Any views expressed within media held on this service are those of the contributors, should not be taken as approved or endorsed by the University, and do not necessarily reflect the views of the University in respect of any particular issue.
The latest conversations, stories and opinions of the Blockchain Technology Lab
COVID-19, contact tracing from a security and privacy perspective

COVID-19, contact tracing from a security and privacy perspective

In the last few weeks there was a spate of discussions and proposals on COVID-19 related “contact tracing” systems focusing on smartphone apps. The discussion ranged widely and included a flurry of system designs focusing on providing better privacy followed by papers that were critical of their security and even some that were dismissive of the general approach (links offered below).

This is well motivated. Contact tracing can be very useful if we want to lift the lockdown measures sooner rather than later. Without a comprehensive treatment and vaccination solution we need to be capable of keeping the disease in check via other means and contact tracing is an effective mechanism for doing that. The key point here is that manual contact tracing might be less effective by itself as it is labour intensive and people may not be able to identity all their contacts or, even if they do, they may not know how to notify them. As a result, automating the process, even as a complementary measure, makes a lot of sense especially in a country like the UK where smartphone penetration is very high at over 85%.

Despite the ingenious collective and constructive efforts by the security and privacy community on the design and engineering dimensions of the challenge, we are still missing pieces of the puzzle. It is an issue that quite often arises in work solving a problem that requires interdisciplinary expertise. Experts of one field make plausible assumptions and assessments about what the other field requires and proceed independently. In the end, a disconnect happens and while everyone believes they have solved the problem, it turns out the proposals are not fit for purpose.

This is not meant to be dismissive of the automated approach to contract tracing. On the contrary, I think sound security engineering  and cryptography in particular has a key role to play (pun intended!) to the information flow problem that appears to be the core issue at hand, albeit finding the right cryptography is only one piece of the puzzle. The elephant in the room in this discussion is that in order to come up with the best possible realisation for a certain communication problem, one needs to define exactly what is the problem to be solved. And in this particular case, the problem holders are primarily the public health experts and field epidemiologists that lead the national and international efforts of our Covid-19 response and to a second degree, tech companies, security academics and the cyber security and privacy experts who will design and implement the system. Urgent and high impact interdisciplinary work is hard to do, and wider engagement is direly needed.

So instead of pointing to a solution, in the remaining I will attempt to promote dialogue offering a definition of what the problem appears to be, extracted from a variety of different sources and perspectives, aiming at a public and fast iterative process that will help us understand clearly what is to be solved. We can publicly debate whether this is the right problem to solve (input from public health experts and field scientists in epidemiology and virology would be needed here) and whether the proposals and systems proposed are up to par with cyber security and privacy standards (with input from information technology and cyber security experts being relevant at this stage).

A bare minimum contact tracing functionality in a nutshell is this: when someone becomes ill with COVID-19, the list of people who came into some close contact with them during a specified time window in the recent past should be notified so that they follow a specific medical protocol. What needs to be further specified here is (i) the semantics of becoming infected (e.g., is the individual supposed to self-assess or a medical professional should administer a test), (ii) the definition of close contact in both the space and time domains, (iii) the length of the time window that the list needs to be considered and finally (iv) the nature of the medical protocol to be followed and specifically what additional information flows need to take place.

This is at a bare minimum.  Additional functionality may be needed. Other potentially actionable or medically relevant information about a case of infection could be helpful to medical professionals. For instance, we can request the generation and sharing of the “contact graph” of the infected person which may be useful from an epidemiology perspective; alternatively, one can ask for some aggregate statistics about such a graph for each infected patient. Or perhaps for the contact details of all the “nodes” in such a contact graph, thus enabling the contacts to be reachable even via conventional means outside the app. Expectedly, the more we ask, the more privacy “invasive” the contact tracing becomes. Covid-19 is a notifiable disease; but where exactly shall we draw the line between individual privacy and information sharing for the common good? It is these questions that critically require a multidisciplinary approach to ensure that no misalignment of incentives occurs in using the app. This is critical since any such misalignment would result in very few people using it which in turn will minimise its usefulness.

So, delineating the exact problem to be solved is paramount. Once the problem is understood, we can dive into sorting out all possible designs while striving for the minimum possible information leakage and the right incentive structure. And it is at this stage that cryptography can provide a way to argue about the security and privacy of a proposed system. It is important to keep in mind also that privacy loss is by far not the only concern with a contact tracing app; a comprehensive threat model would be needed that describes all the different ways of potential abuse and exploitation as well as how they are mitigated. Such model would consider threats coming from every angle and also factor in how the incentives of all participants align towards the system’s end goal.

To conclude, as anyone working in cyber security will tell you, no system is perfectly secure or private. Our objective is to navigate the design space and arrive at the best possible system architectures which will strike the right balance between privacy, usability and above all effectiveness in curbing the spread of the disease. This will require the collaboration of experts across different fields. And we should do it fast, because effective nation-wide contact tracing can help us get out of the lockdown, protect our healthcare system, and save lives.

by Prof. Aggelos Kiayias 
Posted 23 April, 2020

One comment

  1. Moti

    But looking at epidemiology needs and at technology (not just privacy and security but mobile options and capabilities, performance of all kinds, communication, accuracy, etc.etc.) is exactly what was done (at least in industry), and looking at Contact Tracing only as a component in the containment stage (post mitigation).
    This was the start when no one thought about it; once it started everyone is happy to join a fashion (but it is the nature of things).
    Then efforts luckily extended to a big groups of many people with many skills and companies joined efforts which is unusual, and consulting with gov’s etc. and being very directed at getting things done and have utility (while at the same time, not losing 20 years of privacy research completely in the real world due to dire needs).
    At the end, everyone who tried to solve the problem technologically and with practical intent while taking into account other issues (societal and political) did the right thing (contributing in your professional capacity is the best thing that can be done), and all who contributed here and there at some level, their work should be welcome. At the end, not all works will be used but understanding the domain of what modern technology can do is important. Using the Internet, TV, and Radio for informing people on the pandemic is a must in the modern world (was not done in 1917-18), and using available technology in assisting (say in Contact Tracing which is a part of the diagnostic protocol) is a must as well. In earlier times we had no such technologies and it is important to work on it… Did all academic work useful? for sure not in this case or in any case, but we need to try and something good can help (even if the help is only part of a big solution)!

Leave a Reply

Your email address will not be published. Required fields are marked *


Report this page

To report inappropriate content on this page, please use the form below. Upon receiving your report, we will be in touch as per the Take Down Policy of the service.

Please note that personal data collected through this form is used and stored for the purposes of processing this report and communication with you.

If you are unable to report a concern about content via this form please contact the Service Owner.

Please enter an email address you wish to be contacted on. Please describe the unacceptable content in sufficient detail to allow us to locate it, and why you consider it to be unacceptable.
By submitting this report, you accept that it is accurate and that fraudulent or nuisance complaints may result in action by the University.