Technological solutions to combat COVID-19
Decentralised Privacy-Preserving Proximity Tracing
Prof. Carmela Troncoso, EPFL, Switzerland
Security and Privacy Engineering Laboratory, 27 May 2020
Outline
• Digital proximity tracing (digital support for manual contact tracing)
• Decentralised proximity tracing
• Exposure estimation (notify when needed)
• Other proximity tracing architectures
Why proximity tracing? Supporting the containment strategy for COVID-19
TTIQ Strategy
Figure: timeline of an infected individual (no symptoms, then contagious, then symptomatic; pre-symptomatic transmission happens before symptoms appear) and the four steps applied to them: Tested and Isolated ("easy" to implement, stops the spread), Tracing (identify contacts exposed before symptoms appeared), Quarantine.
Manual Contact Tracing
Effective contact tracing is an important cornerstone of the TTIQ strategy.
Goal: identify individuals who have been exposed to an infected person during the contagious window.
Figure (health authority, infected individual, contacts):
1) Positive test result
2) Reconstruct list of contacts
3) Ask contacts to quarantine
Manual Contact Tracing
Figure: contacts of the infected individual during the contagious window; some of them are missed.
Problems: manual interviews are slow and resource intensive. Contact lists are often incomplete because of contacts with strangers or because patients cannot recall all contacts over the last two weeks.
Decentralized Privacy-preserving Proximity Tracing: a digital complement to manual contact tracing
How it works - Installation
Figure: phone A holds a daily secret key and the list of random identifiers derived from it.
The app creates a secret every day and from this key it derives random identifiers that it broadcasts via Bluetooth.
A random identifier is used for a limited amount of time.
Without the key, no-one can link two identifiers.
How it works - Walking around
When a phone with the app hears a random identifier from a nearby app, it records having seen that number.
Figure: phones A, B and C, each with its own list of seen numbers:
- A is nearby B: records B's number
- B is nearby A and C: records A's and C's numbers
- C is nearby B: records B's number
How it works - Upon positive diagnosis
When a user is diagnosed positive, if they consent, they upload their keys (their numbers).
These numbers:
- Are not related to A's identity
- Are not related to the locations A visited
- Are not related to other people A has interacted with or has seen
How it works - Proximity tracing
All phones download the latest COVID-positive numbers and check whether they have been exposed.
Each phone checks internally:
- Whether it has seen any of the numbers
- Whether the exposure to these numbers has been long and close enough (Mathias will explain in a minute)
- If yes, show a notification to the user
Figure: phones B and C compare the downloaded COVID-positive numbers against their own lists of seen numbers.
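The four steps above (daily secret, derived identifiers, local recording, key upload and local matching) as an added runnable model; this is my illustration, not DP-3T's or SwissCovid's code. Deriving identifiers with HMAC-SHA256 over (day, epoch) and 96 epochs per day are assumptions, not the specification's exact construction.

```python
import hmac, hashlib, os

# Constructed model of the scheme on the slides: every day a phone creates a
# fresh secret and derives short-lived random identifiers from it. Deriving
# them with HMAC-SHA256 over (day, epoch) is an assumption for illustration,
# not the DP-3T specification's exact construction.
EPOCHS_PER_DAY = 96  # assumed: a new identifier every 15 minutes


def derive_identifiers(daily_key, day):
    """All identifiers for one day; unlinkable to each other without the key."""
    return [hmac.new(daily_key, f"{day}|{epoch}".encode(), hashlib.sha256).digest()[:16]
            for epoch in range(EPOCHS_PER_DAY)]


class Phone:
    def __init__(self, name):
        self.name = name
        self.daily_keys = {}  # day -> secret; never leaves the phone unless uploaded
        self.seen = set()     # identifiers heard over Bluetooth

    def key_for(self, day):
        return self.daily_keys.setdefault(day, os.urandom(32))

    def broadcast(self, day, epoch):
        return derive_identifiers(self.key_for(day), day)[epoch]

    def hear(self, identifier):
        self.seen.add(identifier)

    def upload_on_positive(self, contagious_days):
        # With consent, only the keys for the contagious window are uploaded:
        # no identity, no locations, nothing about the people this phone saw.
        return [(day, self.key_for(day)) for day in contagious_days]

    def check_exposure(self, published):
        # Re-derive every published key's identifiers locally and intersect
        # with the seen set; the server never learns what this phone saw.
        matches = set()
        for day, key in published:
            matches |= set(derive_identifiers(key, day)) & self.seen
        return matches


def run_scenario():
    """A is near B, B is near A and C, C is near B; then B tests positive."""
    a, b, c = Phone("A"), Phone("B"), Phone("C")
    day = "2020-05-27"
    b.hear(a.broadcast(day, 10)); a.hear(b.broadcast(day, 10))
    b.hear(c.broadcast(day, 20)); c.hear(b.broadcast(day, 20))
    published = b.upload_on_positive([day])
    return {p.name: len(p.check_exposure(published)) for p in (a, b, c)}
```

Only A and C, who heard one of B's identifiers, find a match; nothing about A's or C's own seen lists ever leaves their phones.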
How it works - Notification
Example: SwissCovid (currently in pilot phase in Switzerland)
Security and Privacy
The only information that ever leaves the phone is the random numbers broadcast during the contagious period (no identity, no location, no information about others).
Can we be 100% sure no attack is possible? 100% security in practice is hard to guarantee!
Best practices throughout the process.
Just a piece of the puzzle...
Figure: the pieces surrounding the protocol (crypto): App, Mobile OS, Energy consumption, Wireless communication and HW constraints, Notification and risk exposure, Protection of the server and traffic, CDN secure usage, Authorization and integration in the health system, User experience and user acceptance, Health system, Law, Societal impact, Epidemiology.
DP-3T is an interdisciplinary team (30+ researchers, 10 countries) with a wide variety of expertise: privacy, systems, cryptography, wireless security, software security, requirements engineering, epidemiology, ethics, law.
Mobile OS: what about Google / Apple?
- Joint effort to support apps for contact tracing
- Why? Apple: access to BLE in the background; Google: BLE interoperability; efficient use of battery
- Main decision: DP3T-like protocol. Only COVID-positive numbers will leave the phone. Privacy-conscious!
- SwissCovid runs over the Google/Apple Exposure Notification API
Interoperability: beyond borders
• What happens when users travel from one country to another?
• e.g., hundreds of thousands of workers commuting to Switzerland from Italy, France, or Germany
• How would residents be informed about potential risks originating from foreigners visiting the country?
• And how would residents be informed about visiting travelers being COVID positive?
Image from: https://www.laliberte.ch/news/archives/fait-du-jour/ces-frontaliers-qui-ont-trouve-l-eldorado-16716
Centralised architectures
• Envisioned approach:
• Each country operates its own backend
• Users configure their application to receive notifications from countries that they travel to
• The homeland backend server of an infected user forwards the relevant data to the backend servers of the countries they recently traveled to
Image from: https://drive.google.com/file/d/1mGfE7rMKNmc51TG4ceE9PHEggN8rHOXk/edit
Exposure Estimation: estimating exposure based on BLE advertisements
Why do we need exposure estimation?
Notifications should be sent to users that have been exposed to the virus for a prolonged time (more than 15 minutes). Given BLE signals, we need to estimate exposure. This does not require measuring distance precisely; we need to represent the current epidemiological parameters (within ~2m).
Approach: estimate Pr[d < 2m | attenuation], the probability of being exposed to other users within 2m, given the attenuation of the BLE advertisements of COVID-positive users that have been observed.
Correlation between attenuation and distance
Figure: Alan Bensky, "Wireless Positioning, Technologies and Applications", Artech House, 2008
• Transmitter sends with transmission power "TX" (e.g., -15 dB)
• Receiver registers the signal with power "RSS" (e.g., -65 dB)
• Transmitter encodes its transmission power in the advertisement
• Attenuation: TX - RSS (e.g., -15 dB - (-65 dB) = 50 dB)
Estimating the probability d < 2m
• Static (LoS/NLoS) tests (up to 15 phones)
• Dynamic (LoS/NLoS) controlled tests (real situations)
From exposure estimation to notification
Exposure score: ES = 1.0*Tatt[<50] + 0.5*Tatt[50..55], where Tatt[...] is the time observed at that attenuation range (the ranges correspond to the 2m target above)
Notify users if ES >= 15 (minutes)
Challenge: estimation on the Google/Apple API
Juggling the imprecision of exposure estimation:
• Different devices introduce noise -> calibration
• Variations in implementations introduce noise -> testing
• Different situations (LoS / NLoS) -> trade-off based on measurements
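The attenuation computation, the ES scoring rule and the 15-minute notification threshold from the previous two slides, as an added worked example (my code, not the DP-3T or Google/Apple implementation). The bucket boundaries (50 dB falls in the half-weight bucket, 55 dB inclusive) and the per-device calibration offset parameter are assumptions; the samples are constructed.

```python
# Constructed model of the slide's scoring rule. Each observation is
# (minutes, tx_dbm, rss_dbm): TX is the transmission power the sender
# encodes in its advertisement, RSS the power the receiver registered.
LOW_ATT_DB = 50      # attenuation below this counts at full weight
HIGH_ATT_DB = 55     # attenuation in [50, 55] counts at half weight
NOTIFY_MINUTES = 15  # slide: notify if ES >= 15 minutes


def attenuation_db(tx_dbm, rss_dbm):
    """Attenuation = TX - RSS, e.g. -15 - (-65) = 50 dB."""
    return tx_dbm - rss_dbm


def exposure_score(observations, calibration_db=0):
    """ES = 1.0 * T_att[<50] + 0.5 * T_att[50..55].

    Boundary handling (50 in the half-weight bucket, 55 inclusive) is an
    assumption. calibration_db is an assumed per-device offset added to the
    measured attenuation; the slides only say devices need calibration.
    """
    t_low = t_mid = 0.0
    for minutes, tx, rss in observations:
        att = attenuation_db(tx, rss) + calibration_db
        if att < LOW_ATT_DB:
            t_low += minutes
        elif att <= HIGH_ATT_DB:
            t_mid += minutes
        # anything above 55 dB is treated as too far away and contributes nothing
    return 1.0 * t_low + 0.5 * t_mid


def should_notify(observations, calibration_db=0):
    return exposure_score(observations, calibration_db) >= NOTIFY_MINUTES


# Constructed sample: 10 min at 45 dB, 10 min at 52 dB, 20 min at 60 dB -> ES 15
EXPOSED = [(10, -15, -60), (10, -15, -67), (20, -15, -75)]
# Constructed sample: the same attenuations for less time -> ES 12.5, no notification
BRIEF = [(10, -15, -60), (5, -15, -67)]
```

A 5 dB calibration error on the same EXPOSED data pushes the 45 dB minutes into the half-weight bucket and drops the score to 5, which is why device calibration matters for the decision.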
Other proximity tracing technologies: different privacy models
Existing alternatives
• Centralized BLE-based architectures: StopCOVID (France), TraceTogether (Singapore), NTK (ex-Germany)
• GPS-based architectures: COVI (Canada), China or South Korea
Centralized BLE alternatives
• Two key operations for privacy:
- Key generation: the key defines the random numbers
- Exposure estimation: where risk is computed (requires knowing the observed random identifiers)
TraceTogether / NTK / StopCOVID
• Key and random identifier generation
Figure: the server generates the keys and random identifiers for phones A and B.
Privacy issues:
- Server can decide on random numbers for users.
- Server can link random numbers without the user revealing keys.
TraceTogether / NTK / StopCOVID
When a phone with the app hears a random identifier from a nearby app, it records having seen that number.
Figure: as in the decentralised design, A is nearby B and records B's number; B is nearby A and C and records A's and C's numbers; C is nearby B and records B's number.
TraceTogether / NTK / StopCOVID
• Upon COVID-positive test (figure: A uploads its list of seen numbers)
Privacy issues:
- Uploading of data from others.
- Server learns social network, co-locations.
- Cannot use Google/Apple API.
TraceTogether / NTK
• Seen individuals are sent a notification (figure: B and C)
Privacy issues:
- Server needs a mapping from identifiers to phones (or a third party to do the mapping).
Epidemiological issues:
- Inferring exposure may be difficult (and require more linkage).
StopCOVID
• Individuals poll for notification (figure: B and C, each with their list of seen numbers)
Privacy issues:
- Server sees the contacts of a person (and the server generated the keys).
* Proposed countermeasures, not implemented.
Summary
Decentralized proximity tracing provides high privacy guarantees.
First privacy-by-design product developed at large scale with the collaboration of key players in the mobile industry.
An important piece in the Swiss strategy to contain COVID-19.
Pilot ongoing!