Decentralized Privacy-Preserving Proximity Tracing Explained

Decentralized Privacy-Preserving Proximity Tracing
Introdate:[1]
Industry:Digital contact tracing
Hardware:Android & iOS smartphones
Range:~10m (30feet)[2]
Website:https://github.com/DP-3T/documents

Decentralized Privacy-Preserving Proximity Tracing (DP-3T, stylized as dp3t) is an open protocol developed in response to the COVID-19 pandemic to facilitate digital contact tracing of infected participants.[3] [4] The protocol, like competing protocol Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), uses Bluetooth Low Energy to track and log encounters with other users.[5] [6] The protocols differ in their reporting mechanism, with PEPP-PT requiring clients to upload contact logs to a central reporting server, whereas with DP-3T, the central reporting server never has access to contact logs nor is it responsible for processing and informing clients of contact.[7] Because contact logs are never transmitted to third parties, it has major privacy benefits over the PEPP-PT approach;[8] [9] however, this comes at the cost of requiring more computing power on the client side to process infection reports.[10]

The Apple/Google Exposure Notification project is based on similar principles as the DP-3T protocol, and supports a variant of it since May 2020.[11] [12] [13] Huawei added a similar implementation of DP-3T to its Huawei Mobile Services APIs known as "Contact Shield" in June 2020.[14]

The DP-3T SDK and calibration apps intend to support the Apple/Google API as soon as it is released to iOS and Android devices.[15] [16]

On the 21 April 2020, the Swiss Federal Office of Public Health announced that the Swiss national coronavirus contact tracing app will be based on DP-3T.[17] On the 22 April 2020, the Austrian Red Cross, leading on the national digital contact tracing app, announced its migration to the approach of DP-3T.[18] Estonia also confirmed that their app would be based on DP-3T.[19] On April 28, 2020, it was announced that Finland was piloting a version of DP-3T called "Ketju".[20] In Germany, a national app is being built upon DP-3T by SAP SE and Deutsche Telekom alongside CISPA, one of the organisations that authored the protocol.[21] As of September 30, 2020, contact tracing apps using DP-3T are available in Austria, Belgium, Croatia, Germany, Ireland, Italy, the Netherlands, Portugal and Switzerland.[22]

Overview

The DP-3T protocol works off the basis of Ephemeral IDs (EphID), semi-random rotating strings that uniquely identify clients.[23] When two clients encounter each other, they exchange EphIDs and store them locally in a contact log.[24] Then, once a user tests positive for infection, a report is sent to a central server. Each client on the network then collects the reports from the server and independently checks their local contact logs for an EphID contained in the report. If a matching EphID is found, then the user has come in close contact with an infected patient, and is warned by the client. Since each device locally verifies contact logs, and thus contact logs are never transmitted to third parties, the central reporting server cannot by itself ascertain the identity or contact log of any client in the network. This is in contrast to competing protocols like PEPP-PT, where the central reporting server receives and processes client contact logs.[25]

Ephemeral ID

Similar to the TCN Protocol and its Temporary Contact Numbers, the DP-3T protocol makes use of 16 byte Ephemeral IDs (EphID) to uniquely identify devices in the proximity of a client. These EphIDs are logged locally on a receiving client's device and are never transmitted to third parties.[7]

To generate an EphID, first a client generates a secret key that rotates daily (

SKt

) by computing

SKt=H(SKt-1)

, where

H

is a cryptographic hash function such as SHA-256.

SK0

is calculated by a standard secret key algorithm such as Ed25519. The client will use

SKt

during day

t

to generate a list of EphIDs. At the beginning of the day, a client generates a local list of size

n=(24*60)/l

new EphIDs to broadcast throughout the day, where

l

is the lifetime of an EphID in minutes. To prevent malicious third parties from establishing patterns of movement by tracing static identifiers over a large area, EphIDs are rotated frequently. Given the secret day key

SKt

, each device computes

S\EphID(BK)=PRG(PRF(SKt,BK))

, where

BK

is a global fixed string,

PRF

is a pseudo-random function like HMAC-SHA256, and

PRG

is a stream cipher producing

n*16

bytes. This stream is then split into 16-byte chunks and randomly sorted to obtain the EphIDs of the day.[7]

Technical specification

The DP-3T protocol is made up of two separate responsibilities, tracking and logging close range encounters with other users (device handshake), and the reporting of those encounters such that other clients can determine if they have been in contact with an infected patient (infection reporting). Like most digital contact tracing protocols, the device handshake uses Bluetooth Low Energy to find and exchange details with local clients, and the infection reporting stage uses HTTPS to upload a report to a central reporting server. Additionally, like other decentralized reporting protocols, the central reporting server never has access to any client's contact logs; rather the report is structured such that clients can individually derive contact from the report.[7]

Device handshake

In order to find and communicate with clients in proximity of a device, the protocol makes use of both the server and client modes of Bluetooth LE, switching between the two frequently.[26] In server mode the device advertises its EphID to be read by clients, with clients scanning for servers.[27] When a client and server meet, the client reads the EphID and subsequently writes its own EphID to the server. The two devices then store the encounter in their respective contact logs in addition to a coarse timestamp and signal strength. The signal strength is later used as part of the infection reporting process to estimate the distance between an infected patient and the user.[7]

Infection reporting

When reporting infection, there exists a central reporting server controlled by the local health authority. Before a user can submit a report, the health authority must first confirm infection and generate a code authorizing the client to upload the report. The health authority additionally instructs the patient on which day their report should begin (denoted as

t

). The client then uploads the pair

SKt

and

t

to the central reporting server, which other clients in the network download at a later date. By using the same algorithm used to generate the original EphIDs, clients can reproduce every EphID used for the period past and including

t

, which they then check against their local contact log to determine whether the user has been in close proximity to an infected patient.[7]

In the entire protocol, the health authority never has access to contact logs, and only serve to test patients and authorize report submissions.

Epidemiological analysis

When a user installs a DP-3T app, they are asked if they want to opt in to sharing data with epidemiologists. If the user consents, when they are confirmed to have been within close contact of an infected patient the respective contact log entry containing the encounter is scheduled to be sent to a central statistics server. In order to prevent malicious third parties from discovering potential infections by detecting these uploads, reports are sent at regular intervals, with indistinguishable dummy reports sent when there is no data to transmit.[7]

Health authority cooperation

To facilitate compatibility between DP-3T apps administered by separate health authorities, apps maintain a local list of the regions a user has visited. Regions are large areas directly corresponding to health authority jurisdiction; the exact location is not recorded. The app will later connect these regions to their respective foreign central reporting server, and fetch reports from these servers in addition to its normal home reporting server. Apps will also submit reports to these foreign reporting servers if the user tests positive for infection.[7]

Attacks on DP-3T and criticism

Cryptography and security scholar Serge Vaudenay, analyzing the security of DP-3T[28] argued that:Vaudenay's work presents several attacks against DP-3T and similar systems. In response, the DP-3T group claim that out of twelve risks Vaudenay presents, eight are also present in centralized systems, three do not work, and one, which involves physical access to the phone, works but can be mitigated.[29] In a subsequent work[30] Vaudenay reviews attacks against both centralized and decentralized tracing systems and referring to identification attacks of diagnosed people concludes that:In the same work[30] Vaudenay advocates that, since neither the centralized nor the decentralized approaches offer sufficient level of privacy protection, different solutions should be explored, in particular suggesting the ConTra Corona,[31] Epione[32] and Pronto-C2[33] systems as a "third way".

Tang[34] surveys the major digital contact tracing systems and shows that DP-3T is subject to what he calls "targeted identification attacks".

Theoretical attacks on DP-3T have been simulated[35] showing that persistent tracking of users of the first version of the DP-3T system who have voluntarily uploaded their identifiers can be made easy to any 3rd party who can install a large fleet of Bluetooth Low Energy devices. This attack leverages the linkability of a user during a day, and therefore is possible on within a day on all users of some centralized systems such as the system proposed in the United Kingdom,[36] but does not function on 'unlinkable' versions of DP-3T where infected users' identifiers are not transmitted using a compact representation such as a key or seed.[37]

See also

References

  1. Web site: Initial commit. 2020-04-04. GitHub. 2020-04-22.
  2. Web site: Things You Should Know About Bluetooth Range. Sponås. Jon Gunnar. blog.nordicsemi.com. en-gb. 2020-04-12.
  3. News: Reuters. Rift Opens Over European Coronavirus Contact Tracing Apps. 2020-04-20. The New York Times. 2020-04-21. en-US. 0362-4331.
  4. Troncoso . Carmela . Bogdanov . Dan . Bugnion . Edouard . Chatel . Sylvain . Cremers . Cas . Gürses . Seda . Hubaux . Jean-Pierre . Jackson . Dennis . Larus . James R. . Lueks . Wouter . Oliveira . Rui . Payer . Mathias . Preneel . Bart . Pyrgelis . Apostolos . Salathé . Marcel . 2022-08-19 . Deploying decentralized, privacy-preserving proximity tracing . Communications of the ACM . 65 . 9 . 48–57 . 10.1145/3524107 . 0001-0782. free . 1822/90764 . free .
  5. Web site: BlueTrace: A privacy-preserving protocol for community-driven contact tracing across borders. Jason Bay, Joel Kek, Alvin Tan, Chai Sheng Hau, Lai Yongquan, Janice Tan, Tang Anh Quy. Government Technology Agency. 2020-04-12.
  6. Is Apple and Google's Covid-19 Contact Tracing a Privacy Risk?. Wired. 2020-04-18. en. 1059-1028.
  7. Web site: DP-3T whitepaper. GitHub. 2020-04-22.
  8. Web site: Controversy around privacy splits Europe's push to build COVID-19 contact-tracing apps. Fortune. en. 2020-04-21.
  9. News: Rift opens over European coronavirus contact tracing apps. 2020-04-20. Reuters. 2020-04-21. en.
  10. Web site: DP-3T 3 page brief. GitHub. 2020-04-22.
  11. Web site: Apple and Google update joint coronavirus tracing tech to improve user privacy and developer flexibility. TechCrunch. 24 April 2020. 2020-04-26. 4 June 2021. https://web.archive.org/web/20210604040434/https://techcrunch.com/2020/04/24/apple-and-google-update-joint-coronavirus-tracing-tech-to-improve-user-privacy-and-developer-flexibility/. live.
  12. Web site: How a handful of Apple and Google employees came together to help health officials trace coronavirus. Farr. Christina. 2020-04-28. CNBC. 2020-04-29.
  13. Web site: Coronalert: A Distributed Privacy-Friendly Contact Tracing App for Belgium . 22 April 2023. kuleuven.be. 5 August 2020.
  14. Web site: 2020-06-08. Huawei releases its "Contact Shield" API for COVID-19 contact tracing. 2020-10-07. xda-developers.
  15. Web site: DP3T-SDK for iOS. GitHub. en. 2020-05-06.
  16. Web site: DP3T-SDK for Android. GitHub. 2020-05-06.
  17. Web site: Contact tracing app could be launched in Switzerland within weeks. swissinfo.ch. S. W. I.. Corporation. a branch of the Swiss Broadcasting. SWI swissinfo.ch. en. 2020-04-21.
  18. Web site: Stopp Corona-App: Weiterentwicklung mit Hilfe der Zivilgesellschaft. OTS.at. de. 2020-04-22.
  19. Web site: How do you trace Covid-19 while respecting privacy?. 2020-04-24. e-Estonia. en-US. 2020-04-26.
  20. Web site: Vaasa Central Hospital pilots the Ketju application for helping in the identification of coronavirus exposures. Sitra. 28 April 2020 . en-GB. 2020-04-29.
  21. Web site: Corona-Tracking: Helmholtz-Zentrum erwartet Start der Corona-App in den nächsten Wochen. www.handelsblatt.com. de. 2020-04-29.
  22. Web site: FAQ - Does Coronalert also work abroad?. 2020-09-30. Coronalert. en-US.
  23. Web site: France's Inria and Germany's Fraunhofer detail their ROBERT contact-tracing protocol. TechCrunch. 20 April 2020. en-US. 2020-04-22.
  24. Web site: Protecting Lives & Liberty: How Contact Tracing Can Foil COVID-19 & Big Brother. ncase.me. 2020-04-19.
  25. Web site: TraceTogether: under the hood. Liauw. Frank. 2020-04-09. Medium. en. 2020-04-18.
  26. Web site: DP-3T/dp3t-sdk-android/dp3t-sdk/sdk/src/main/java/org/dpppt/android/sdk/internal/TracingService.java. GitHub. en. 2020-04-24.
  27. Web site: What is a client and server in BLE?. Nordic DevZone. 2 July 2013 . en. 2020-04-24.
  28. Web site: Analysis of DP3T Between Scylla and Charybdis. IACR ePrint archive. 2020-05-07.
  29. Web site: Response to 'Analysis of DP3T: Between Scylla and Charybidis'. The DP-3T Project. GitHub. 23 April 2020.
  30. Web site: Centralized or Decentralized? The Contact Tracing Dilemma. IACR ePrint archive. 2020-05-07.
  31. Web site: ConTra Corona: Contact Tracing against the Coronavirus by Bridging the Centralized Decentralized Divide for Stronger Privacy. IACR ePrint archive. 2020-05-09.
  32. Lightweight Contact Tracing with Strong Privacy. 2004.13293. Trieu. Ni. Shehata. Kareem. Saxena. Prateek. Shokri. Reza. Song. Dawn. 2020. cs.CR.
  33. Web site: Towards Defeating Mass Surveillance and SARS-CoV-2: The Pronto-C2 Fully Decentralized Automatic Contact Tracing System. IACR ePrint archive. 2020-05-07.
  34. Privacy-Preserving Contact Tracing: current solutions and open questions. 2004.06818. Tang. Qiang. 2020. cs.CR.
  35. Web site: BLE contact tracing sniffer PoC. github. 2020-05-07.
  36. Web site: NHS COVID App: Application and system architecture. github. 2020-05-08.
  37. Web site: Privacy and Security Attacks on Digital Proximity Tracing Systems. github. 2020-05-08.

External links