privacy-preserving proximity tracing · decentralized proximity tracing provides high privacy...

Post on 05-Aug-2020


Technological solutions to combat COVID-19

Decentralised Privacy-Preserving Proximity Tracing

Prof. Carmela Troncoso EPFL, Switzerland

Security and Privacy Engineering Laboratory, 27 May 2020

Outline

• Digital proximity tracing (Digital support for Manual contact tracing)

• Decentralised proximity tracing

• Exposure Estimation (Notify When Needed)

• Other proximity tracing architectures


Why proximity tracing? Supporting the containment strategy for COVID-19

TTIQ Strategy

Figure: timeline of an infection. The person is Infected (no symptoms; pre-symptomatic transmission), then Contagious and symptomatic, then Tested and Isolated (“easy” to implement, stops spread). Tracing identifies the contacts who were exposed, and they are asked to Quarantine.

Manual Contact Tracing

Effective contact tracing is an important cornerstone of the TTIQ strategy.

Goal: Identify individuals who have been exposed to an infected person during the contagious window.

Figure: health authority, infected individual and their contacts:

1) Positive test result

2) Reconstruct list of contacts

3) Ask to quarantine

Figure: some contacts made during the contagious period are missed.

Problems: Manual interviews are slow and resource intensive. Contact lists are often incomplete because of contacts with strangers or because patients cannot recall all their contacts over the last two weeks.

Decentralized Privacy-preserving Proximity Tracing

A digital complement to Manual Contact Tracing

How it works - Installation

Figure: phone A holds the day's secret key and the random identifiers derived from it (Iu&^#&980, kbdf4933&, Jhbd**@65, ...).

The app creates a new secret key every day and from this key derives random identifiers that it broadcasts via Bluetooth.

A random identifier is used only for a limited amount of time.

Without the key, no one can link two identifiers.

How it works - Walking around

When a phone with the app hears a random identifier from a nearby app, it records having seen that number.

Figure: phones A, B and C, each with its own list of seen numbers:

A is nearby B: records B’s number

B is nearby A and C: records A’s and C’s numbers

C is nearby B: records B’s number

How it works - Upon positive diagnosis

When a user is diagnosed positive, if they consent, they upload their keys (their numbers)

These numbers:

- Are not related to A’s identity

- Are not related to the locations A visited

- Are not related to other people A has interacted with or has seen


How it works - Proximity tracing

All phones download the latest COVID-positive numbers and check whether they have been exposed.

Each phone checks internally:

- Whether it has seen any of the numbers

- Whether the exposure to these numbers has been long and close enough (Mathias will explain in a minute)

- If yes, show a notification to the user

Figure: phones B and C compare the downloaded numbers (Iu&^#&980, kbdf4933&, Jhbd**@65, ...) against their lists of seen numbers.
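To make the four steps above (installation, walking around, positive diagnosis, proximity tracing) concrete, here is an added example in Python; it is not the DP-3T project's or SwissCovid's code. The HMAC-SHA256 derivation, the 16-byte identifier length and the 96 slots per day are assumptions chosen for illustration, not the protocol's parameters.

```python
import hashlib
import hmac
import os

# Added example, not the DP-3T project's code. The derivation is an illustrative
# construction (assumption): each identifier is HMAC-SHA256(day_key, "day:slot"),
# truncated to 16 bytes, with one slot per 15 minutes.
ID_LEN = 16
SLOTS_PER_DAY = 96


def new_daily_key() -> bytes:
    """A fresh random secret for the day; it stays on the phone unless uploaded."""
    return os.urandom(32)


def derive_identifiers(day_key: bytes, day: int) -> list[bytes]:
    """Derive the day's broadcast identifiers from the secret key.

    Without day_key the outputs look random, so an observer who hears two
    identifiers cannot tell whether they came from the same phone.
    """
    return [hmac.new(day_key, f"{day}:{slot}".encode(), hashlib.sha256).digest()[:ID_LEN]
            for slot in range(SLOTS_PER_DAY)]


class Phone:
    def __init__(self) -> None:
        self.keys: dict[int, bytes] = {}  # day -> secret key, kept on the phone
        self.seen: set[bytes] = set()     # identifiers heard from nearby phones

    def broadcast(self, day: int, slot: int) -> bytes:
        """Walking around: advertise this slot's identifier (creating today's key if needed)."""
        key = self.keys.setdefault(day, new_daily_key())
        return derive_identifiers(key, day)[slot]

    def hear(self, identifier: bytes) -> None:
        """Record a number heard nearby; no identity and no location is stored."""
        self.seen.add(identifier)

    def upload_keys(self) -> dict[int, bytes]:
        """Positive diagnosis, with consent: only the daily keys leave the phone."""
        return dict(self.keys)

    def count_matches(self, published: dict[int, bytes]) -> int:
        """Proximity tracing: re-derive identifiers from published keys and match locally."""
        return sum(1 for day, key in published.items()
                   for eph in derive_identifiers(key, day) if eph in self.seen)
```

Only the published daily keys reveal which identifiers belonged to the diagnosed phone; the matching phone never tells anyone what it saw.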

How it works - Notification

Example: SwissCovid (currently in pilot phase in Switzerland)

Security and Privacy

The only information that ever leaves the phone is the set of random numbers broadcast during the contagious period (no identity, no location, no information about others).

Can we be 100% sure no attack is possible? 100% security in practice is hard to guarantee!

Best practices throughout the process

Just a piece of the puzzle...

Figure: the pieces around the app: Energy consumption, Health system, Law, Societal impact, Epidemiology, Protocol (crypto), Mobile OS, Notification & risk exposure, Protection of the server and traffic, CDN secure usage, Authorization & integration in the health system, User experience & user acceptance, Wireless communication, HW constraints.

DP-3T is an interdisciplinary team (30+ researchers, 10 countries) with a wide variety of expertise: privacy, systems, cryptography, wireless security, SW security, requirements engineering, epidemiology, ethics, law.

Mobile OS: what about Google / Apple?

- Joint effort to support apps for contact tracing

- Why?
  - Apple: access to BLE in the background
  - Google: BLE interoperability
  - Efficient use of battery

- Main decision: DP3T-like protocol
  - Only COVID-positive numbers will leave the phone
  - Privacy-conscious!

- SwissCOVID runs over the Google/Apple Exposure Notification API

Interoperability: beyond borders

• What happens when users travel from one country to another?

• e.g., hundreds of thousands of workers commuting to Switzerland from Italy, France, or Germany

• How would residents be informed about potential risks originating from foreigners visiting the country?

• And how would residents be informed about visiting travelers being COVID positive?

Image from: https://www.laliberte.ch/news/archives/fait-du-jour/ces-frontaliers-qui-ont-trouve-l-eldorado-16716


Centralised architectures

• Envisioned approach:
  • Each country operates its own backend

• Users configure their application to receive notifications from countries that they travel to

• The homeland backend server of an infected user forwards the relevant data to the backend servers of the countries they recently traveled to

Image from: https://drive.google.com/file/d/1mGfE7rMKNmc51TG4ceE9PHEggN8rHOXk/edit


Exposure Estimation

Estimating exposure based on BLE advertisements

Why do we need exposure estimation?

Notifications should be sent to users who have been exposed to the virus for a prolonged time (more than 15 minutes). Given BLE signals, we need to estimate exposure. This does not require measuring distance precisely: we need to represent the current epidemiological parameters (within ~2m).

Approach: estimate the probability of being exposed to other users within 2m, given the attenuation of the BLE advertisements of COVID-positive users that have been observed

Pr[d < 2m | attenuation]

Correlation between attenuation and distance


Figure: Alan Bensky, “Wireless Positioning, Technologies and Applications”, Artech House, 2008

• Transmitter sends with transmission power “TX” (e.g., -15 dB)

• Receiver registers the signal with power “RSS” (e.g., -65 dB)

• Transmitter encodes its transmission power in the advertisement

• Attenuation: TX - RSS (e.g., -15 dB - (-65 dB) = 50 dB)

Estimating the probability d<2m


Static (LoS/NLoS) tests (up to 15 phones)

Dynamic (LoS/NLoS) controlled tests (real situations)

From exposure estimation to notification

ES = 1.0 * Tatt[<50] + 0.5 * Tatt[50..55]

Notify users if ES >= 15 (minutes)
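As an added worked example (not DP-3T's or the Google/Apple API's code), the attenuation definition and the scoring rule above in Python, run on constructed observations. It assumes each observation of a COVID-positive identifier is a (TX, RSS, minutes) triple and reads Tatt[<50] and Tatt[50..55] as the minutes observed below 50 dB and between 50 and 55 dB inclusive.

```python
# Added example, not DP-3T's or the Google/Apple API's code. Assumptions: each
# observation of a COVID-positive identifier is (tx_power_dB, rss_dB, minutes);
# Tatt[<50] is the time observed at attenuation below 50 dB and Tatt[50..55]
# the time between 50 and 55 dB inclusive, as read from the slide's formula.
from typing import Iterable, List, Tuple

Observation = Tuple[float, float, float]  # (TX power, RSS, duration in minutes)
NOTIFY_THRESHOLD_MIN = 15.0


def attenuation(tx_power_db: float, rss_db: float) -> float:
    """Attenuation as defined on the slide: TX - RSS (e.g. -15 - (-65) = 50)."""
    return tx_power_db - rss_db


def exposure_score(observations: Iterable[Observation]) -> float:
    """ES = 1.0 * Tatt[<50] + 0.5 * Tatt[50..55].

    Time at attenuation above 55 dB is not in the formula and contributes
    nothing, so a long but distant co-presence does not trigger a notification.
    """
    t_close = 0.0  # minutes at attenuation < 50 dB
    t_mid = 0.0    # minutes at 50 dB <= attenuation <= 55 dB (edge inclusive: assumption)
    for tx, rss, minutes in observations:
        att = attenuation(tx, rss)
        if att < 50:
            t_close += minutes
        elif att <= 55:
            t_mid += minutes
    return 1.0 * t_close + 0.5 * t_mid


def should_notify(observations: Iterable[Observation]) -> bool:
    """Notify when the exposure score reaches 15 (minutes)."""
    return exposure_score(observations) >= NOTIFY_THRESHOLD_MIN


# Constructed samples: one day's matched observations for one COVID-positive user.
CLOSE_CONTACT: List[Observation] = [(-15, -60, 10.0),   # 45 dB -> counts fully
                                    (-15, -68, 12.0),   # 53 dB -> counts half
                                    (-15, -80, 30.0)]   # 65 dB -> ignored
DISTANT_CONTACT: List[Observation] = [(-15, -68, 20.0),  # 53 dB -> 10 minutes of ES
                                      (-15, -75, 60.0)]  # 60 dB -> ignored
```

CLOSE_CONTACT scores 10 + 6 = 16 and is notified although only 22 minutes were spent within the counted buckets; DISTANT_CONTACT scores 10 and is not, despite 80 minutes of co-presence.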

Challenge: estimation on Google/Apple API

Juggling imprecision of exposure estimation

• Different devices introduce noise -> Calibration

• Variations in implementations introduce noise -> Testing

• Different situations (LoS / NLoS) -> Trade-off based on measurements

Other proximity tracing technologies

Different privacy models

Existing alternatives

• Centralized BLE-based architectures:
  • StopCOVID (France), TraceTogether (Singapore), NTK (ex-Germany)

• GPS-based architectures:
  • COVI (Canada), China or South Korea

Centralized BLE alternatives

• Two key operations for privacy:

Key generation: the key defines the random numbers

Exposure estimation: where risk is computed (requires knowing observed random identifiers)


TraceTogether / NTK / StopCOVID

• Key and random identifier generation

Figure: the server generates the keys and random identifiers for phones A (Iu&^#&980, kbdf4933&, Jhbd**@65, ...) and B (thaHH32%, 0P;#@111, kdaf$%ss, ...).

Privacy issues

- Server can decide on random numbers for users.

- Server can link random numbers without the user revealing keys

TraceTogether / NTK / StopCOVID

When a phone with the app hears a random identifier from a nearby app, it records having seen that number.

Figure: phones A, B and C, each with its own list of seen numbers:

A is nearby B: records B’s number

B is nearby A and C: records A’s and C’s numbers

C is nearby B: records B’s number

TraceTogether / NTK / StopCOVID

• Upon COVID-positive test

Figure: phone A uploads its list of seen numbers to the server.

Privacy issues

- Uploading of data from others.

- Server learns social network, co-locations

- Cannot use Google/Apple API

TraceTogether / NTK

• Seen individuals are sent a notification

Privacy issues

- Server needs a mapping from identifiers to phones (or a third party to do the mapping).

Epidemiological issues

- Inferring exposure may be difficult (and require more linkage)

Figure: the server notifies phones B and C.

StopCOVID

• Individuals poll for notification

Privacy issues

- Server sees contacts of a person (and the server generated the keys)

* Proposed countermeasures, not implemented

Figure: phones B and C, each with its list of seen numbers, poll the server.

Summary

Decentralized Proximity Tracing provides high privacy guarantees

First privacy-by-design product developed at large scale with the collaboration of key players in the mobile industry

An important piece in the Swiss strategy to contain COVID-19

Pilot ongoing!