
In a bold and ambitious collaboration, Apple and Google are developing a smartphone platform that tries to track the spread of the novel coronavirus at scale and at the same time preserve the privacy of iOS and Android users who opt in to it.

The cross-platform system will use the proximity capabilities built into Bluetooth Low Energy transmissions to track the physical contacts of participating phone users. If a user later tests positive for COVID-19, the disease caused by the coronavirus, she can choose to enter the result into a health department-approved app. The app will then contact all other participating phone users who have recently come within six or so feet of her.

The system, which Google and Apple described here and here respectively, applies a technological approach to what's known as contact tracing, or the practice of figuring out everyone an infected individual has recently been in contact with. A recently published study by a group of Oxford researchers suggested that the novel coronavirus is too infectious for contact tracing to work well using traditional methods. The researchers proposed using smartphones, since they're nearly ubiquitous, don't rely on the faulty memories of people who have been infected, and can track a nearly unlimited number of contacts among other participating users.

Mitigating the worst

But while mobile-based contact tracing may be more effective, it also poses a serious threat to individual privacy, since it opens the door to central databases that track the movements and social interactions of potentially millions, and possibly billions, of people. The platform Apple and Google are developing uses an innovative cryptographic scheme that aims to allow contact tracing to work at scale without posing a risk to the privacy of those who opt into the system.

Privacy advocates—with at least one notable exception—mostly gave the system a qualified approval, saying that while the scheme removed some of the most immediate threats, it may still be open to abuse.

“To their credit, Apple and Google have announced an approach that appears to mitigate the worst privacy and centralization risks, but there is still room for improvement,” Jennifer Granick, surveillance and cybersecurity counsel for the American Civil Liberties Union, wrote in a statement. “We will remain vigilant moving forward to make sure any contact tracing app remains voluntary and decentralized, and used only for public health purposes and only for the duration of this pandemic.”

Unlike traditional contact tracing, the phone platform doesn't collect names, locations, or other identifying information. Instead, when two or more users opting into the system come into physical contact, their phones use BLE to swap anonymous identifier beacons. The identifiers—which in technical jargon are known as rolling proximity identifiers—change roughly every 15 minutes to prevent wireless tracking of a device.

As the users move about and come into proximity with others, their phones continue to exchange these anonymous identifiers. Periodically, the users devices will also download broadcast beacon identifiers of anyone who has tested positive for COVID-19 and has been in the same local region.

In the event someone reports to the system that she has tested positive, her phone will contact a central server and upload identifiers of all the users she has come into contact with over the last 14 days. The server then pushes a notification to the affected users.

The following two slides help illustrate at a high level how the system works.

[Two slides, credit Google, not reproduced here.]

Apple and Google are providing other assurances, including:

  • Explicit user consent required
  • Doesn't collect personally identifiable information or user location data
  • List of people you've been in contact with never leaves your phone
  • People who test positive are not identified to other users, Google or Apple
  • Will only be used for contact tracing by public health authorities for COVID-19 pandemic management
  • Doesn't matter if you have an Android phone or an iPhone—works across both

How it works (in theory)

Jon Callas, a cryptography expert and senior technology fellow at the ACLU, told me that the scheme is similar to the way raffle tickets work, with one party getting half of a paper ticket, the other party getting the other half, and—in theory at least—no one else being the wiser. When two phone users come into physical proximity, their BLE transmitters exchange tickets. Callas said that a similar COVID-19 tracking scheme known as Pan-European Privacy-Preserving Proximity Tracing appears to work roughly the same way.

“I keep a list of all the tickets I have,” he said. “If Alice tests positive, she releases her tickets and if ones that I have match, I know I had a contact with a positive person.” Callas went on to caution that ambiguities in the flow of both the Apple-Google platform and Pan-European Privacy-Preserving Proximity Tracing leave open the possibility of abuse, because it's not yet clear which parties get access to which tickets.

“If Alice releases the tickets she sent and the ones she received, she's outing the people who were near her,” he said.

Callas said he was involved in development of a third tracking scheme known as PACT, short for Private Automatic Contact Tracing. By contrast, he said, it has assurances that parties can only release sent tickets.

Begging to differ

Moxie Marlinspike, a hacker and developer who has both broken advanced crypto schemes and built them, was among the most vocal critics of the scheme as laid out. In a Twitter thread that analyzed the way the APIs and cryptography interacted, he raised serious doubts about the plan.

"So first obvious caveat is that this is 'private' (or at least not worse than BTLE), *until* the moment you test positive," he wrote in one tweet. "At that point all of your BTLE mac addrs [BLE MAC addresses] over the previous period become linkable. Why do they change to begin with? Because tracking is already a problem."

So it takes BTLE privacy a ~step back. I don't see why all of the existing beacon tracking tech wouldn't incorporate this into their stacks.

At that point adtech (at minimum) probably knows who you are, where you've been, and that you are covid+.

— Moxie Marlinspike (@moxie) April 10, 2020

Marlinspike, who is the creator of the Signal encrypted messenger app and the CEO of the company that stewards it, said the next weakness is the amount of data that might have to be transmitted to user phones:

Second caveat is that it seems likely location data would have to be combined with what the device framework gives you.

Published keys are 16 bytes, one for each day. If moderate numbers of smartphone users are infected in any given week, that's 100s of MBs for all phones to DL
That seems untenable. So to be usable, published keys would likely need to be delivered in a more 'targeted' way, which probably means… location data.

— Moxie Marlinspike (@moxie) April 10, 2020
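To make the flow concrete, here is an added simulation written for this article; it is not Apple's or Google's code and does not follow their published specification. It models the scheme as described above: each phone keeps a per-day key, derives a fresh identifier from it every 15 minutes, remembers identifiers it hears over BLE without ever uploading them, and, when its user reports positive, releases only her own daily keys (Callas's "sent tickets," never the received ones). Other phones re-derive the identifiers those keys could have produced and match them locally. The 16-byte key size, the HMAC-based derivation and the 96-interval day are assumptions chosen for the model. The `linked_identifiers` helper shows the linkability Marlinspike describes: once a day key is published, every identifier it generated that day can be tied together by anyone holding the key.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

# Model parameters (assumptions for this illustration, not the real spec):
# one 16-byte key per device per day, one identifier per 15-minute interval.
KEY_BYTES = 16
RPI_BYTES = 16
INTERVALS_PER_DAY = 96  # 24 h / 15 min


def derive_rpi(daily_key: bytes, interval: int) -> bytes:
    """Rolling proximity identifier broadcast during one 15-minute interval.

    HMAC-SHA256 truncated to 16 bytes stands in for the real derivation.
    The property that matters: without daily_key, successive identifiers
    look unrelated, so a passive listener cannot follow one device.
    """
    msg = struct.pack(">I", interval)
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:RPI_BYTES]


@dataclass
class Phone:
    name: str
    daily_keys: dict = field(default_factory=dict)  # day -> 16-byte key
    observed: set = field(default_factory=set)      # RPIs heard; stays on device

    def key_for_day(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = os.urandom(KEY_BYTES)
        return self.daily_keys[day]

    def beacon(self, day: int, interval: int) -> bytes:
        return derive_rpi(self.key_for_day(day), interval)

    def hear(self, rpi: bytes) -> None:
        self.observed.add(rpi)

    def report_positive(self, days) -> dict:
        """Release only the keys this phone *sent* with, not what it heard."""
        return {d: self.daily_keys[d] for d in days if d in self.daily_keys}

    def check_exposure(self, published: dict) -> set:
        """On-device matching: re-derive every RPI a published key could have
        produced and intersect with what this phone observed."""
        matches = set()
        for day, key in published.items():
            for i in range(INTERVALS_PER_DAY):
                if derive_rpi(key, i) in self.observed:
                    matches.add((day, i))
        return matches


def contact(a: Phone, b: Phone, day: int, interval: int) -> None:
    """Two phones within BLE range swap the identifiers for this interval."""
    a.hear(b.beacon(day, interval))
    b.hear(a.beacon(day, interval))


def linked_identifiers(daily_key: bytes) -> list:
    """Everything a published day key ties together: all 96 RPIs of that day."""
    return [derive_rpi(daily_key, i) for i in range(INTERVALS_PER_DAY)]


def simulate() -> dict:
    """Constructed scenario: Alice meets Bob; Bob later meets Carol; Alice
    reports positive and publishes her keys for the last 14 days."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    contact(alice, bob, day=3, interval=40)
    contact(bob, carol, day=3, interval=41)
    published = alice.report_positive(days=range(14))
    return {
        "bob": bob.check_exposure(published),       # expected {(3, 40)}
        "carol": carol.check_exposure(published),   # expected set(): no contact
        "keys_published": len(published),           # only the day Alice was active
    }


if __name__ == "__main__":
    print(simulate())
```

Bob learns only that he was near a positive user on day 3, interval 40; Carol, who never met Alice, matches nothing, and Bob's own list of heard identifiers never left his phone. The cost of that design is visible in `linked_identifiers`: the same published key that lets Bob match also lets any listener who logged Alice's beacons that day stitch them into one track.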

Another possible weakness: trolls can frequent certain areas and then report a false infection, leading large numbers of people to think they may have been exposed. A variation is relaying BLE IDs collected from a hospital or other targeted area.

Technologist and privacy advocate Ashkan Soltani provided additional privacy critiques in this Twitter thread:

In my opinion – these types of data are poor proxies for the ground truth we really seek: actual #COVID19 infection rates — which can only be truly known by widespread testing. If we had testing in place, it would make the need to pursue these privacy-invasive techniques moot

— ashkan soltani (@ashk4n)

Source: Ars Technica. Original title: "Apple and Google detail bold and ambitious plan to track COVID-19 at scale."