Contact tracing: what it is and how it works

In this article we analyze contact tracing apps: how they work, the protocols available and the risks associated with the use of this technology.

The contents of the article

  • The three “Ts”: Testing, Tracing and Treating
  • The Bluetooth beacons
  • How contact tracing works
  • The quality of the contact
  • The protocols available
  • The Italian choice
  • The choices of other countries
  • The associated risks
  • Are there other technologies?
  • Live Streaming
  • References
  • Conclusions

Are you wondering what a contact tracing app is? Would you like to learn more about how it works, the protocols available and the risks associated with the use of this technology?

In this article I will try to clarify the characteristics of this technology, chosen by governments around the world to counter the spread of the coronavirus pandemic.

After more than two months of lockdown, after having seen hundreds of programs, listened to virologists, epidemiologists, doctors and former patients, and read articles and news, I think it is clear to everyone that the fight against covid-19 must follow several paths, which can be summarized with the now famous axiom of the three “T’s”: Test, Trace and Treat.

The three “Ts”: Testing, Tracing and Treating

This means that it is necessary to carry out tests on the population (swabs, serological tests, …), trace contacts using technology (Trace) and finally work on the treatment (Treat) of the patient with adequate medicines, care and intensive care.

While waiting for a vaccine (it is not yet clear if and when there will be one), it is essential that each state works well on all three “T’s”.

In this article I will talk about the second “T”, “Trace”, that is contact tracing: how it works, what protocols exist and what implications, including for security, the adoption of this technology on a global scale could have.

The Bluetooth beacons

To understand how contact tracing works, it helps to take a small step back and talk about “beacon” technology based on BLE (Bluetooth Low Energy).

This technology, based on Bluetooth, involves two “actors”: a presenter (the beacon device) and a receiver (a smartphone app).

The beacon device (presenter) can take various shapes, including designer ones, but its main characteristic is that it transmits, at regular intervals, a UUID (B9407G30-H5F8-944E-AFG9-34557A56FE6D) together with two numerical values (major and minor) that allow beacons to be classified.

The smartphone app (receiver), on the other hand, receives the message transmitted by the beacon and, based on the information received, is able to “do” things.

Normally these technologies are used for museum apps, for information apps in shopping centers or for geofencing in areas not covered by GPS (e.g. in subways).

How contact tracing works

Contact tracing works with a single app that acts as both presenter (a beacon that transmits) and receiver (software able to receive).

Basically there is no separate passive object (beacon) and active object (app): the smartphone, or rather its hardware and software, can perform both roles, so installing the app on a mobile phone makes it both presenter and receiver.

In this way, when two smartphones enter each other's Bluetooth activation area, each transmits its own UUID and receives the other's. For such “delicate” apps, the UUID is not static, but changes at regular intervals to increase the level of security and privacy of the process.

This is a typical contact tracing use case (source: Wikipedia).

As can be seen clearly from the use case, subject A, who has the coronavirus without showing symptoms, comes into direct contact with B at home, C and D on the train, and E, F and G at work, and only indirectly with H and I.

When subject A discovers that he has the coronavirus, he will have to transmit the list of his contacts, in anonymous and encrypted form, to the health authorities via the app.

In this way, subjects B, C, D, E, F and G will be automatically flagged as having come into contact with a positive subject, and will therefore be able to activate a whole series of protocols such as self-isolation, swab testing and temperature monitoring.

Subjects H and I will be reported as having come into contact with a positive subject but as being at low risk of contamination due to the distance and probably the duration of the contact.

The quality of the contact

The concept of contact quality is something about which many, including myself, are raising doubts and perplexities.

What is meant by contact quality? 

The quality of the contact is an index directly proportional to the probability that a contact led to subject A infecting subject B.

What does the quality of the contact depend on?

The quality of the contact depends on many factors, some of which cannot be detected with Bluetooth alone, and which we can summarize as follows:

  • Duration of contact: obviously it is one thing for two people to be in contact for 30 seconds and quite another for an hour. This feature is very easy to verify with Bluetooth.
  • Proximity of the contact: proximity is also a very important indication. Considering that the BLE activation area is about 100 m, it is clear that it is one thing to be 30 meters apart and another to be 20 cm apart. This feature is very easy to verify with Bluetooth.
  • Signal strength: this is also a very important aspect, and it depends directly on whether or not there are barriers between one subject and another. This feature is more complex to verify. To date we know that the engineers of Apple and Google are working on it and that the new APIs will allow us to act on this too, as they plan to introduce a Bluetooth signal strength threshold to exclude irrelevant contacts.
  • Place of contact: the place could be of decisive importance; just think of the difference between having come into contact with a positive person on a beach and in a hospital. This feature, however, cannot be analyzed with Bluetooth alone, as it gives us no information on “where” the contact took place. To do this we would need GPS tracking (latitude and longitude), but to date none of the apps and protocols adopted by democratic states provides this functionality.
  • Centralized or decentralized analysis: the analysis of the contact between A and B can be done directly on the device (decentralized analysis) or it can be deferred to the central server when the information is transmitted (centralized analysis). These two approaches are raising many conflicting opinions, also in relation to the various protocols adopted, which we will analyze in the next section. For now, just know that a decentralized analysis could lose something from a computational point of view but gain a lot in security and privacy, while a centralized analysis could gain a lot in computing power but leave open doubts about privacy and security.
  • Algorithm quality: it seems obvious, but in reality it is not at all. A good contact analysis algorithm will be able to discard the irrelevant contacts and highlight only the really “dangerous” ones. Almost all the software development companies in the world are confronting (and often clashing over) this issue, even though Apple and Google dominate it. Still on this issue, it is important to note that there are also critical issues in the app's use of the Bluetooth API, especially on iOS, when the app is in the background. Apple and Google are also working on this by defining the new protocol for the conversation between software and Bluetooth hardware.

As you can see, many variables are at play in determining the quality of contact, along with different and contrasting technological and architectural choices.
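
An added example, not part of the original article or of any of the apps it describes: a minimal Python sketch of how duration and a signal-strength threshold can be combined to discard irrelevant contacts. The thresholds, the tuple layout and the sample sightings are assumptions constructed for illustration.

```python
from collections import defaultdict

RSSI_MIN_DBM = -70     # assumed signal-strength threshold; weaker sightings are ignored
MAX_GAP_S = 120        # assumed: a longer silence between sightings ends the encounter
RELEVANT_S = 15 * 60   # assumed: minimum cumulative duration of a relevant contact


def contact_durations(sightings):
    """Return {identifier: seconds of close contact} from (id, unix_time, rssi_dbm) tuples."""
    by_id = defaultdict(list)
    for ident, ts, rssi in sightings:
        if rssi >= RSSI_MIN_DBM:   # drop contacts behind barriers or too far away
            by_id[ident].append(ts)
    durations = {}
    for ident, stamps in by_id.items():
        stamps.sort()
        # Sum only the gaps short enough to belong to one continuous encounter.
        durations[ident] = sum(
            b - a for a, b in zip(stamps, stamps[1:]) if b - a <= MAX_GAP_S
        )
    return durations


def relevant_contacts(sightings):
    """Identifiers whose close-contact time reaches the relevance threshold."""
    return sorted(i for i, d in contact_durations(sightings).items() if d >= RELEVANT_S)


def sample_sightings():
    """Constructed sample: three received identifiers with different contact quality."""
    s = []
    # Strong signal every 60 s for 20 minutes (e.g. a seat neighbour on a train).
    s += [("train", t, -60) for t in range(0, 1201, 60)]
    # One hour of sightings, but weak signal (e.g. a neighbour behind a wall).
    s += [("wall", t, -88) for t in range(0, 3601, 60)]
    # Strong signal for only 30 seconds (e.g. someone walking past).
    s += [("passerby", 5000, -55), ("passerby", 5030, -52)]
    return s


if __name__ == "__main__":
    print(contact_durations(sample_sightings()))
    print(relevant_contacts(sample_sightings()))
```

Because identifiers rotate, each key in the result covers at most one rotation interval; place of contact is not represented at all, since Bluetooth alone does not provide it.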


The protocols available

Currently there are five frameworks (protocols) available for implementing a generic contact tracing app, as reported on this page:

  • PEPP-PT (Pan-European Privacy-Preserving Proximity Tracing)
  • GA-PPTP (Google / Apple Privacy Preserving Tracing Project)
  • DP-3T (Decentralized Privacy-Preserving Proximity Tracing)
  • Blue Trace
  • TCN

The main features of each framework are:

  • PEPP-PT: framework with proprietary specifications, closed source (not open source) and centralized control.
  • GA-PPTP: framework with open specifications, closed source (not open source) and decentralized control.
  • DP-3T: framework with open specifications, open source and decentralized control. On GitHub you can find all the specifications and the source of the project.
  • Blue Trace: framework with open specifications, open source and centralized control.
  • TCN: framework with open specifications, open source and decentralized control.

So summarized

The Italian choice

Italy has chosen the Milanese company Bending Spoons SpA to create the “Immuni” contact tracing app, developed in partnership with Jakala and Centro Medico Santagostino.

This app is based on some fundamental pillars, as required by the EDPB (European Data Protection Board).

The Board expressed its opinion by providing a sort of toolbox on the theme “Mobile applications to support contact tracing in the EU’s fight against COVID-19”, which includes the following guidelines:

  • voluntary adoption
  • the approval of the national health authority
  • the protection of privacy and data security
  • interoperability of systems, also at transnational level
  • the decommissioning of the systems when the processing is no longer necessary

The use of GPS in any form is excluded, so there will be no possibility of knowing “where” the contact took place.

It must be said that all democratic countries are adopting this “GPS free” approach.

Initially Bending Spoons had chosen the PEPP-PT framework for the Immuni app; this, we recall, is a “closed” framework both in terms of protocol specifications and in terms of code.

Bending Spoons had assured on many social channels that the source code would be open; however, at the time of writing the source is not yet available.

The initial adoption of the PEPP-PT framework brought with it some critical issues related to the app’s background operation, privacy and security (centralized model).

It would appear that Bending Spoons is working on a new release of the Immuni app based on the guidelines of the DP-3T and GA-PPTP protocols, and therefore in line with the requirements of Google and Apple.

This is great news: it means that we are converging on a solution that is in line with the DP-3T and GA-PPTP protocols.

Consider that some parallel projects are emerging, based on the open DP-3T protocol and promoted by the community of Italian IT professionals.

We will see what happens. One thing is for sure: the pressure worked, and Bending Spoons is proving to be a great fit on the contact tracing theme.

The choices of other countries

Considering that Apple and Google have moved toward a single protocol (GA-PPTP), it must be said that this solution would have a huge impact in terms of worldwide diffusion and reach, as 99% of the world’s devices are iOS or Android.

Diffusion is a very important value because, according to studies, a contact tracing app would have a real impact only if at least 60% of the population downloaded, installed and activated it.

From this point of view, the GA-PPTP solution would definitely have an advantage.

The problem?

Well, they already know everything about us, so they would also know which of us is sick … let’s pay attention to the information monopoly.

  • Singapore

Singapore has chosen an app called “ TraceTogether ” developed by a government agency using Bluetooth Low Energy (BLE) technology and not GPS.

The source code of the app developed in Singapore is open source and has been published on the web under the name OpenTrace. It adopts the BlueTrace protocol to guarantee the privacy of citizens and is becoming the starting point for many other apps and applications developed in other countries.

  • China

China, on the other hand, has exploited applications already installed on the smartphones of its citizens (WeChat and Alipay). As often happens in an undemocratic country, the solution was “imposed” by the government, as was the adoption of the electronic bracelet. We cannot therefore speak of attention to privacy or of choices made from a GDPR perspective.

These apps also allow the use of GPS and localization and therefore are absolutely not feasible in democratic states.

  • Korea

Korea is adopting a hybrid solution, between that of Singapore and that of China, but even this is too invasive in terms of privacy guarantees, so it is not usable in Europe and in democratic countries.

The associated risks

Now that we have seen what contact tracing is and what are the choices that the various countries of the world are adopting, let’s try to understand what are the risks associated with adopting one protocol rather than another.

Let’s start from a basic assumption: in democratic countries the use of GPS is not possible because the movements of the entire population cannot be tracked.

The main risk, on which everyone is trying to provide solutions and answers, is that a beacon that is always active on a device is in fact an access “door” (backdoor) and is therefore in itself an IT risk to be reduced to a minimum.

In addition to the “door”, the risk of IT intrusion could exist above all in those systems that adopt centralized protocols, in which case the questions that need answers are:

Who will manage the data on the servers? How secure is the data transmission between device and central server?

Suppose that through this access “door” it were possible to falsify the association: this could be a way to blackmail people, force them to stay at home and perhaps gain dominant positions.

Information on people’s health has inestimable value, so the level of computer security must be really very high; this time we cannot afford a second INPS case.

If it is true, as it seems to be, that our “Immuni” app is moving to a decentralized model, then we will have very solid guarantees on the management of the famous encrypted “UUIDs”, which will take place locally and no longer on the server.

In the centralized model there is a single place that holds both the contact data (UUIDs) and the keys that could make them identifiable. In the decentralized model this is effectively eliminated, which is a very important step forward on the security issue.
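
An added example, not from the original article or from any protocol's reference code: a simplified Python sketch of the decentralized model, in which identifiers rotate and matching happens on the phone. The HMAC-based derivation, the 15-minute slots and the names `Phone` and `ephemeral_ids` are assumptions for illustration and do not reproduce the DP-3T or Google/Apple specifications.

```python
import hashlib
import hmac
import secrets

ID_LEN = 16          # bytes per broadcast identifier (assumption)
SLOTS_PER_DAY = 96   # one identifier per 15-minute slot (assumption)


def ephemeral_ids(daily_key):
    """Derive one day's rotating identifiers from a secret daily key.

    Simplified HMAC-SHA256 derivation, not the key schedule of a real protocol.
    """
    return [
        hmac.new(daily_key, b"ephid" + slot.to_bytes(2, "big"),
                 hashlib.sha256).digest()[:ID_LEN]
        for slot in range(SLOTS_PER_DAY)
    ]


class Phone:
    def __init__(self):
        self.daily_key = secrets.token_bytes(32)  # stays on the device
        self.heard = set()                        # identifiers received, stored locally

    def broadcast(self, slot):
        return ephemeral_ids(self.daily_key)[slot]

    def receive(self, eph_id):
        self.heard.add(eph_id)

    def exposed_slots(self, published_keys):
        """On-device match: re-derive identifiers and intersect with what was heard."""
        return sum(len(self.heard & set(ephemeral_ids(k))) for k in published_keys)


def simulate():
    """Constructed scenario: A meets B for four slots; H only meets B."""
    a, b, h = Phone(), Phone(), Phone()
    for slot in range(40, 44):
        b.receive(a.broadcast(slot))
        a.receive(b.broadcast(slot))
    h.receive(b.broadcast(50))
    # A tests positive and publishes only A's own daily key (assumed flow);
    # the server never receives who met whom.
    published = [a.daily_key]
    return {"B": b.exposed_slots(published), "H": h.exposed_slots(published)}


if __name__ == "__main__":
    print(simulate())
```

The server in this sketch holds only the keys of users who reported a positive test; the list of received identifiers, which is what links people together, never leaves each phone.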

Are there other technologies?

The answer is yes, there are other technologies that could allow good contact tracing, but the choice of Bluetooth is undoubtedly the best in terms of mitigating risks related to privacy (there is no spatial tracking with lat/lon) and connection quality between devices.

The other candidate technologies were GPS, which has too strong implications from the point of view of privacy, and triangulation between telephone cells, where the approximation would be too high and the quality of the contact would therefore be drastically reduced.

Most likely the best solution, from a purely technological point of view, would be the adoption of RFID technology, that is, the technology used by anti-shoplifting systems.

In this case, additional objects (e.g. bracelets) and reception antennas would have to be used, so large-scale adoption would be even more complex and expensive than with Bluetooth.

Live Streaming

We talked about contact tracing in a Facebook live stream with other friends; if you want to know more, see this video on YouTube.

References

  • wikipedia
  • Mobile applications to support contact tracing in the EU’s fight against COVID-19
  • cybersecurity360
  • digital agenda
  • beaconitaly

Conclusions

In this article I have tried to clarify the current situation on the subject of “contact tracing”. We have analyzed how it works, the protocols available and the risks associated with the use of this technology, as well as the choices that Europe and our country are making to help us in the fight against covid-19.

 

by Abdullah Sam