Unified research on privacy-preserving contact tracing and exposure notification

The probability of transmitting the virus, but this has not been properly measured.

Q: What would it take for contact tracers to consider bluetooth contact tracing more than a speculative technology? What should an app developer be able to show?

See questions from contact tracers in the section below

Q: How accurate would the distance and duration of contact measures need to be? Can you put a number on this, a guess or a max?

Some jurisdictions are using “15 minutes face to face” as a heuristic, less than that would be a casual contact

Q: If an app user is alerted that they’ve had significant contact with someone who tested positive for COVID-19 during their infectious incubation period, what anonymous automated messages should we send them?

From Covid Watch: Our privacy-preserving system is designed to alert people early who could *choose* to call their public health agencies, not for contact tracers to track them down directly. We’d like to know what automated messages are best to send in this case. What do we instruct people to do? Currently: Call this # to inquire about testing, start wearing a mask outside, and self-isolate. [a][b]

Questions that Contact Tracers have for App Developers

Q: from one jurisdiction’s public health officials: can you reliably identify close contacts for us? Not just the same cafe or restaurant, but who was actually close to the patient for some time?

Covid Watch Response: Yes, using bluetooth, we have a notion of both duration of contact and proximity, accurate possibly to 1-2 meters.[c]

GPS: see the section on types and sources of data below.

Q: What percentage of the population have to be using this for us to have a high expectation of finding close contacts?

The answer depends on many variables, such as how accurate each phone’s sensors are, how good the user interface on the app is, on adoption among laboratories and health authorities that are doing testing. In one simulation that varies across these variables: if an app needs to be installed on both user’s phones at the time of exposure, at least 50-70% of users should have it to make a significant difference. For apps that can use retrospective data for diagnosed patients, impact might be seen from 30-40% penetration.

Q: What percentage of the population have to be using a Contact Tracing App in order to effectively contain the outbreak ?

According to Monte Carlo simulations for a Bluetooth contact tracing approach effective damping of the epidemics outbreak occurs with an overall efficiency of 60-70% (see Fig.6). This overall efficiency parameter considers users adhesions and other technical aspects (e.g. smartphones or bluetooth shutdown).

Questions that App Developers have for other App Developers

* [iOS] How are app developers going to continuously background scan and record specific BLE advertisements while a potential tracer app runs in background mode on Apple iOS? To my knowledge, iOS effectively prevents exactly this scenario for battery reasons. (I am aware of implementations from around 2013, however, things have massively changed since then.) I have heard suggestions that Apple can grant special Entitlements to allow third-party apps using APIs which are also used by “Find my”, so that effectively BLE Proximity Tracing can be implemented without the need for an iOS update – but none has been confirmed, yet.[d][e][f]

Notes on types & sources of data

Around the world, various initiatives are exploring or using the following types of data:

* Cell tower triangulation (not particularly accurate, but may be sufficient for correlational uses such as recognizing users who are in the same vehicle)

* Assisted GPS (accurate enough to put people in specific buildings, but with a fairly high error rate unless there’s lots of time average)

* IP addresses -- complicated, but correspond to street addresses for devices that are using residential WiFi networks

* WiFi triangulation (improves on assisted GPS -- accurate enough to often, but not always, place people in specific businesses)

* Wifi proximity estimation (accurate on its own to within 2.5 - 3m 90% of the time, perhaps 1.5m on average)

* Bluetooth proximity (seems to be accurate to within 1-2m?)

* Apple and Google will be shipping an API to use this method in mid-May 2020

* A September 2020 evaluation of this API’s ability to sense proximity.

* Previous notes:

* Both Covid Watch and TraceTogether have encountered difficulties in interworking between Android and iOS. Covid Watch resolved this issue and partially resolved the iOS-iOS issues. More Info

* Audio proximity [g][h](cf google nearby but tbd whether there’s a way to do this in the background)[i][j][k][l]

* Hybrids of the above[m][n][o]

* Eg: IOS and Android default location system [which is a hybrid of cell tower, assisted GPS and WiFi triangulation?]

* The fact that various troves of mobile location data are already sitting around in various places (eg Google Maps Timeline, or where it’s been gathered by apps with varying levels of user awareness) makes it enticing, because it allows apps to do some amount of retrospective tracing at the time they are installed or activated and thereby considerably reduces the number of users the app needs to be effective.

* Precise locational check-ins, e.g., via QR code

* Some human contact tracing efforts turn to previously installed surveillance equipment to identify unknown contacts, such as:

* Video surveillance footage

* Facial recognition systems

* Potentially, previously installed IMSI catchers / cell site simulators could be used for this purpose too [though there are no reports of their use for public health purposes?]

* Korea’s tracing operation is a relatively extreme example of reliance on surveillance methods

* In general most privacy groups discourage the deployment of the above systems under most circumstances

Notes on Privacy Preservation[p]

“Anonymization” or “de-identification” of a mobile (eg GPS) location history is difficult to do correctly. Given the weak epidemiological case for this kind of data at present (at least until testing latency is down to hours, not days) we would presently advise apps for most purposes not to try to collect GPS location for automated contact matching[q][r].

(Note 2020-03-30: one location expert at a tech company told us that they think that in some cases the combination of GPS+WiFi might be accurate enough to identify close contacts, because reflections that increase lat/long error don’t necessarily impact proximity measurements to the same degree-- both devices may observe similar reflections. This may be especially true on higher end devices that shipped in the last 2-3 years)[s][t]

For apps that are trying to do it anyway, we recommend reaching out to cryptographic privacy experts (openmined.org for instance has a team available to help other projects) to ensure that de-identification processes are secure[u].

Colm MacCárthaigh, who works on cryptography and privacy at Amazon, has written up a cryptographic sketch of how to do minimally disclosing contact identification using GPS/SSID location matching. The scheme avoids sharing any searchable location data and records only “pairings” of people being in the same place at the same time (to any degree of fidelity of place or time that is needed[v]).

Bluetooth and similar proximity based tracing methods (as opposed to using cell phone tower locations to triangulate or otherwise locate a phone) have been identified as the most likely to produce effective warnings to exposed individuals without extremely high false positive rates[w][x][y][z][aa][ab][ac][ad] (which are inherently harmful). However, because they cannot be correlated against any location data, they need to be enabled on a significant fraction of devices before this provides a high likelihood of tracing contacts.[ae][af][ag][ah][ai][aj][ak]

* Apps that are being deployed for bluetooth contact tracing are using a range of cryptographic identity protections. Singapore’s TraceTogether app, for instance, has rotating encrypted IDs that are controlled server-side, so the government’s server can decrypt IDs for and notify exposed individuals. This is a reasonably good level of privacy protection, but stronger models are also available.

Decentralized Bluetooth protocols like those developed at Covid Watch and CoEpi in early March, now under the TCN coalition umbrella, are the standard for privacy-preservation. Similar protocols that preserve-privacy were also later developed by DP3T, PACT (Washington), and PACT (Ron Rivest). These are also likely functionally the same in terms of privacy protection as the APIs to be released by Google/Apple in May, given that Google/Apple open source their implementation and it is found to be in accordance with the specs.

In terms of privacy protection, the best case scenario is: decentralized Bluetooth-only like TCN, PACT, DP3T, and the upcoming Google/Apple APIs. Worse: decentralized Bluetooth plus GPS data handed to contact tracers (like the MIT SafePaths model). Even worse: centralized Bluetooth (like Singapore, and what Australia is considering).

Apple’s built-in Find My app is an example of a similar but stronger privacy model: it uses bluetooth to detect nearby devices, but does so without Apple ever knowing which devices were near each other.

Another approach based on asymmetric encryption was proposed by Proximity. Daily asymmetric encrypted strings (phone number, timestamp, contact duration) in a decentralized system.

The Covid Watch project is working on an open source library in addition to their own app. This library can be included in many apps and offers similar levels of anonymit