Overview on privacy-preserving

Mario Lassnig, CERN EP-ADP

Tracing introduction

● Significantly reduce the time it takes to communicate infections
  ○ Person can be contagious without knowing
  ○ Figure out the ones who don't show symptoms yet, notify them, and quarantine them
  ○ Eventually reduce the duration of widespread lockdowns
  ○ Introductory video (A. Ronacher) and comic (N. Case)
● Typically done by health officials (sometimes with legal leverage)
  ○ Using tedious manual tracing
  ○ Endangering the tracer's health
  ○ Potentially spreading from traced infected persons
● Singapore reacted a bit differently
  ○ Leverage smartphones for automated tracing
  ○ Epidemic control seems to work! Ferretti et al.

2020-04-16 Mario Lassnig :: science-responds.org :: Privacy-aware contact tracing 2

Apps

● Selection of deployed tracing apps
  ○ Singapore: TraceTogether with first public protocol BlueTrace
  ○ China: mandatory, uses proprietary Alipay with the expected privacy concerns
  ○ Australia: rumoured to be built on OpenTrace, but custom proprietary solution
  ○ Austria: Red Cross Austria, proprietary
  ○ Czech Republic: eRouška / GitHub as part of the Czech Smart Quarantine System
  ○ Israel: includes opt-in location awareness / GitHub
  ○ Russia: geofencing app for confirmed infected (Interview with Health Minister)
  ○ more can be found here

● Additional apps were developed, mostly for self-diagnosis
  ○ Self-check of symptoms based on flowcharts or questionnaires
  ○ Recommendations on how to interact with emergency services, care workers, hospitals, etc. if infection is likely

Frameworks

● BlueTrace/OpenTrace: https://bluetrace.io/
  ○ Needs central authority
● Temporary Contact Numbers (TCN) Protocol: https://tcn-coalition.org/
  ○ Decentralised protocol
● Contact Event Numbers (CEN) Protocol
  ○ Hardened version of the TCN principles for the broadcast, report and scan phase
  ○ US-centric: CovidWatch & Co-Epi
● Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT)
  ○ https://www.pepp-pt.org/
  ○ Coordination initiative, testing of apps, integration with health officials
● Decentralized Privacy-Preserving Proximity Tracing (DP-3T): https://github.com/DP-3T
  ○ Hardened version of the TCN principles for the broadcast, report and scan phase
  ○ Was submitted to PEPP-PT and will most likely become the reference implementation

Frameworks

● MIT protocol variant uses GPS+Bluetooth
  ○ Focuses on location-based gathering
  ○ http://safepaths.mit.edu/ built on http://privatekit.mit.edu/
● Joint Google/Apple Proposal
  ○ https://www.apple.com/covid19/contacttracing
  ○ Based on an early iteration of DP-3T ("Low-cost decentralized proximity tracing")
  ○ According to the DP-3T authors, there have been substantial improvements since that early version and they'd like to see Apple/Google "upgrade" to DP-3T
  ○ Expected that both companies also open up more OS APIs in the future
  ○ Main problem right now is that iOS phones do not allow background BLE apps

What can go wrong?

● DP-3T security analysis showed one glaring flaw for TCN-like approaches
  ○ Open protocol, everyone can develop adversary apps which can exploit Bluetooth flaws
  ○ Gather more data from contacts than they want
  ○ Can only be mitigated through TPM, which is a deployment challenge
    ■ e.g., who is the authority that keeps the master key?
    ■ how do you protect the master key?
    ■ what to do with electronics without TPM chips?
● Additional flaws include potential replay attacks, timing attacks, or coercion attacks
  ○ Typically mitigated through counter timing mechanisms
  ○ But delaying notifications goes against the objective of the app…
● Potential future variant
  ○ An evolved combined version of CEN and DP-3T that addresses these flaws
  ○ Running on new dedicated OS APIs
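The following is an added example, not code from the slides or from the DP-3T/TCN projects. It sketches the decentralised flow the Frameworks slides describe (a daily secret key that is ratcheted forward, ephemeral identifiers derived from it and broadcast over BLE, local matching after an infected user publishes only their key) and the timing check against replayed beacons mentioned on this slide. Everything concrete is an assumption for illustration: 15-minute epochs, 16-byte EphIDs, a 5-minute clock-skew tolerance, the EphID being bound to its epoch index (the real designs randomise the order within a day), and all keys and timestamps are constructed.

```python
"""Added illustration of a decentralised, DP-3T/TCN-style proximity-tracing
exchange with a timing check against replayed beacons.  Simplified teaching
code, not the DP-3T or TCN reference implementation; epoch length, tolerance,
key sizes and all timestamps/keys below are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

DAY_SECONDS = 24 * 60 * 60
EPOCH_SECONDS = 15 * 60                        # assumed: one EphID per 15-minute epoch
EPOCHS_PER_DAY = DAY_SECONDS // EPOCH_SECONDS  # 96
EPHID_LEN = 16                                 # assumed 128-bit ephemeral identifiers
REPLAY_TOLERANCE = 5 * 60                      # assumed clock-skew allowance


def next_day_key(sk: bytes) -> bytes:
    """Ratchet the daily secret key: SK_t = H(SK_{t-1}).  Publishing SK_t lets
    others derive day t and later days, but never earlier ones."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk: bytes) -> List[bytes]:
    """Derive the day's EphIDs: PRF(SK_t, "broadcast key") seeds a counter-mode
    PRG whose output is cut into EPHID_LEN-byte identifiers.  Simplification:
    EphID i is bound to epoch i (the real designs randomise the order)."""
    seed = hmac.new(sk, b"broadcast key", hashlib.sha256).digest()
    return [
        hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()[:EPHID_LEN]
        for i in range(EPOCHS_PER_DAY)
    ]


def broadcast_ephid(sk: bytes, day_start: int, now: int) -> bytes:
    """The EphID a phone puts in its BLE beacon during the current epoch."""
    epoch = (now - day_start) // EPOCH_SECONDS
    return ephids_for_day(sk)[epoch]


@dataclass(frozen=True)
class Observation:
    """What a receiving phone stores locally: the EphID it heard and when.
    Nothing in it identifies the sender until a matching key is published."""
    ephid: bytes
    seen_at: int  # unix time of reception


def match_observations(
    uploaded_sk: bytes, first_day_start: int, num_days: int,
    observations: List[Observation],
) -> Tuple[List[Observation], List[Observation]]:
    """Run on the receiving phone after an infected user publishes SK for the
    first contagious day.  Re-derives that user's EphIDs locally and returns
    (confirmed contacts, observations rejected by the timing check).  An EphID
    heard outside its own epoch (plus tolerance) is treated as a replay."""
    table: Dict[bytes, Tuple[int, int]] = {}
    sk = uploaded_sk
    for day in range(num_days):
        for epoch, ephid in enumerate(ephids_for_day(sk)):
            table[ephid] = (day, epoch)
        sk = next_day_key(sk)

    matches: List[Observation] = []
    rejected: List[Observation] = []
    for obs in observations:
        hit = table.get(obs.ephid)
        if hit is None:
            continue  # beacon from someone who published no key: stays private
        day, epoch = hit
        start = first_day_start + day * DAY_SECONDS + epoch * EPOCH_SECONDS
        end = start + EPOCH_SECONDS
        if start - REPLAY_TOLERANCE <= obs.seen_at < end + REPLAY_TOLERANCE:
            matches.append(obs)
        else:
            rejected.append(obs)
    return matches, rejected


def demo() -> Dict[str, int]:
    """Two days of constructed traffic between Alice (later infected), Bob
    (receiver), Carol (never infected) and a replaying adversary."""
    day0 = 1_586_995_200  # constructed: 2020-04-16 00:00:00 UTC
    day1 = day0 + DAY_SECONDS
    alice_sk0 = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    alice_sk1 = next_day_key(alice_sk0)
    carol_sk0 = hashlib.sha256(b"another constructed demo key").digest()

    bob_log = [
        # genuine contact on day 0 at 10:00
        Observation(broadcast_ephid(alice_sk0, day0, day0 + 10 * 3600), day0 + 10 * 3600 + 30),
        # genuine contact on day 1 at 14:00 (Alice's key has been ratcheted)
        Observation(broadcast_ephid(alice_sk1, day1, day1 + 14 * 3600), day1 + 14 * 3600 + 10),
        # adversary re-broadcasts Alice's 10:00 beacon ten hours later
        Observation(broadcast_ephid(alice_sk0, day0, day0 + 10 * 3600), day0 + 20 * 3600),
        # unrelated contact with Carol, who never publishes a key
        Observation(broadcast_ephid(carol_sk0, day0, day0 + 11 * 3600), day0 + 11 * 3600 + 5),
    ]

    # Alice tests positive and publishes only SK for day 0 plus the day count;
    # Bob's observations never leave his phone.
    matches, rejected = match_observations(alice_sk0, day0, 2, bob_log)
    return {"matches": len(matches), "rejected_replays": len(rejected),
            "stored_observations": len(bob_log)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives two confirmed contacts, one rejected replay and four stored observations. The design point is where data crosses a trust boundary: only the infected user's daily key is published, the receiving phone's log stays local, and Carol's beacon is never resolvable by anyone. The timing check is exactly the trade-off the slide notes: a looser tolerance admits more replays, a tighter one risks dropping genuine contacts whose phones have skewed clocks.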

Words of warning

● Underlying technological assumption is flawed (e.g., ARGE Daten)
  ○ BLE not precise enough for what is needed
● Does not help the population who needs it (e.g., New Humanitarian)
  ○ The at-risk population typically does not consist of heavy mobile electronics users
● Sustainable data privacy (e.g., Amnesty, FFiF, CCC, Privacy International, RSF)
  ○ False positives can lead to forced isolation of individuals
  ○ Behavioural profiling and compliance scoring can lead to targeted attacks
  ○ De-anonymisation of patients possible with easily obtainable additional metadata
  ○ No legal incentives to comply with limited data retention
  ○ Restrictions of personal freedoms when not using the app
  ○ Commercial tracking and/or selling of proximity data
  ○ Usage of proximity data for secondary investigations
  ○ Widespread injection of false positives by foreign adversaries
