
Decentralized Privacy-Preserving Proximity Tracing (2005.12273v1)

Published 25 May 2020 in cs.CR and cs.CY

Abstract: This document describes and analyzes a system for secure and privacy-preserving proximity tracing at large scale. This system, referred to as DP3T, provides a technological foundation to help slow the spread of SARS-CoV-2 by simplifying and accelerating the process of notifying people who might have been exposed to the virus so that they can take appropriate measures to break its transmission chain. The system aims to minimise privacy and security risks for individuals and communities and guarantee the highest level of data protection. The goal of our proximity tracing system is to determine who has been in close physical proximity to a COVID-19 positive person and thus exposed to the virus, without revealing the contact's identity or where the contact occurred. To achieve this goal, users run a smartphone app that continually broadcasts an ephemeral, pseudo-random ID representing the user's phone and also records the pseudo-random IDs observed from smartphones in close proximity. When a patient is diagnosed with COVID-19, she can upload pseudo-random IDs previously broadcast from her phone to a central server. Prior to the upload, all data remains exclusively on the user's phone. Other users' apps can use data from the server to locally estimate whether the device's owner was exposed to the virus through close-range physical proximity to a COVID-19 positive person who has uploaded their data. In case the app detects a high risk, it will inform the user.

Authors (34)
  1. Carmela Troncoso (54 papers)
  2. Mathias Payer (21 papers)
  3. Jean-Pierre Hubaux (25 papers)
  4. Marcel Salathé (27 papers)
  5. James Larus (5 papers)
  6. Edouard Bugnion (6 papers)
  7. Wouter Lueks (14 papers)
  8. Theresa Stadler (4 papers)
  9. Apostolos Pyrgelis (24 papers)
  10. Daniele Antonioli (8 papers)
  11. Ludovic Barman (5 papers)
  12. Sylvain Chatel (5 papers)
  13. Kenneth Paterson (2 papers)
  14. Srdjan Čapkun (111 papers)
  15. David Basin (34 papers)
  16. Jan Beutel (6 papers)
  17. Dennis Jackson (3 papers)
  18. Marc Roeschlin (5 papers)
  19. Patrick Leu (7 papers)
  20. Bart Preneel (14 papers)
Citations (357)

Summary

  • The paper introduces a decentralized approach for COVID-19 contact tracing that minimizes data exchange to protect user privacy.
  • It leverages Bluetooth Low Energy to broadcast ephemeral IDs while keeping data local until the user consents to share it.
  • The design mitigates risks of centralized data breaches and provides a scalable model for future digital health solutions.

Decentralized Privacy-Preserving Proximity Tracing: An Overview

The paper, "Decentralized Privacy-Preserving Proximity Tracing," presents a detailed exploration of a system designed to support large-scale contact tracing efforts for COVID-19 while prioritizing user privacy. Developed collaboratively by researchers from institutions including EPFL, ETHZ, and University College London, the system employs a decentralized approach to ensure that personal data is minimized, reducing potential privacy risks for individuals.

System Design and Functionality

The proposed system hinges on mobile applications that broadcast and record ephemeral, pseudo-random IDs via Bluetooth Low Energy (BLE). When a user receives a positive COVID-19 diagnosis, they can upload their broadcast IDs to a central server, which other users' smartphones can query to ascertain potential virus exposure. Critically, this process does not involve revealing the identities of users or the precise locations where contacts occurred.

The design ensures that all data remains local to the user's device until the user consents to upload it, preserving a degree of anonymity and privacy throughout the process. This decentralization is crucial: the central server holds only what diagnosed users choose to upload, unlike centralized models where a central authority receives and processes all proximity data.

Privacy and Security Safeguards

To enhance security and privacy, the system is designed to minimize data collection and usage. It limits what the central server can see to the pseudo-random identifiers that diagnosed users upload, so the server cannot infer relationships between users or any personal identity data. Some key privacy features include:

  • Data Minimization: The central server receives only the minimum data necessary to alert individuals to potential exposure, without any additional geographic or personal information.
  • No Long-term Tracking: Users are protected from long-term tracking as the system generates new identifiers frequently, and uploaded data is ephemeral.
  • Graceful Dismantling: The application is designed to dismantle itself, with data being automatically deleted after 14 days and operations ceasing following the pandemic's end.
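To make the flow in "System Design and Functionality" and the data-minimization and 14-day deletion points above concrete, here is an added Python simulation; it is not code from the paper or from the DP3T project. Each phone generates a fresh random EphID per epoch, records the EphIDs it observes together with the proximity time, keeps everything local, uploads only its own broadcast IDs on diagnosis, and matches the server's published list against its own observations locally. The 15-minute epoch, the risk threshold, the class and function names and the Alice/Bob/Carol/Dave scenario are constructed assumptions; the paper's actual EphID derivation scheme is not reproduced here.

```python
import secrets
from collections import defaultdict

EPHID_LEN = 16           # bytes of each ephemeral, pseudo-random ID
RETENTION_DAYS = 14      # the page: data is automatically deleted after 14 days
EPOCH_MINUTES = 15       # assumption: each EphID is broadcast for one 15-minute epoch
RISK_THRESHOLD_MIN = 15  # assumption: cumulative contact time that counts as "high risk"


class Phone:
    """One user's app. Everything it stores stays on the device until the
    user decides to upload, and only the phone's *own* broadcast IDs go up."""

    def __init__(self, name):
        self.name = name
        self.own = defaultdict(list)    # day -> EphIDs this phone broadcast
        self.seen = defaultdict(dict)   # day -> {observed EphID: minutes nearby}

    def ephid(self, day, epoch):
        """Fresh random ID per epoch, unlinkable across epochs (no long-term tracking)."""
        ids = self.own[day]
        while len(ids) <= epoch:
            ids.append(secrets.token_bytes(EPHID_LEN))
        return ids[epoch]

    def record(self, day, ephid, minutes):
        """Store an observed EphID plus accumulated proximity time, locally only."""
        self.seen[day][ephid] = self.seen[day].get(ephid, 0) + minutes

    def prune(self, today):
        """Graceful dismantling: drop everything older than the retention window."""
        for store in (self.own, self.seen):
            for day in [d for d in store if d <= today - RETENTION_DAYS]:
                del store[day]

    def upload_package(self):
        """What a diagnosed user uploads: own broadcast IDs only, never the
        observed ones, so the server learns nothing about who met whom."""
        return {day: list(ids) for day, ids in self.own.items()}

    def exposure_minutes(self, published):
        """Local matching: intersect the server's list with what this phone saw."""
        total = 0
        for day, ids in published.items():
            for e in ids:
                total += self.seen.get(day, {}).get(e, 0)
        return total

    def is_high_risk(self, published):
        return self.exposure_minutes(published) >= RISK_THRESHOLD_MIN


class Server:
    """Holds only uploaded broadcast IDs; it has no observations and so cannot
    compute any contact itself."""

    def __init__(self):
        self.published = defaultdict(list)

    def accept_upload(self, package):
        for day, ids in package.items():
            self.published[day].extend(ids)

    def download(self):
        return {day: list(ids) for day, ids in self.published.items()}


def encounter(a, b, day, epoch, minutes):
    """Two phones within BLE range: each records the other's current EphID."""
    a.record(day, b.ephid(day, epoch), minutes)
    b.record(day, a.ephid(day, epoch), minutes)


def simulate(today=20):
    """Constructed scenario: Bob is diagnosed; Alice met him recently, Carol
    met him only outside the retention window, Dave never met him."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    server = Server()
    encounter(carol, bob, day=today - 15, epoch=10, minutes=EPOCH_MINUTES)  # too old
    encounter(alice, bob, day=today - 3, epoch=40, minutes=EPOCH_MINUTES)
    encounter(alice, bob, day=today - 3, epoch=41, minutes=EPOCH_MINUTES)
    encounter(alice, dave, day=today - 1, epoch=5, minutes=EPOCH_MINUTES)
    for p in (alice, bob, carol, dave):
        p.prune(today)                           # 14-day retention on every device
    server.accept_upload(bob.upload_package())   # Bob tests positive and consents
    published = server.download()
    return {
        "alice": alice.exposure_minutes(published),
        "carol": carol.exposure_minutes(published),
        "dave": dave.exposure_minutes(published),
        "alice_high_risk": alice.is_high_risk(published),
        "server_rows": sum(len(v) for v in published.values()),
    }


if __name__ == "__main__":
    print(simulate())
```

The point worth checking when reading the output is what the server ends up holding: a flat list of Bob's own broadcast IDs for the retained days and nothing else. None of the `seen` tables ever leave a device, so a compromise of the server exposes no contact graph, and Carol's old encounter cannot be matched because both sides deleted it before the upload happened.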

Comparative Advantage Over Centralized Systems

In contrast to centralized approaches, like those seen in PEPP-PT-NTK and OpenTrace, where identifiers and risk calculations are managed centrally, the decentralized approach of this system offers superior privacy protections. By keeping computations and data primarily on the user's device, it reduces the potential for mass data breaches and misuse by the central authority.

Notably, the system mitigates the risks associated with exposure notification, such as over- or under-reporting caused by misuse of the broadcast ephemeral IDs (EphIDs), through the careful design of its identifier generation and risk estimation processes.

Practical Implications and Future Directions

The system's deployment can significantly enhance public health efforts by accelerating the process of identifying and notifying individuals potentially exposed to COVID-19, thereby facilitating faster isolation and interruption of transmission chains. In broader contexts, such a decentralized framework could inform the design of privacy-preserving digital health solutions beyond the scope of COVID-19.

Future developments may focus on optimizing the trade-offs between privacy and system resource demands (e.g., bandwidth and battery life), especially in different technological environments. Additionally, extending interoperability across different regions could enhance global pandemic response efforts.

In conclusion, the decentralized privacy-preserving system delineated in this paper represents a robust and thoughtful approach to digital contact tracing, prioritizing user privacy and data security while contributing effectively to public health measures. Its implementation could serve as a model for future digital health interventions, particularly in balancing public safety with individual rights.