An Empirical Evaluation of Bluetooth-Based Decentralized
Total Page:16
File Type:pdf, Size:1020Kb
1 An Empirical Evaluation of Bluetooth-based Decentralized Contact Tracing in Crowds Hsu-Chun Hsiao, Chun-Ying Huang, Bing-Kai Hong, Shin-Ming Cheng, Hsin-Yuan Hu, Chia-Chien Wu, Jian-Sin Lee, Shih-Hung Wang, Wei Jeng This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible. Abstract—Digital contact tracing is being used by many coun- duration of such exposure, their mobility trajectories over time, tries to help contain COVID-19’s spread in a post-lockdown whether masks were worn, and whether the contact occurred world. Among the various available techniques, decentralized indoors or outdoors. contact tracing that uses Bluetooth received signal strength indi- cation (RSSI) to detect proximity is considered less of a privacy With the escalating scale of the COVID-19 pandemic, the risk than approaches that rely on collecting absolute locations via vast numbers of new cases identified via testing each day GPS, cellular-tower history, or QR-code scanning. As of October exceed the capacity of traditional contact tracing, the failures 2020, there have been millions of downloads of such Bluetooth- of which have been extensively reported [1]. Some local based contract-tracing apps, as more and more countries officially health services have even abandoned their former practice of adopt them. However, the effectiveness of these apps in the real world remains unclear due to a lack of empirical research that directly communicating with the close contacts of a case. Thus, includes realistic crowd sizes and densities. This study aims to governments are turning to digital contact tracing that utilizes fill that gap, by empirically investigating the effectiveness of mobile providers or mobile applications to help identify po- Bluetooth-based contact tracing in crowd environments with a tential contacts by means of GPS data, cell-tower connection total of 80 participants, emulating classrooms, moving lines, and history, QR-code scanning, and so forth. other types of real-world gatherings. The results confirm that Bluetooth RSSI is unreliable for detecting proximity, and that this However, large-scale collection of citizens’ digital footprints inaccuracy worsens in environments that are especially crowded. by governments has sparked concerns about mass surveillance. In other words, this technique may be least useful when it is Accordingly, to enhance the privacy of digital contact tracing, most in need, and that it is fragile when confronted by low- a number of decentralized approaches have been developed, cost jamming. Moreover, technical problems such as high energy capable of detecting close proximity between phones (and consumption and phone overheating caused by the contact- tracing app were found to negatively influence users’ willingness thus, presumably, those phones’ owners) without needing to to adopt it. On the bright side, however, Bluetooth RSSI may report each phone’s location to a centralized server. Many still be useful for detecting coarse-grained contact events, for of them use Bluetooth received signal strength indication example, proximity of up to 20m lasting for an hour. Based on our (RSSI) as a proxy for distance. The core of these apps is the findings, we recommend that existing contact-tracing apps can be periodic broadcasting via Bluetooth of anonymized, frequently re-purposed to focus on coarse-grained proximity detection, and that future ones calibrate distance estimates and adjust broadcast changing tokens (e.g., broadcasting every 100-270 ms and frequencies based on auxiliary information. changing every 15 minutes [2], [3]). These tokens contain no information about the phone or its owner, and each phone Keywords-Private contact tracing, COVID-19, Bluetooth RSSI stores the sent as well as received tokens. Thus, a user, Alice, arXiv:2011.04322v2 [cs.CY] 24 May 2021 who has tested positive can voluntarily publish all the tokens her phone sent during her potential transmission period (e.g., I. INTRODUCTION the past 14 days), such that another user, Bob, can download For decades, contact tracing has been known as an effective the tokens published by infected people and determine for method for controlling the spread of infectious diseases. In himself whether he has encountered any of them, and for how the traditional contact-tracing model, trained personnel use in- long, by matching them to his own phone’s received tokens. person or telephone interviews to identify and list those who Bob can then voluntarily seek help from health authorities have had meaningful exposure to diagnosed individuals during if his risk of exposure is considered high. Many apps of this a disease’s likely transmission period. The risk levels of those kind have built-in risk-estimation models, and may recommend contacts can then be determined based on factors such as the different measures (e.g., self-monitoring, commencing a 14- physical distances between them and the infected people, the day quarantine, or seeking medical attention) based on the risk levels they calculate. H.-C. Hsiao, H.-Y. Hu, C.-C. Wu J.-S. Lee, S.-H. Wang, W. Jeng are with As countries lift their lockdowns and reopen facilities, National Taiwan University, Taipei, Taiwan. there is a rush to deploy these Bluetooth-based decentralized C.-Y. Huang is with National Chiao Tung University, Hsinchu, Taiwan. S.-M. Cheng, B.-K. Hong are with National Taiwan University of Science contact-tracing apps. As of October 2020, some 20 countries and Technology, Taipei, Taiwan. and six U.S. states have adopted them. The EU is currently 2 planning a Europe-wide coronavirus-tracing network, based on example, contacts within 20m that last for at least an hour. The new infrastructure that will enable data-sharing between na- sampled phone users said they were more willing to use the tional contact-tracing apps [4]. In addition, Apple and Google similar apps 1) when in crowded environments and 2) while are planning to jointly release a new system called Exposure contact tracers from health departments were also using them. Notification Express, aimed at local health authorities that have not built their own apps [5]. II. BACKGROUND AND RELATED WORK Nevertheless, few studies have gauged the effectiveness of We summarize several representative privacy-preserving these apps in practice, with existing evaluations of Bluetooth- contact-tracing methods and previous studies that review them. based contact-tracing techniques relying on either simulation with mathematical models, or experiments involving either mobile devices only, or a very limited number of partici- A. Privacy-preserving contact tracing for COVID-19 pants. Accordingly, the present work empirically investigates There are two major approaches to privacy-preserving con- the effectiveness of Bluetooth-based contact tracing, in two tact tracing. The first adopts a decentralized design intended phases. In Phase 1, we will examine whether Bluetooth RSSI to minimize the amount of data that needs to be sent to a can reliably predict distance in a controlled experimental centralized server. The other applies cryptographic algorithms setting. Then, in Phase 2, based on estimated distances be- to protect sensitive user data. tween pairs of participants’ phones over time, we compare a) Decentralized design: The former approach is exem- detected proximity and contact events in a semi-controlled plified by Safe Path [6], DP3T [7], and Covid-Watch [3]. event: a real-world academic gathering, the ground truth of Safe Path logs a user’s movement routes in his/her mobile which will be carefully recorded. We recruited a total of 80 device and only exports that data to health authorities if that participants to use one Bluetooth-based contact-tracing app, user is diagnosed with the virus. When this happens, the which we modified from Covid-Watch-TCN, in our controlled exported dataset is first redacted to ensure privacy, and then (30 participants) and semi-controlled (50 participants) settings. is broadcast to other users to allow them to self-determine Our modifications allowed us to collect ground-truth data their likelihood of having been exposed. Rather than capturing and the phones’ usage logs. After both experimental phases and storing route information, DP3T and Covid-Watch contin- were completed, we also conducted a followup survey with uously broadcasts ephemeral Bluetooth identities, which are participants to enrich the data we had already obtained. published to other relevant users in the event of a positive This paper will address the following questions: diagnosis, again to aid their individual risk calculations. Many of them have been deployed in the wild, but their effectiveness • RQ1. Can the app reliably estimate the distance between is yet to be investigated, partially due to the lack of empirical its users based on Bluetooth RSSI under different crowd studies. parameters, e.g., standing still vs. walking, with or with- b) Cryptographic algorithms: The second, cryptography- out physical barriers, varying interpersonal distances, and based approach has been adopted by Private Set Intersection the presence of jamming? (PSI) [8] and TraceSecure [9]. PSI enables two parties to • RQ2. How accurately does the app detect proximity compute the intersection of their data in a privacy-preserving and contact events in realistic crowd environments, as way, with only the common data values being revealed. The compared with the ground truth of such