Contact Tracing Mobile Apps for COVID-19: Privacy Considerations and Related Trade-offs (2003.11511v2)

Published 25 Mar 2020 in cs.CR

Abstract: Contact tracing is an essential tool for public health officials and local communities to fight the spread of novel diseases, such as for the COVID-19 pandemic. The Singaporean government just released a mobile phone app, TraceTogether, that is designed to assist health officials in tracking down exposures after an infected individual is identified. However, there are important privacy implications of the existence of such tracking apps. Here, we analyze some of those implications and discuss ways of ameliorating the privacy concerns without decreasing usefulness to public health. We hope in writing this document to ensure that privacy is a central feature of conversations surrounding mobile contact tracing apps and to encourage community efforts to develop alternative effective solutions with stronger privacy protection for the users. Importantly, though we discuss potential modifications, this document is not meant as a formal research paper, but instead is a response to some of the privacy characteristics of direct contact tracing apps like TraceTogether and an early-stage Request for Comments to the community. Date written: 2020-03-24 Minor correction: 2020-03-30

Citations (441)

Summary

  • The paper examines privacy concerns (from snoopers, contacts, and authorities) in COVID-19 contact tracing apps like TraceTogether and analyzes related trade-offs.
  • Proposed privacy enhancements include polling-based systems, token mixing, public databases, and private messaging systems using cryptographic protocols.
  • Achieving strong privacy often requires complex cryptographic methods, and balancing privacy trade-offs is crucial for app adoption and public health effectiveness.

Analyzing Privacy Considerations in Mobile Contact Tracing Apps for COVID-19

This paper provides a detailed examination of the privacy concerns associated with mobile contact tracing applications, focusing on the examples set by various countries in combatting the COVID-19 pandemic. Primarily, it evaluates the TraceTogether app developed in Singapore and explores privacy trade-offs while proposing potential strategies to increase privacy guarantees for users.

Overview

The authors argue that contact tracing is imperative for controlling the spread of COVID-19, particularly as cases rise to levels where manual contact tracing becomes infeasible. In response, various digital contact tracing solutions have been deployed globally, each with different implications for privacy. The paper analyzes three main privacy concerns specific to contact tracing apps: privacy from snoopers, privacy from contacts, and privacy from the authorities.

Notions of Privacy

  1. Privacy from Snoopers: The focus here is on shielding users from passive actors who might exploit the system to track identities using the broadcast tokens. The paper suggests that while the TraceTogether app employs time-varying tokens to avoid such privacy invasions, it is not foolproof, since linkage attacks could still identify users.
  2. Privacy from Contacts: The goal is to limit the amount of information regarding a user's contacts that is exposed to other users. The TraceTogether app attempts this by having government authorities mediate the alerts, ensuring that only minimal information is disclosed.
  3. Privacy from Authorities: This concern deals with the extent of information accessible to the authorities administering the contact tracing app. The paper critiques the TraceTogether app for lacking in this aspect, as it allows government access to users’ contact networks whenever a user reports a COVID-19 diagnosis.

Proposed Privacy Enhancements

The authors propose several augmentations to the TraceTogether approach:

  • Polling-Based Systems: These systems involve users polling a central server to check for exposure. Although this approach may offer some privacy from authorities, it remains vulnerable to linkage attacks.
  • Token Mixing: This strategy involves using mixing servers to aggregate data before forwarding it to central authorities. This could obscure the correlation between individuals' network activity and their identities, protecting user privacy from authorities.
  • Public Databases: Publishing tokens of diagnosed users in a public database may increase data privacy from authorities. However, it could compromise diagnosed users' privacy from contacts.
  • Private Messaging Systems: These leverage cryptographic protocols to enable secure information sharing between contact tracing apps and users. Such systems, utilizing mix networks and private information retrieval, show the potential to securely implement contact tracing without compromising metadata privacy.
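
The public-database option above, sketched as an added example (not code from the paper or from TraceTogether): phones broadcast time-varying tokens, a diagnosed user publishes only their own tokens, and everyone else matches locally. The HMAC-based token derivation, the epoch numbers, and the names `Phone`, `meet` and `simulate` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

EPOCHS_PUBLISHED = range(96, 112)  # assumed reporting window, in token epochs


def token_for(seed: bytes, epoch: int) -> bytes:
    """Time-varying broadcast token; epochs are unlinkable without the seed."""
    return hmac.new(seed, epoch.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self) -> None:
        self.seed = secrets.token_bytes(32)  # stays on the device
        self.heard: dict[bytes, int] = {}    # token -> epoch it was received in

    def tokens_to_publish(self) -> set[bytes]:
        """On diagnosis, upload only this phone's own broadcast tokens."""
        return {token_for(self.seed, e) for e in EPOCHS_PUBLISHED}

    def check_exposure(self, public_db: set[bytes]) -> list[int]:
        """Match locally against the public database; nothing is uploaded."""
        return sorted(e for t, e in self.heard.items() if t in public_db)


def meet(a: Phone, b: Phone, epoch: int) -> None:
    """Both phones record the token the other one broadcasts in this epoch."""
    a.heard[token_for(b.seed, epoch)] = epoch
    b.heard[token_for(a.seed, epoch)] = epoch


def simulate() -> dict:
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed encounters: Alice and Bob share two epochs, Bob and Carol one.
    meet(alice, bob, 100)
    meet(alice, bob, 101)
    meet(bob, carol, 105)
    public_db = alice.tokens_to_publish()  # Alice is diagnosed
    return {
        "bob": bob.check_exposure(public_db),      # learns *when* he met the case
        "carol": carol.check_exposure(public_db),  # no contact, no match
        "authority_sees": len(public_db),          # tokens only, no contact graph
    }


if __name__ == "__main__":
    print(simulate())
```

The authority receives only the diagnosed user's tokens, but Bob's result pins the exposure to specific epochs, which is the loss of privacy from contacts that the bullet on public databases describes.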

Implications and Future Directions

The paper's analysis highlights that achieving strong privacy guarantees in contact tracing systems requires sophisticated cryptographic methods, often at the cost of increased computational resources. However, these methods provide an avenue for ensuring privacy without sacrificing the effectiveness of public health measures. The discussion extends into strategies for encouraging widespread adoption of contact tracing apps, arguing that strong privacy assurances can facilitate voluntary uptake, which is essential for the apps' success in curbing disease spread.

Conclusion

In assessing mobile contact tracing apps for COVID-19, this paper contributes to the discourse on privacy considerations in digital epidemiology tools. While some promising solutions are discussed, practical implementations would require navigating complex trade-offs between privacy and public health. The suggestions made for privacy augmentations indicate a need for continued research to balance these priorities while adapting technologies to diverse societal norms. Future work will need to translate theoretical privacy enhancements into practical, widely deployable systems.
