Executive Summary
Huge efforts are being invested in enabling effective contact tracing of infected persons in order to encounter the COVID-19 pandemic. Many contact tracing apps have been proposed and deployed in the last months in China, South Korea, Singapore, Taiwan and several active development efforts are underway in Europe and in the US. While the privacy aspects in some countries were not of high priority, there has been a lively debate around privacy compliance in EU and US.
Some approaches like, e.g., one proposed by the MIT are based on tracking the GPS location of participating users. However, use of GPS for this purpose faces challenges, as it relatively inaccurate especially in indoor areas that are particularly important to capture accurately due to the higher contagion risk in enclosed spaces. Privacy of users is addressed in these approaches by allowing users to redact locations that they deem sensitive. However, this approach has its problems. For one, a lot of potential contacts are lost when places like homes and workplaces are redacted from released location traces, thus diminishing the utility of the system. On the other hand, even aggressive redaction of specific locations may not be sufficient for ensuring user privacy, as users may still be identifiable given additional information that, e.g., big social media companies or players like Google have on their users.
Therefore, we focus in this analysis on approaches utilising Bluetooth for sensing proximity between users. A number of proposals using this technology have been made each of them providing different levels of security and privacy to its users.
We present a summary of our detailed analysis of 4 currently debated contract tracing schemes relying on Bluetooth tracking, and compare them according to various criteria. These include PEPP-PT , DP-3T and TraceCORONA as well as a scheme recently proposed by Google and Apple.
As also pointed out by a joint statement of numerous security researchers recently, our analysis shows that the approach proposed by the initiative PEPP-PT has serious problems with regard to the level of privacy it provides to the users of the system. This applies in particular with regard to the potential misuse of tracing data by the organisation responsible for operating the system.
The approaches DP-3T and TraceCORONA provide much stronger privacy guarantees by decentralising the contact tracing to individual users of the system and thereby limiting the ability of a misbehaving central authority to inappropriately track the participating users.
In particular, TraceCORONA provides additional benefits in terms of the verifiability of epidemiological data, which users may voluntarily share with health research institutions. In addition, it provides also an opportunity to be resistant to attackers seeking to negatively affect the accuracy and correctness of epidemiological models used as a basis for political decision-making in crisis situations.
Finally, we also emphasize that a contact tracing app is only a small piece of the solution to the pandemic puzzle we are currently facing. We believe that in a democratic society we need a secure and privacy-preserving ecosystem to which tracing apps can dock and allow users to use services like secure messaging, secure document exchange to communicate securely with relevant stakeholders such as physicians, hospitals and other health organizations. The goal of TraceCORONA is to provide such a platform to which several stakeholders can connect to by providing their dedicated apps that can coexist on the platform. A central feature of the platform is also that users themselves can freely decide, if and which apps they want to use.
Contact
Prof. Dr.-Ing. Ahmad-Reza Sadeghi
Follow us on Twitter: @RealSystemSec