CyberSec&AI Connected 2021 | BLOG

The positive development of a privacy preserving contact tracing protocol

By Carmela Troncoso
“We are going to be introducing a new infrastructure into the world, so we need to make sure that we are going to do this without introducing new problems”, says EPFL Professor Carmela Troncoso.

Since the beginning of the year, we have watched COVID-19 cases fluctuate around the world, turning countries from yellow to red on interactive, color-coded infection maps. While the global race for a vaccine is apparently reaching its first significant milestone, a key tactic in slowing down infections to date has been the use of contact tracing apps. These have been developed to help delay the spread of the virus by alerting users, via their mobile, that they have come into contact with someone who has tested positive and could therefore be at risk.

As well intended as they are, digital contact tracing applications pose a significant risk to users’ personal information. Poor security or design could see thousands, even millions, of people’s privacy exposed.

Professor Carmela Troncoso from EPFL Switzerland spoke at Avast’s CyberSec&AI Connected virtual conference after spending six grueling months developing the first large-scale privacy-preserving contact tracing protocol, DP3T. The developers’ focus was not only to help contain the pandemic, but to ensure users’ identities, location, and behaviors remained hidden.

A huge sprint  

Getting a startup up and running in Agile within six months is a daunting task, especially when faced with the realities and restrictions of working in a pandemic. Troncoso detailed how the first three months of the process were dedicated to working on the DP3T protocol itself, followed by integration of the digital contact tracing application into the health system during the next three months.

Troncoso explained that they had to create a design very fast under tight deadlines, while, externally, the continuing spread of the virus around the world ramped up the pressure to release a working product. The team needed to be able to verify quickly that no mistakes were made in the design itself, nor in its implementation, so it could work reliably on a huge scale.

A clear goal

Troncoso emphasized that digital contact tracing is meant to complement manual contact tracing to notify users that they have been exposed to COVID-19 in a more timely, efficient, and scalable manner.

She explicitly mentioned that the purpose is “not to identify people in the traditional sense, but just to notify those people that have been exposed to the virus.” Users’ privacy and security are of the utmost importance, which is why this protocol ensures that the process of receiving the information hides the individual’s identity, their location, and their behaviors. The protocol is also designed to securely hide who COVID-positive users are, and those who have come in contact with them.

The DP3T protocol works in five stages to guarantee users’ privacy:


Privacy and security by design  

The presentation addressed the unique challenges faced in creating an app to help fight a pandemic. Troncoso spoke of the consequences of poor security implementation. False alarms raised by the app, for instance, would lead to lack of trust in the system and make people less inclined to use it, a scenario that would drastically undermine the fight against COVID-19.

The full presentation, as well as the live Q&A that followed, will be available later in the year on our YouTube channel. However, registered CyberSec&AI Connected delegates can visit our Virtual Library to view it.

Random codes do not depend on your identity, but on the key that your phone generates.
