Privacy by Design from Theory to Practice in the Context of COVID-19 Contact Tracing

Prof. Carmela Troncoso @carmelatroncoso https://spring.epfl.ch/

13.01.2020 Technology to help with 2 pandemic contention Carmela Troncoso Carmela . Manual tracing overwhelmed

. The need • A complement to notify users that have been exposed to COVID19 and they are at risk of infection

• In a timely, efficient, and scalable manner The constraints: 3 Security and Privacy Carmela Troncoso Carmela

. Protect from misuse (surveillance, manipulation, etc) • Purpose limitation by default

Seda Gurses, Carmela Troncoso, Claudia Diaz. Engineering Privacy by Design.Computers, Privacy & Data Protection. 2011 The constraints: 4 Security and Privacy Carmela Troncoso Carmela

January 2021 The constraints: 5 Security and Privacy Carmela Troncoso Carmela The constraints: 6 Security and Privacy Carmela Troncoso Carmela . Protect health-related data . Protect from misuse (surveillance, manipulation, etc) • Purpose limitation by default • hide users identity, location, and behavior (social graph)

. Preserve system integrity • Prevent false alarms & Denial of Service

Seda Gurses, Carmela Troncoso, Claudia Diaz. Engineering Privacy by Design.Computers, Privacy & Data Protection. 2011 The “hidden” constraint 7 Reality Carmela Troncoso Carmela

. High scalability and reliability

. Design under time pressure! • Need fast, robust verification . KISS principle: Keep It Simple Stupid . Avoid new technologies or non-mainstream • Use existing infrastructure . BLE beacons

. Dependencies, dependencies, dependencies

Blagovesta Kostova, Seda Gürses, Carmela Troncoso. Privacy Engineering Meets Software Engineering. On the Challenges of Engineering Privacy By Design Apps Maintenance - - - Key: ideas

and support A collaborative Decentralization of matching operations for privacy and purpose limitation purpose and privacy for operations matching of Decentralization unlinkability for Cryptography devices by recorded broadcast/ beacons BLE (some members) (some 2020 March April 2020 2020 April May 2020 2020 May July/August 2020 2020 July/August June 2020 2020 June Since September September Since August/September 2020 2020 August/September – – – – Final version DP3T version Final GAEN is announced is GAEN Pilots EU apps EU Pilots Start DP3T Start – – CT Apps launching CT Apps Presence tracing Presence Immunity Certificates – (continued) (continued) Towards interoperability EU sprint Marathon Ironman

Carmela Troncoso 8 The system design 9

The theory… . The App creates a secret key (SK) and

from this key it derives random Troncoso Carmela identifiers (EphIDs) that it broadcasts via Bluetooth . Secret keys are rotated every day SKt+1=H(SKt)

. EphID1 || ... || EphIDn = PRG(PRF(SKt,“broadcast key”) )

Iu&^#&980 . A random identifier is used for a limited amount of time A . Without the key, no-one can link two identifiers

https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf Reality 10 Use existing infrastructure Carmela Troncoso Carmela

. Battery and CPU usage • Limited round trips • Google and Apple must be involved

. Run in the background • Apple must be involved

. Compatibility Android - iOS • Google and Apple must be involved

. Google and Apple implement the protocol and the API • Implications on privacy engineering • Implications for epidemiology and exposure estimation (no time in this talk…) • Implications for privacy when internationalizing (no time in this talk…)

Blagovesta Kostova, Seda Gürses, Carmela Troncoso. Privacy Engineering Meets Software Engineering. On the Challenges of Engineering Privacy By Design 11 The system design . The App creates a secret every day (TEK) and from this key it derives The practice random identifiers (RPIs) that it

Google and Apple decide broadcasts via Bluetooth Troncoso Carmela . A random identifier is used for a limited amount of time . Without the key, no-one can link two identifiers time

Key Iu&^#&980 derivation AES function

RPI Metadata A Key TEK derivation AES function info

https://blog.google/documents/69/Exposure_Notification_-_Cryptography_Specification_v1.2.1.pdf The system design 13

Lyvdka((@

SEEN NUMBERS ... B Iu&^#&980 Kja&#^@hk ... Iu&^#&980

A SEEN NUMBERS ... Kja&#^@hk Lyvdka((@ ...

SEEN NUMBERS C ... Lyvdka((@ ... The system design 14

AC,Keys

AC The system design 15

Keys (from all positive users) You’ve been exposed to COVIDLyvdka((@-positive people. Take action SEEN NUMBERS ... B Iu&^#&980 Kja&#^@hk ...

C 16 The system design Only information that ever leaves the phone are the TEKs broadcasted during the contagious period.

Keys (from all positive users) You’ve been exposed No identity, no location, no to COVIDLyvdka((@-positive people. Take action information about others SEEN NUMBERS ... B Iu&^#&980 AC,Keys Kja&#^@hk ... No information available for Iu&^#&980 abuse

A SEEN NUMBERS ... System sunsets-by-design Kja&#^@hk Lyvdka((@ ...

SEEN NUMBERS C AC ... Lyvdka((@ ... The system design 17

Societal impact Health system

Law

App

Mobile Epidemi OS ology Authorization mechanism 18 Theory

. Crucial for security: only true positives can upload Troncoso Carmela • Desired properties: . Privacy . Hard to delegate

• Crypto FTW! commit to content in authorization token!

Secure Upload Authorisation for Digital proximity tracing. DP-3T project. https://github.com/DP-3T/documents/blob/master/DP3T%20-%20Upload%20Authorisation%20Analysis%20and%20Guidelines.pdf Authorization mechanism 19 Practice

. Crucial for security: only true positives can upload Troncoso Carmela • Desired properties: . Privacy . Hard to delegate

• Crypto FTW! commit to content in authorization token!

A . Health systems/staff are not digitalized everywhere • Simple activation codes sent via phone/mail/sms • Different level of automatization • Belgium went for (light) commitments! AC

AC,Keys

AC Privacy of uploads 21 Theory Existence of upload Carmela Troncoso Carmela

the user is COVID+

AC,Keys DP3T design paper

https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf Privacy of uploads 22 Practice

. Unknown environment Troncoso Carmela • What is users’ behavior?

. Constraints associated to the platform • Bandwidth AC,Keys • Server capacity • Battery

A . Anonymity and delays not possible

AC Plausible deniability (constant time & size)

https://github.com/DP-3T/documents/blob/master/DP3T%20-%20Best%20Practices%20for%20Operation%20Security%20in%20Proximity%20Tracing.pdf Privacy of uploads 23 Practice – there is authentication! Carmela Troncoso Carmela

. Dummies also must realize the token,Keys authentication step token • Servers must consider dummies • Ensure equal timing and volume AC AC A

https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf Privacy of uploads 24 Practice – . Exposure Notification API (

token token’ . Implications on authorization and token keys-1 last key dummy strategy AC AC • Cannot delay all keys! • Dummies must mimic second upload

AC . Phone does not always wake up… Privacy of uploads 25 Practice – servers don’t exist in the vacuum

token’

token token’ keys-1 token last key

AC AC

. Load Balancer, Firewall • More information than expected! • Off the shelf cloud managing tools

. Careful design of logging to avoid forensics • Coarse logging at key server • Only counts logged for statistics . e.g, active users based on dummy traffic

. Logging strategy re-designed N times

https://github.com/DP-3T/documents/blob/master/DP3T%20-%20Best%20Practices%20for%20Operation%20Security%20in%20Proximity%20Tracing.pdf https:// www.medrxiv.org/content/10.1101/2020.12.21.20248619v1.full.pdf https://www.ebpi.uzh.ch/dam/jcr:5fc56fb7 https://github.com/digitalepidemiologylab/swisscovid_efficacy/blob/master/SwissCovid_efficacy_MS.pdf https://www.experimental.bfs.admin.ch/expstat/en/home/innovative Where is is Wherethis deployed? Field experimentFieldZurichOctober 2020 in COVID ~18000 1.87 • • • • • Millionactive users (~22% population) Speed: ~1 day faster notification for non - for notification faster day ~1 Speed: Manual to Contact respect positives with Tracing of 5% in Zurich notification positive after in 10tested 1 quarantine sent 22% - COVID 80% -3e7e -40bf - -8df4 positive users uploaded their keys in December (15% of PCR in Switzerland)usersin positive uploaded DecemberPCR their keysinof (15% positive upload positive app users codes their -1852a067a625/Estimation%20of%20SwissCovid%20effectiveness%20for%20the%20Canton%2 -methods/swisscovid -monitoring.html -app household exosures (70% (70% cases) the of 0of%20Zurich%20in%20September%202020_V1.5.pdf 27 Carmela Troncoso 28 Key lessons Carmela Troncoso Carmela

. Data is not a must!

. Privacy engineering goes well beyond crypto

. Privacy engineering in an agile/service world is exhausting • Platforms and requirements continuously change

. Good socio-technical integration is key to success and it is hard • Purpose limitation and abuse prevention is a must . . . Digital contact tracing solved? tracing contact Digital here go Where to from Can we eliminate beacon we eliminate Can trust? reduce least At dependency Google/Apple • • • • • Device beeliminated? Can it Without Google and Apple’s collaboration? and Apple’s Google Without them? seeing without libraries their we verify Can keys? the of randomness the Can we verify based contact tracing is a possibility? (free from Bluetooth?!) from (free possibility? a is tracing -based contact authentication related attacks? related -authentication (and also Amazon!) also (and 29 Carmela Troncoso More technologies to theMore technologies rescueto here still The pandemic is Implementations appearing . . . Register of (any) events Unique identifiers (phone / name / address) Databases positiveof and negative and people 30 Carmela Troncoso (link towhite paper at the bottom) (new pairing- https More technologies to theMore technologies rescueto here still The pandemic is :// basedversion soon!) notify - me.ch/en Our proposal . . . Abuse preventiondesign by -CoV for SARS Privacy Privacy for users (from locations, databases) -2 -positive location 31 Carmela Troncoso More technologies to theMore technologies rescueto here still The pandemic is Implementations ??? . Danger of… . . . . function creep discrimination g central database lobal tracking of users 32 Carmela Troncoso More technologies to theMore technologies rescueto here still The pandemic is purposedesign by (nor the longstanding (nor Cannot limit the the limit Cannot impact) 33 Carmela Troncoso Post-doctoral position SPRING Lab

Do you want to use your crypto skills to deploy socially-responsible technologies?

Come help us in our privacy-engineering efforts. Example partners:

Position for 1 year (extendable)

More info: https://spring.epfl.ch/ Our projects: https://github.com/spring-epfl

Applying: email [email protected]