Contact Tracing

Tracing your contacts with others

Privacy

Many are greatly concerned about Big Brother watching and law enforcers using the information for their own purposes. Users usually fall into one of two camps.
One group may claim they have nothing to hide. They are wrong - would they reveal all their passwords to a third party?
The other opposes any form of intrusion and objects to enforcers or other unauthorised parties gaining access to encrypted data via a back-door or any other method.
Fortunately, encryption with perfect forward secrecy is uncrackable in any useful period of time, as the keys are transient and only used once.

Where long-lived keys are stored somewhere, they can be passed on to authorities, allowing data to be decrypted later. A typical example: Apple claim that they cannot decrypt users' phones, which is true, as the key is embedded in the phone's Secure Enclave chip and cannot be read out; but phone backups stored at Apple are protected by Apple's key, which authorities can request.

The catch-22 in the time of Coronavirus is that, while knowing patient identity is essential for limiting further transmission, once tracking is allowed it may be impossible to later revoke or opt out.

A Private Solution

Google and Apple between them have announced a solution for Android and Apple phones which is expected to be available as an API update to all their phones in May 2020. It will be up to government medical services to write a tracing app and to get access to that part of the API. Both companies have indicated that they are planning to write such an app themselves.

Rather than passing personal contact data to authorities, it advises the users themselves if they have been within range of an infected person. Neither person, nor anyone who has been within range of them, can learn the identity of the other or of anyone else. Authorities only get involved once transmission and infection have occurred. Thus the bulk of the data remains private to each user, and authorities only see those confirmed infected and their possible contacts.

Google Maps Timeline

This is another service that is very useful and semi-private: it remembers locations visited, the times, and the distance travelled. It can also be shared with others you trust, such as a partner. The author found this very useful to see each other as a dot on a map while in malls or when visiting unfamiliar towns. It has also helped avoid speed camera fines, when one can prove, by checking the timeline at a later date, that at the time of the alleged offence you were somewhere else. (It's often very difficult to remember this even a few days later and next to impossible after a month when the ticket arrives. This happens a lot more often than you know.) Google also allows deletion of one's history after a period.

How it works

Each phone generates a permanent, unique and private key at random to serve as the phone's identity. The key space is so large (2^256) that a collision (two phones with the same key) will never occur, and the key is never revealed. This key is used to create smaller daily keys, and from them tracing numbers (tokens) every 10 minutes, each with a time stamp. Each phone captures and saves the tokens of every other phone coming within a preset Bluetooth range and time, typically 2 metres and a few minutes. No external storage of the token occurs at that point; it remains private to each phone, and tokens older than a period, typically 21 days, are deleted. Thus phone storage requirements are small, about 40 tokens per megabyte. For most people, after 21 days this would amount to a single photo.

If some official were to examine your phone, these tokens are no more useful than disclosing what lotto numbers you picked in previous draws, other than showing you bought a ticket, i.e. you came in contact with another, unknown phone. (Not quite: Lotto themselves have the numbers recorded so they know the winners, and can prove that the ticket is valid along with the outlet and the time of sale. In the case of a lost ticket the EFTPOS transactions might also identify the owner's bank account.) In the case of the tokens, no one else knows them or can identify the source phone.

For a full security analysis refer to Security Now podcast #762, "Contact Tracing", also available at GRC.com, iTunes and YouTube.

How does this help with tracing

When a person feels unwell and/or tests positive for infection or antibodies, they become registered with the authorities and must then upload the captured tokens to an official server via the app. There would likely be a legal requirement to do this, possibly as a condition of treatment. Everyone confirmed as infected has their recorded tokens made public on the official website. The tokens are still useless without the phone they actually came from: only the phone that generated a token can identify it, so privacy is maintained. (i.e. Someone in NZ won Lotto, but only that person and the Lotteries Commission know who, while everyone knows the numbers [the token].)

Periodically (daily?) all phones with the app check the official server for any published tokens. Because each token was derived from the phone's unique private ID key, only the originating phone can recognise it. If a match is found, the originating phone will immediately warn its owner that they have been in close contact with a now registered and infected person, and can calculate the date and time it occurred from the token; this is now known as an exposure notification. At this point they need to immediately self-isolate, contact the authorities and arrange for testing. When such a match occurs, it may be that their phone number and details saved in the app are automatically uploaded, so they can then be identified and contacted by medical personnel. Only then will the authorities know their identity, along with that of all other phone owners who have also been in contact and who are now suspected of infection and must be tested.
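To make the key and token scheme described above concrete, here is an added Python sketch; it is not Google's or Apple's code, and the derivation labels, key sizes and constants are assumptions modelled on this page's description. Each phone derives daily keys from its permanent key and 10-minute tokens from the daily key, keeps the tokens it overhears for 21 days, uploads only those captured tokens on infection, and when checking a published list only the originating phone can recognise its own tokens and recover the time slot of the contact.

```python
import hashlib
import hmac
import os

DAY = 86400
INTERVAL = 600        # a fresh token every 10 minutes
RETENTION_DAYS = 21   # captured tokens older than this are deleted

def derive_daily_key(master_key: bytes, day: int) -> bytes:
    # One-way: the daily key reveals nothing about the permanent key.
    # The "daily-key" label is an assumption for this sketch, not the real API's.
    return hmac.new(master_key, b"daily-key" + day.to_bytes(4, "big"),
                    hashlib.sha256).digest()[:16]

def derive_token(daily_key: bytes, interval: int) -> bytes:
    # interval = unix_time // 600; the token is what the phone broadcasts over Bluetooth.
    return hmac.new(daily_key, b"token" + interval.to_bytes(4, "big"),
                    hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.master_key = os.urandom(32)  # 256-bit identity, never leaves the phone
        self.seen = {}                    # token overheard -> unix time it was captured

    def current_token(self, now: int) -> bytes:
        return derive_token(derive_daily_key(self.master_key, now // DAY),
                            now // INTERVAL)

    def record_contact(self, token: bytes, now: int) -> None:
        self.seen[token] = now

    def prune(self, now: int) -> None:
        cutoff = now - RETENTION_DAYS * DAY
        self.seen = {t: ts for t, ts in self.seen.items() if ts >= cutoff}

    def upload_contacts(self) -> list:
        # Only on confirmed infection; the master key itself is never uploaded.
        return list(self.seen)

    def check_exposures(self, published: set, now: int) -> list:
        # Regenerate this phone's own tokens for the retention window and look for them
        # in the published list; a hit also pins down the 10-minute slot of the contact.
        hits = []
        for day in range(now // DAY - RETENTION_DAYS, now // DAY + 1):
            daily_key = derive_daily_key(self.master_key, day)
            for interval in range(day * DAY // INTERVAL, (day + 1) * DAY // INTERVAL):
                if derive_token(daily_key, interval) in published:
                    hits.append(interval * INTERVAL)   # start of the slot, unix time
        return hits
```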

Weaknesses

  • While highly unlikely, it's theoretically possible for the smaller tracing numbers to be duplicated, which could result in a false positive. It's not a real issue as they only exist for 14 days.
  • It requires the co-operation of the users themselves.
  • Everyone must carry their phone when venturing outside their bubble and, of course, install the official app with Bluetooth enabled.
  • A person may be suffering from the flu, or even be healthy, and report an infection. However, to avoid cry-wolf attempts, authorities would only make that owner's uploaded tokens public after confirmation of a genuine case, and possibly apply penalties similar to those for falsely dialling 111.
  • Affected users lose their privacy once a reportable event occurs. It is a medical issue though, and subject to confidentiality.
  • An infected person may decide to ignore their symptoms and rely on random testing, or just be asymptomatic.

Pluses and Minuses

  • - People won't load the app.
    This could be discouraged by offering either incentives or penalties, e.g. free public transport, receipt of a cash incentive, queue priority when shopping, etc. Large retailers or bank ATMs might require tokens to be emitting at a turnstile for entry, or even capture them for later store tracing. The tokens themselves are still of no use until someone generates an infection alert.
  • + Those receiving a tracing match could get different alert levels as appropriate, e.g. a person reports sick but the cause is unknown, and those getting alerts can be advised to just self-isolate pending further confirmation.
  • + Health authorities are not overwhelmed with contact tokens.
    They only get data on infected users and those who have been in contact with them, or on those who may be vulnerable and their contacts.
  • + It is expected that only approved organisations will be able to access the phone API and write apps, which Google or Apple must approve before publishing them on their respective stores. Thus no fake sites or apps are possible. Not that the tokens are of use, but a person who registers on a fake one as infected might be vulnerable to fraudulent offers and cures.
  • + Connections by apps to organisations sites would likely require use of a public key in the app so only the approved app can connect to the official site.
  • + Organisations might not accept token uploads until they send you a net-code or you scan a QR code, to further prevent cry-wolf attempts.
  • - Organisations must still carry out random testing to catch asymptomatic people. Any found though could then upload their tokens for publishing and so on.
  • + Users should welcome the knowledge of finding out if they are at risk of infection.
  • - It is not possible to force people to always carry their phone when out.
  • - Many don't yet have a phone.
  • - Increased phone battery drain may affect some. (If Bluetooth Low Energy is used it would be minimal.)
  • + It's possible that the API might always enable Bluetooth in countries that have official apps available, and contact tokens could be exchanged even if no app was installed. These tokens could then be checked later when the app is installed.
  • - The official app proposed for NZ may not use this API, in which case there will likely be no provable way such an app is genuinely private and users will need to make up their own minds in whether to trust any such claims.
  • - A tracing app alone is not enough. Using the app is no guarantee of anything. It is subject to many false positives, such as close Bluetooth proximity to a neighbour through the wall, or someone in the next aisle of a supermarket. However, the ability to identify all those possibly infected and test them is a huge advantage in reducing R0 to manageable numbers, and that is currently the only possible option other than lock-down.
  • + The Bluetooth system developed by Apple and Google has been enhanced to reduce false positives:
    Exposure time is now tracked in five minute intervals, with the maximum reported exposure time capped at 30 minutes.
    The API will now include information about the power level of the Bluetooth signal in the data that is exchanged between phones. This can be used in conjunction with the RSSI ("Received Signal Strength Indication") to more accurately estimate the distance between two phones when contact was made.

The NZ App

This currently does not use Bluetooth at all, but it is expected to be added in time, probably when phones are officially updated with the new API. For now it just allows one to locally record the details and time one enters a premises, by recording the information in a QR code that the business displays. This is similar to the Google location tracker, but it identifies the business more accurately than GPS location alone would, which tends to be unreliable indoors where the signal is weak. Using them both together is probably a good idea.

CNBC Video

This 14 minute video covers much of the above and compares the various tracing systems used in various countries, some of which are very intrusive.
Google-and-apple-partner-to-fight-coronavirus-with-contact-tracing.html