can be used to push ads.
Posted Jul 28, 2020 15:25 UTC (Tue)
by gioele (subscriber, #61675)
[Link] (1 responses)
> Uhh... Whut? There's no way BTLE can be used to push ads.
iBeacon, which is a class of BLE devices, was born exactly to 1) track phones and 2) push notifications to them. https://en.wikipedia.org/wiki/IBeacon https://medium.com/@the_manifest/a-beginners-guide-to-bea... At the beginning you needed to install a specific listener app to receive these push notifications, but that feature is now integrated in iOS and Android https://blog.beaconstac.com/2018/01/how-to-run-a-proximit....
It is technically incorrect to say that you can push ads (or any kind of notification) over BLE. But it is correct to say that BLE is a fundamental part of iBeacon, whose whole purpose is to send unsolicited notifications to your mobile phone, and that most BLE implementations in post-2018 mobile phones are iBeacon-enabled. Ergo, one can argue that BLE can be used to push ads.
Posted Jul 28, 2020 18:54 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Of course, you can install a specific listener app to get notifications. But why would anyone do that?
Posted Jun 25, 2020 4:33 UTC (Thu)
by alison (subscriber, #63752)
[Link] (4 responses)
Posted Jun 25, 2020 6:12 UTC (Thu)
by cyphar (subscriber, #110703)
[Link] (1 responses)
Posted Jun 25, 2020 13:56 UTC (Thu)
by alison (subscriber, #63752)
[Link]
"this global ID is never exchanged with peers (i.e. other phones) when registering the encounters, though it may be known by the server. Instead, the global ID is used as a seed to generate temporary IDs using a cryptographic hash function".
Unfortunately, there has never been a credible scheme to distribute certificates. Imagining car dealers or gas stations perform certificate redistribution boggles the mind. There was also contention about certificate revocation for fear of griefer cars or simple base stations reporting ghost road blockages or accidents.
Posted Jun 26, 2020 6:26 UTC (Fri)
by mrybczyn (subscriber, #81776)
[Link] (1 responses)
There are protections against false reporting, and they depend on the application itself. In some applications the verification of the test result is manual, for example. In others it got automated, for example by using codes that get delivered with the positive test result. We'll cover that in part 2.
Note also that in most of the applications you can remove your data from the phone and/or from the system.
Posted Jun 26, 2020 8:29 UTC (Fri)
by t-v (guest, #112111)
[Link]
Posted Jun 25, 2020 9:04 UTC (Thu)
by Karellen (subscriber, #67644)
[Link] (5 responses)
> Each user obtains a random global ID number [...] Since this is the global identification for the user, it reveals their identity.
What? How?
Or, what exactly do you mean by "it reveals their identity"?
Posted Jun 25, 2020 10:49 UTC (Thu)
by kleptog (subscriber, #1183)
[Link] (1 responses)
It's this sort of sloppy language that makes it so hard to have sensible discussions about privacy. It matters what has been revealed to whom.
Consider the statement "John from Connecticut living at house number 42 was at the beach last Tuesday". Is this violating anyone's privacy? Only if you have some database of people with locations that allows you to identify the person. But suppose it matches 50 people, have you compromised the privacy of those 50 people a little bit?
If one department of the government has such a database of names, but the statement is given to another department, have you revealed something to "the government"? Surely it's only revealed if the information is combined. Is the fact that they *could* combine the information but *don't* relevant here? Is the fact it refers to last Tuesday different from it referring to now?
There is a shitload of nuance here that doesn't really get discussed, and the language people use is very black and white. Social media / the news cycle doesn't like nuance because it doesn't score points. But only by better describing what we mean by privacy can we actually discuss what the suitable trade-offs are.
Posted Jun 26, 2020 6:42 UTC (Fri)
by mrybczyn (subscriber, #81776)
[Link]
Posted Jun 26, 2020 6:33 UTC (Fri)
by mrybczyn (subscriber, #81776)
[Link] (2 responses)
This is usually a random value taken from the random pool of the device or server generating it.
In a centralized system this number is linked to some information about the user; for example, in the Singaporean application, the central server stores the phone numbers of the users with their global IDs.
In the decentralized systems it is mostly just kept on your phone and published only if you get infected.
Posted Jun 26, 2020 11:24 UTC (Fri)
by kleptog (subscriber, #1183)
[Link]
Posted Jun 26, 2020 18:32 UTC (Fri)
by Karellen (subscriber, #67644)
[Link]
> In centralized system this number is linked to some information about the user,
But in the centralized case, doesn't the central server already know who you are? If so, how does a random number that's been assigned to you "reveal your identity" to any entity who didn't already know who you were?
> In the decentralized systems it is mostly just kept on your phone and published only if you get infected.
...so how would this random number "reveal your identity" in any way that wouldn't be revealed anyway?
I'm still not understanding the privacy leak here. Sorry, I'm honestly not trying to be snarky or anything, I just feel like I must be missing something really big and obvious.