A Proposal for a Very Ordinary Covid Tracking App, and Some Thoughts in General

As we look forward to "flattening the curve", there is a lot of discussion about how to keep it that way. We do not have a vaccine, and comments about the miracles of warm weather, disinfectant, and anti-malaria drugs aside, it seems evident that we will need some way to manage the continued presence of COVID-19.

One of the suggestions on this, which the Australian Government is currently exploring, is to make use of our smart devices to allow us to tell if we have been in proximity to someone who may have been contagious but not yet symptomatic. Ideally this would also make it easier for people to be notified that they should get tested.

There are not really any technical problems with this solution, or at least there will not be once it is easier to keep Bluetooth scanning going when devices are in sleep mode. There are, however, a few non-technical issues which are causing people some trouble. These centre around privacy and potential abuse of the data and come down to two questions: is the application going to grab too much data about me, and once this data is uploaded, is it adequately protected and what are the possibilities for its abuse? This is not just an "Evil Government" issue either; what happened in the UK with "News of the World" is still within memory. The reality is that if something is worth enough to someone, there are some people who will sell it for a price.

There is a lot of discussion about the current proposal on privacy already, and I don't wish to add to that here. That said, it is worth observing that if you do not collect data, there is no need to protect it, and that it might be worth having an approach which can be used across international boundaries, as the virus is clearly unaware of them; introducing personal data will only cause a roadblock to this.

The current proposal, of course, is coloured by what has already been done elsewhere, so it's understandable how it has come about. However, is there possibly a safer solution? Ideally all such an application would do is alert a user to the risk of exposure. It should not share anything without the user's permission, and it should require only the minimal amount of data needed to do the job for which it is designed.

The stated goal for the application discussed here is that it will provide a mechanism to alert the owner of the device to a possible exposure to COVID-19. If this really is all that is required, it turns out there is no need to be sending encrypted data, as no personal data is required to alert someone to an exposure. There are some, perhaps unexpected, benefits as well.

Some Background if you need it

Before we look at the steps involved, it would be a good idea just to briefly mention some of the techniques required to make this happen.

Cryptography as an area does not just encompass encryption; there is another area which covers what are referred to as "zero-knowledge proofs". Not to be confused with a proof of zero knowledge, of which there are already plenty of examples, a zero-knowledge proof in cryptography is a way for one party to convince another that they know some secret value, or that a statement about it is true, without revealing the value itself: the second party learns nothing beyond the fact that the first party really did know it. In the simple form used here, the proof is a computed value that could only have been produced by someone who knew the inputs beforehand; a second party can recompute and check it, but only once the first party chooses to make those inputs available. As esoteric as they might sound, these proofs have been applied to things as diverse as electronic voting and on-line gambling.

One of the core components of these is what cryptographers refer to as a commitment. A commitment is calculated in such a way that if someone keeps one of the input values secret from us, they cannot change their mind about it later (the commitment is "binding"). Likewise, we cannot tell what the secret input value was until the other party decides to tell us (it is "hiding"). Calculations like this are made possible using one-way cryptographic functions, commonly referred to as message digests or hash functions, which produce seemingly random values that can only be reproduced by feeding in exactly the same input values again. A commitment to a secret is typically the digest of that secret together with a fresh random value, so that two commitments to the same secret look unrelated and a short or guessable secret cannot simply be tried against the digest.

There is plenty more discussion of such things on Wikipedia; however, getting back to our need to track contacts with people who may have contracted COVID-19, commitments provide us with a way of allowing someone to record that we have been near them while at the same time not telling them who we are. As we can create a secret for the purpose of identifying ourselves to them later, it also means that even when we tell them we were near them, we still do not have to tell them who we are, yet we can prove that what we say is true. Interestingly, as this means we no longer need to expose any of our personal data, we can now go public when we are infected without any risk to our personal data from that action. This is because it is not really us who is going public, just something we happen to have on our device.

How To Do It

The protocol for making this possible is quite simple and breaks down into 4 steps.

  1. User downloads the application; the application generates two random numbers, one to use as the device identifier and one to use as a secret.
  2. Two users running the application spend more than 15 minutes within Bluetooth range. The applications each generate a commitment to their respective secrets and exchange them, together with their device identifiers, so that each device can later recognise the other's identifier.
  3. One of the users is diagnosed with COVID-19. They provide their device ID and secret (together with the random value used to form the commitment) to the testing clinic, who upload them to a public location.
  4. The other user, whose device is using the application to monitor the public location, recognises the device ID as one it has seen, downloads the associated secret and verifies that the commitment it holds opens to the secret published. Once this is done, it alerts the user to the possible exposure to COVID-19.

After step 4 the user will organise a test for themselves. Well, at least you hope they would. Then again, they can just as easily ignore a phone call telling them they need a test, or claim the device was not with them, under any scheme. Any way we dress this up, we are still relying on people to do the right thing. We might as well embrace it. Besides, this also means that people tasked with contact tracing don't have to call people who may have been exposed: the phone will notify an exposed user for them, automatically. As an added bonus, the phone/device in this context does not have to belong to an actual person; it might be associated with a place where people don't necessarily carry devices but which needs to monitor for exposure as well.

There are, of course, some technical considerations that have been glossed over. How big should the random numbers be, for example? 256 bits each would give us about 10 raised to the 77 possibilities (2^256 is roughly 1.2 x 10^77), and we can also go bigger. There is no point in keeping contacts older than 14 days, so the application should simply discard them. There are other considerations as well: for example, generating a commitment requires another random number, which has to be kept and published along with the secret, and a device identifier that stays fixed for the whole period can be observed by anyone in Bluetooth range, so in practice it would need to be rotated regularly, with a commitment for each rotation. These are all issues that are well within the range of current technology. As you have, hopefully, also noticed, there is no requirement to use personal data, and the notified user is protected as well: they find out about their exposure through a discovery process rather than by being told.
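The commitment construction from the background section and the four protocol steps above, worked through end to end as an added example (this is illustrative code written for this page, not the author's design or any real app's code). It assumes a SHA-256 hash commitment with a domain-separation tag, three 256-bit random values per device (identifier, secret, commitment nonce), a fixed identifier per device as the steps describe, a 15-minute minimum contact and 14-day retention; the `Device` class, the `run_scenario` function and the Alice/Bob/Carol scenario are constructed for illustration.

```python
"""Hash-commitment contact protocol (added example, not the author's code)."""
import hashlib
import hmac
import secrets

MINUTES = 60
DAYS = 24 * 60 * MINUTES
MIN_CONTACT = 15 * MINUTES        # step 2: only sustained proximity counts
RETENTION = 14 * DAYS             # sightings older than this are discarded
TAG = b"covid-contact-commit-v1"  # assumed domain-separation tag, not from the page


def commit(device_id: bytes, secret: bytes, nonce: bytes) -> bytes:
    """SHA-256 commitment to (device_id, secret) under a fresh random nonce.

    Binding: SHA-256 is collision resistant, so the committer cannot later open the
    commitment to a different secret.  Hiding: the 256-bit nonce means the digest
    reveals nothing about the secret, even if the secret itself were guessable."""
    return hashlib.sha256(TAG + device_id + secret + nonce).digest()


def verify_opening(commitment: bytes, device_id: bytes, secret: bytes, nonce: bytes) -> bool:
    """Step 4 check: does the published (id, secret, nonce) open the stored commitment?"""
    return hmac.compare_digest(commitment, commit(device_id, secret, nonce))


class Device:
    """One phone (or a fixed beacon at a venue). All three values are 256-bit."""

    def __init__(self):
        self.device_id = secrets.token_bytes(32)   # step 1: broadcast identifier
        self.secret = secrets.token_bytes(32)      # step 1: stays on the device until diagnosis
        self.nonce = secrets.token_bytes(32)       # the extra random number a commitment needs
        self.commitment = commit(self.device_id, self.secret, self.nonce)
        self.sightings = {}  # peer_id -> {"commitment", "first", "last"} (seconds)

    def beacon(self):
        """Step 2: what a peer learns over Bluetooth. No secret, no personal data."""
        return self.device_id, self.commitment

    def record_sighting(self, peer_id: bytes, peer_commitment: bytes, now: int):
        """Store a sighting of a peer's beacon and drop anything older than 14 days."""
        entry = self.sightings.setdefault(
            peer_id, {"commitment": peer_commitment, "first": now, "last": now})
        entry["last"] = now
        self.sightings = {k: v for k, v in self.sightings.items()
                          if now - v["last"] <= RETENTION}

    def disclose(self) -> dict:
        """Step 3: the opening the diagnosed user hands to the clinic for the public list."""
        return {"device_id": self.device_id, "secret": self.secret, "nonce": self.nonce}

    def check(self, public_list) -> list:
        """Step 4: match the public list against contacts that lasted at least 15 minutes.

        An entry only alerts if (a) we actually saw that identifier, (b) the contact was
        long enough, and (c) the published secret opens the commitment we recorded."""
        exposed = []
        for entry in public_list:
            seen = self.sightings.get(entry["device_id"])
            if seen is None or seen["last"] - seen["first"] < MIN_CONTACT:
                continue
            if verify_opening(seen["commitment"], entry["device_id"],
                              entry["secret"], entry["nonce"]):
                exposed.append(entry["device_id"])
        return exposed


def run_scenario() -> dict:
    """Constructed scenario: Alice and Bob share 20 minutes; Carol passes Alice for 2."""
    alice, bob, carol = Device(), Device(), Device()
    for t in range(0, 20 * MINUTES + 1, MINUTES):      # one sighting per minute
        bob.record_sighting(*alice.beacon(), now=t)
        alice.record_sighting(*bob.beacon(), now=t)
    for t in range(0, 2 * MINUTES + 1, MINUTES):
        carol.record_sighting(*alice.beacon(), now=t)

    public_list = [alice.disclose()]                                  # step 3
    forged = dict(alice.disclose(), secret=secrets.token_bytes(32))   # right ID, wrong secret
    return {
        "bob_alerted": bob.check(public_list) == [alice.device_id],
        "carol_alerted": bool(carol.check(public_list)),   # too brief to count
        "forgery_rejected": bob.check([forged]) == [],     # commitment is binding
        "alice_self": alice.check(public_list) == [],      # never saw her own ID
    }


if __name__ == "__main__":
    print(run_scenario())
```

The forged entry is the interesting case: publishing someone's identifier with a made-up secret does not raise an alert, because only the holder of the original secret and nonce can open the commitment that was exchanged in step 2. Nothing in the public list links the identifier to a person, which is the point of the design.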

Why is this Here?

COVID-19 has given rise to some interesting demonstrations of human behaviour in recent history. In Australia the most famous one probably involves toilet paper, so I guess, as an Australian, I am hoping to show we have moved on to other considerations! Looking at this behaviour, and other panic buying, has often involved discussions about people's desperation to feel that, in a crisis situation, they need to find things to do where they can at least feel like they are protecting themselves. Despite this, and although a COVID-19 tracking application would obviously be a useful tool in our arsenal, one of the concerns, even in Singapore, with the current tracking applications is that application uptake is low, possibly too low to be really useful.

This idea is also intended to help you protect yourself and others, and whatever authority it may exercise is totally under the control of the owner of the device running it. Perhaps uptake for such an application would be much broader. Panic buying aside, a minimalist approach like this may be really "more us", even part of the better angels of our nature, and so see more widespread use.

Some Comments on the Australian App

COVIDSafe, the first edition, was released on 26th April. In terms of technology, decompilation indicates that it appears to do what it says it does. The core design issue still remains though: the app asks for your phone number so that a contact tracer can get in touch with you later. This has 3 consequences:

  1. The phone number has to be protected in remote storage for later retrieval.
  2. A contact tracer has to recover the phone number at a later date in order to get in touch with the app user.
  3. The app conditions users to expect people they have no hope of identifying to call them on their phone at some time later.

Item 1. is only necessary to make items 2. and 3. possible.

Item 2. is really a double handling of the information as well as an extra burden on a worker whose time would be better spent dealing with things the app does not.

Item 3. means that we can expect a new range of phone scams based on people being fooled into thinking they are talking to contact tracers. As the conversation will probably start with them being told they may have been exposed to the virus, these people are likely to be very vulnerable (given they've already been worried enough to download the app).

While I grant these consequences are likely unintended, I think they will all present real problems in the future. It would be a cleaner line of communication if the app communicated directly with the user. After all, they've been told to keep it running, so there's no doubt the message will get through.

Some other recent developments

  • a colleague in a LinkedIn conversation suggested using the ability to register under a pseudonym as a means of forcing a person calling as a contact tracer to identify themselves. If you're going to use the app, it's a good idea to do this, but I am not sure how many people will think of it (and clever a workaround as it is, the fact that it is needed does raise a few questions...)
  • unfortunately the evening of the 27th also saw people spoofing SMSs which pretended to be associated with the app; I'm hoping we don't see something like that too often. Spoofing thousands of phones, telling people via SMS they need to come in for a test, is not going to improve confidence in the app or help the broader cause of managing the virus. While the app relies on the use of phone numbers, the risk of exploits like this remains.

Details on the Apple/Google APIs have been published and appear here. The APIs to support this are meant to start appearing sometime in May. It does look like an interesting solution.

Some technology principles for tracing apps from the ACLU. The current Apple/Google proposal is looked at as part of this.

For some more in-depth analysis of the Australian App and tracking apps in general, a series of articles have just appeared starting with Why should you install the covidsafe app? (part 1).

Bruce Schneier has also provided some thoughts on his blog.

It's becoming obvious this issue is a lot less straightforward than anyone has really thought.

24 May, 2020 - There's a discussion scheduled on the COVIDSafe App for May 26, sponsored by the Australian Academy of Science, ANU, and HMI. Details on: Eventbrite

25 May, 2020 - A review document of where things are at 4 weeks in has been posted on Google Docs

16 June, 2020 - Some more recent analysis on COVIDSafe and contact tracing. https://github.com/vteague/contactTracing.

Downloading and installing the application is really a personal decision, but if you do, I would also recommend registering with a pseudonym so you have some chance of being able to identify legitimate callers. Hopefully, once the process of contact tracing is better understood, the application will no longer rely on a phone number, but for now we can expect some people to try to exploit this situation, and being able to identify the caller is the only defence you have.

David Hook <dgh@autochthonous.org>
25th April 2020, updates 27th April 2020, 29th April 2020, 2nd May 2020, 24th May 2020, 25th May 2020, 16th June 2020.

Finally: Please feel free to email me with comments/suggestions or pointers to relevant work and I will add links here (I'd think at this stage a few people might have drawn the same/similar/better ideas and conclusions).