By Prof. Aggelos Kiayias. Posted 23 April 2020.
In the last few weeks there was a spate of discussions and proposals on COVID-19 related “contact tracing” systems focusing on smartphone apps. The discussion ranged widely and included a flurry of system designs focusing on providing better privacy followed by papers that were critical of their security and even some that were dismissive of the general approach (links offered below).
This is well motivated. Contact tracing can be very useful if we want to lift the lockdown measures sooner rather than later. Without a comprehensive treatment and vaccination solution we need to be capable of keeping the disease in check via other means, and contact tracing is an effective mechanism for doing that. The key point here is that manual contact tracing might be less effective by itself, as it is labour intensive and people may not be able to identify all their contacts or, even if they do, they may not know how to notify them. As a result, automating the process, even as a complementary measure, makes a lot of sense, especially in a country like the UK where smartphone penetration is very high at over 85%.
Despite the ingenious collective and constructive efforts by the security and privacy community on the design and engineering dimensions of the challenge, we are still missing pieces of the puzzle. It is an issue that quite often arises in work solving a problem that requires interdisciplinary expertise. Experts of one field make plausible assumptions and assessments about what the other field requires and proceed independently. In the end, a disconnect happens and while everyone believes they have solved the problem, it turns out the proposals are not fit for purpose.
This is not meant to be dismissive of the automated approach to contact tracing. On the contrary, I think sound security engineering and cryptography in particular has a key role to play (pun intended!) in the information flow problem that appears to be the core issue at hand, albeit finding the right cryptography is only one piece of the puzzle. The elephant in the room in this discussion is that in order to come up with the best possible realisation for a certain communication problem, one needs to define exactly what the problem to be solved is. And in this particular case, the problem holders are primarily the public health experts and field epidemiologists who lead the national and international efforts of our Covid-19 response and, to a second degree, the tech companies, security academics and cyber security and privacy experts who will design and implement the system. Urgent and high impact interdisciplinary work is hard to do, and wider engagement is direly needed.
So instead of pointing to a solution, in the remainder I will attempt to promote dialogue by offering a definition of what the problem appears to be, extracted from a variety of different sources and perspectives, aiming at a public and fast iterative process that will help us understand clearly what is to be solved. We can publicly debate whether this is the right problem to solve (input from public health experts and field scientists in epidemiology and virology would be needed here) and whether the proposals and systems put forward are up to par with cyber security and privacy standards (with input from information technology and cyber security experts being relevant at this stage).
A bare minimum contact tracing functionality in a nutshell is this: when someone becomes ill with COVID-19, the list of people who came into some close contact with them during a specified time window in the recent past should be notified so that they follow a specific medical protocol. What needs to be further specified here is (i) the semantics of becoming infected (e.g., is the individual supposed to self-assess, or should a medical professional administer a test), (ii) the definition of close contact in both the space and time domains, (iii) the length of the time window over which the list needs to be considered and finally (iv) the nature of the medical protocol to be followed and specifically what additional information flows need to take place.
This is at a bare minimum. Additional functionality may be needed. Other potentially actionable or medically relevant information about a case of infection could be helpful to medical professionals. For instance, we can request the generation and sharing of the “contact graph” of the infected person, which may be useful from an epidemiology perspective; alternatively, one can ask for some aggregate statistics about such a graph for each infected patient. Or perhaps for the contact details of all the “nodes” in such a contact graph, thus enabling the contacts to be reachable even via conventional means outside the app. As expected, the more we ask, the more privacy “invasive” the contact tracing becomes. Covid-19 is a notifiable disease; but where exactly shall we draw the line between individual privacy and information sharing for the common good? It is these questions that critically require a multidisciplinary approach to ensure that no misalignment of incentives occurs in using the app. This is critical since any such misalignment would result in very few people using it, which in turn will minimise its usefulness.
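To make the two preceding paragraphs concrete, here is a small model of the bare-minimum functionality and of the less invasive "aggregate statistics" variant. It is an added example, not code from the post or from any deployed contact-tracing app; the encounter records, pseudonyms, the 2 m / 15 minute / 14 day thresholds and the diagnosis time are all constructed assumptions chosen to exercise parameters (ii) and (iii) above. What it shows is that the notification list and the summary depend entirely on how those parameters are fixed, which is exactly the specification work the post asks for.

```python
"""Minimal model of the contact-tracing functionality described in the post.

Added example: all names, thresholds and encounter data below are illustrative
assumptions, not values from the post or from any real scheme.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Encounter:
    """One proximity event between two people, as an app might log it."""
    a: str                 # pseudonym of the first party
    b: str                 # pseudonym of the second party
    start: datetime        # when the encounter began
    duration: timedelta    # how long the two stayed together
    distance_m: float      # estimated separation in metres


@dataclass(frozen=True)
class ContactPolicy:
    """Parameters (ii) and (iii) from the post: what counts as close contact in
    space and time, and how far back to look. Defaults are assumptions."""
    max_distance_m: float = 2.0                    # space domain
    min_cumulative: timedelta = timedelta(minutes=15)  # time domain
    window: timedelta = timedelta(days=14)         # look-back window


def exposure_by_contact(encounters: Iterable[Encounter], case_id: str,
                        diagnosis_time: datetime,
                        policy: ContactPolicy) -> Dict[str, timedelta]:
    """Cumulative close-range exposure of every other person to `case_id`,
    counting only encounters inside the window that ends at diagnosis."""
    window_start = diagnosis_time - policy.window
    totals: Dict[str, timedelta] = {}
    for e in encounters:
        if case_id not in (e.a, e.b):
            continue                      # does not involve the case
        if e.start < window_start or e.start > diagnosis_time:
            continue                      # outside the recent-past window
        if e.distance_m > policy.max_distance_m:
            continue                      # not "close" in the space domain
        other = e.b if e.a == case_id else e.a
        totals[other] = totals.get(other, timedelta()) + e.duration
    return totals


def contacts_to_notify(encounters: Iterable[Encounter], case_id: str,
                       diagnosis_time: datetime,
                       policy: ContactPolicy) -> Set[str]:
    """The bare-minimum functionality: who should be told to follow the protocol."""
    exposure = exposure_by_contact(encounters, case_id, diagnosis_time, policy)
    return {who for who, t in exposure.items() if t >= policy.min_cumulative}


def aggregate_stats(encounters: Iterable[Encounter], case_id: str,
                    diagnosis_time: datetime,
                    policy: ContactPolicy) -> Dict[str, float]:
    """Identity-free summary of the case's contact graph: the less invasive
    alternative to sharing the graph itself."""
    exposure = exposure_by_contact(encounters, case_id, diagnosis_time, policy)
    minutes: List[float] = [t.total_seconds() / 60
                            for t in exposure.values()
                            if t >= policy.min_cumulative]
    return {"close_contacts": len(minutes),
            "total_minutes": sum(minutes),
            "max_minutes": max(minutes, default=0.0)}


# Constructed sample data: "P0" is the diagnosed case.
DIAGNOSIS = datetime(2020, 4, 20, 12, 0)
SAMPLE_ENCOUNTERS = [
    Encounter("P0", "A", datetime(2020, 4, 15, 10, 0), timedelta(minutes=20), 1.5),  # close, long enough
    Encounter("P0", "B", datetime(2020, 4, 18, 9, 0), timedelta(minutes=5), 1.0),    # two short encounters
    Encounter("B", "P0", datetime(2020, 4, 18, 17, 0), timedelta(minutes=12), 1.8),  # ... that add up to 17 min
    Encounter("P0", "C", datetime(2020, 4, 19, 14, 0), timedelta(minutes=30), 4.0),  # too far away
    Encounter("P0", "D", datetime(2020, 4, 1, 11, 0), timedelta(minutes=60), 0.5),   # before the window
    Encounter("P0", "E", datetime(2020, 4, 20, 11, 55), timedelta(minutes=10), 1.0), # too brief
    Encounter("A", "B", datetime(2020, 4, 16, 12, 0), timedelta(minutes=45), 0.8),   # does not involve P0
]

if __name__ == "__main__":
    policy = ContactPolicy()
    print("notify:", sorted(contacts_to_notify(SAMPLE_ENCOUNTERS, "P0", DIAGNOSIS, policy)))
    print("summary:", aggregate_stats(SAMPLE_ENCOUNTERS, "P0", DIAGNOSIS, policy))
```

Changing a single policy field changes the outcome: with the defaults, A and B are notified (B only because two short encounters accumulate past the threshold), while raising `min_cumulative` to 20 minutes drops B. The aggregate summary exposes the number of close contacts and exposure minutes but no identities, illustrating the trade-off between usefulness to epidemiologists and information leakage that the post raises.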
So, delineating the exact problem to be solved is paramount. Once the problem is understood, we can dive into sorting out all possible designs while striving for the minimum possible information leakage and the right incentive structure. And it is at this stage that cryptography can provide a way to argue about the security and privacy of a proposed system. It is important to keep in mind also that privacy loss is by far not the only concern with a contact tracing app; a comprehensive threat model would be needed that describes all the different ways of potential abuse and exploitation as well as how they are mitigated. Such a model would consider threats coming from every angle and also factor in how the incentives of all participants align towards the system’s end goal.
To conclude, as anyone working in cyber security will tell you, no system is perfectly secure or private. Our objective is to navigate the design space and arrive at the best possible system architectures which will strike the right balance between privacy, usability and above all effectiveness in curbing the spread of the disease. This will require the collaboration of experts across different fields. And we should do it fast, because effective nation-wide contact tracing can help us get out of the lockdown, protect our healthcare system, and save lives.