The Problem with the Apple / Google Tracing Solution

As discussed in the previous blog post, the tracing process should be based on distributed contact verification. In this context, the three most notable tracing concepts proposed so far are the API proposed by Apple and Google, the Swiss-led DP-3T project proposal, and TraceCORONA, developed by the Technische Universität Darmstadt, which I represent.

Of these, Apple’s and Google’s proposal is the weakest in terms of privacy properties, as it requires infected individuals to publish, to all devices participating in the system, all Bluetooth proximity identifiers they have used during the days on which they may have been infectious. Any application or entity involved in the system can therefore track the movements of (and thus de-anonymise) any infected person during these days.

The Swiss-led DP-3T project’s design 2 provides better protection for infected individuals, as the local identifiers used by the infected person are only revealed to the background system in this model. Therefore, other users of the system will not be able to misuse proximity identifiers of users for tracking their movements. However, in the DP-3T design 2, it is possible to track infected persons by (mis)using the data stored in the backend system, as all proximity identifiers revealed by infected persons are known to the backend system.

Unlike almost all other proposed tracing models, the TraceCORONA tracing model is not based on frequently changing pseudonymous proximity identifiers, but on strong cryptographic Encounter Tokens that are unique to each encounter between two users. The cryptographic properties of Encounter Tokens are such that, even with unauthorised access to the information in the backend system, an Encounter Token cannot be associated with the proximity data that devices beacon out via Bluetooth and that can be collected with Bluetooth sensors. For this reason, a contact can only be identified by the actual devices that were involved in it, and tracking of infected users is thus not possible even using backend system information. A comparison of the features of TraceCORONA, with a detailed comparison against the other major tracing application models, is available here.
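As an added illustration (not TraceCORONA's own code), the Python below shows why a token derived by key agreement between the two devices cannot be tied by a passive observer to the values beaconed over Bluetooth, whereas publishing the proximity identifiers themselves can be matched by anyone who recorded them on air. It assumes a plain Diffie-Hellman exchange over the RFC 3526 2048-bit MODP group as a stand-in for whatever key agreement the project actually uses.

```python
import hashlib
import secrets

# Assumption: plain DH over RFC 3526 group 14 stands in for the real key
# agreement; this is an illustration, not the project's implementation.
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".split()), 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8


def new_ephemeral():
    """Per-interval secret plus the public value the device beacons over BLE."""
    secret = secrets.randbelow(P - 2) + 1
    return secret, pow(G, secret, P)


def encounter_token(my_secret, peer_beacon):
    """Token unique to one encounter: a hash of the DH shared secret.
    Only a device holding one of the two secrets can compute it."""
    shared = pow(peer_beacon, my_secret, P)
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).hexdigest()


def simulate_encounter():
    """Two devices meet, exchange beacons and each derives the same token."""
    a, beacon_a = new_ephemeral()
    b, beacon_b = new_ephemeral()
    token_a = encounter_token(a, beacon_b)
    token_b = encounter_token(b, beacon_a)
    return token_a, token_b, [beacon_a, beacon_b]


def sniffer_can_link(published, recorded_beacons):
    """A passive BLE sniffer (or anyone reading the backend) can tie a
    published value to a place and time only if it equals something it saw
    on air. Published proximity identifiers match directly; a token never
    appears on air and cannot be recomputed without one device's secret."""
    on_air = {format(b, "x") for b in recorded_beacons}
    return any(p in on_air for p in published)
```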

