Since the beginning of the year, we have watched COVID-19 cases fluctuate around the world, turning countries from yellow to red on interactive infection color coded maps. While the global race for a vaccine is apparently reaching its first significant milestone, a key tactic in slowing down infections to date has been the use of contact tracing apps. These have been developed to help delay the spread of the virus by alerting users, via their mobile, that they have come into contact with someone who has tested positive — and could therefore be at risk.
As well intended as they are, digital contact tracing applications pose a significant risk to users’ personal information. Poor security or design could see thousands, even millions, of people’s privacy exposed.
Professor Carmela Troncoso from EPFL Switzerland spoke at Avast’s CyberSec&AI Connected virtual conference after spending six grueling months developing the first large-scale privacy-preserving contact tracing protocol, DP3T. The developers’ focus was not only to help contain the pandemic, but also to ensure that users’ identities, locations, and behaviors remained hidden.
A huge sprint
Getting a startup up and running in Agile within six months is a daunting task, especially given the realities and restrictions of working during a pandemic. Troncoso detailed how the first three months of the process were dedicated to the DP3T protocol itself, and the following three months to integrating the digital contact tracing application into the health system.
Troncoso explained that the design had to be created very fast under tight deadlines, while, externally, the continuing spread of the virus around the world ramped up the pressure to release a working product. The team needed to verify quickly that no mistakes had been made in the design itself or in its implementation, so that it could work reliably at huge scale.
A clear goal
Troncoso emphasized that digital contact tracing is meant to complement manual contact tracing, notifying users that they have been exposed to COVID-19 in a more timely, efficient, and scalable manner.
She explicitly mentioned that the purpose is “not to identify people in the traditional sense, but just to notify those people that have been exposed to the virus.” Users’ privacy and security are of the utmost importance, which is why the protocol ensures that the process of receiving the information hides the individual’s identity, location, and behaviors. The protocol is also designed to securely hide who the COVID-positive users are and who has come into contact with them.
The DP3T protocol works in five stages to guarantee users’ privacy:
Privacy and security by design
The presentation addressed the unique challenges of creating an app to help fight a pandemic. Troncoso spoke of the consequences of poor security implementation: false alarms raised by the app, for instance, would lead to a lack of trust in the system and make people less inclined to use it, a scenario that would drastically undermine the fight against COVID-19.
The full presentation, as well as the live Q&A that followed, will be available later in the year on our YouTube channel. In the meantime, registered CyberSec&AI Connected delegates can view it in our Virtual Library.