Privacy-Preserving Contact Tracing

Apple and Google have proposed a method of doing contact tracing using the Bluetooth on our smartphones. It’s done using fancy cryptography and such, but I wanted to explain the basic mechanics in a simple way. Skip down to the bottom if you just want that part.

We are all now learning way more about pandemics than we ever wanted to, including phrases like social distancing, flatten the curve and raise the line. And there have even been helpful videos for non-epidemiologists, to help us understand what’s going on. But there’s another term getting a lot of press lately: contact tracing. It’s not a new term – it’s a key tool in dealing with any pandemic. But we are now in an age where we can use technology to aid in this procedure, and that is raising serious concerns from advocates for privacy and civil liberties.

First, let’s define the term so we’re all on the same page. When trying to control the spread of a virus, it’s crucial to know who infected people have recently been in contact with – especially when the virus is contagious before the infected person is symptomatic. To do this, doctors will question the infected person to try to get a list of every person they have come in contact with in recent days. For COVID-19, this would go back at least 14 days. But the human memory is notoriously bad, and what if you don’t know the people you had contact with (barista, waitress, etc.)?

Orwellian Contact Tracing

Even 1984 didn’t foresee that we would all be happily and willingly (if maybe unwittingly) carrying around portable “telescreens” (aka, smartphones). But right now, your cellular carrier, Google, Facebook and others pretty much know where every person is at any time (or at least where their smartphone is). They also know exactly who owns each one of those devices.

So the lazy solution here is a panopticon. That is, for these companies to trace back every infected person’s path for the last 14 days to see who they were near. Google already provides this sort of service to law enforcement when they have trouble finding witnesses to crimes. They ask Google to give them a list of every person they track (most of us) within a certain geographic area during a time (or date?) range. Having Google know where we all are and where we’ve all been is bad enough… handing over a tool like that to the government would be truly… well, Orwellian.

One More Time… with Privacy!

So is there some way to do contact tracing while somehow preserving our privacy and civil liberties? It’s still not clear, but at least some people are actually trying. And their solution is pretty clever.

Let me say clearly that the point of this article is not to advocate that we do this. There are many other considerations with this sort of system that are social and political, and there are still ways this system can be abused. But I do want to show that with enough thinking, it’s possible to come up with crafty ways to solve these sorts of problems while preserving privacy and human rights.

You can read the proposal here, but it’s still a little technical. Basically, the idea is to use our smartphones to keep track of everyone we’ve had “contact” with. All smartphones (with Bluetooth enabled) broadcast unique IDs all the time. These IDs can be “heard” by other Bluetooth devices nearby (about 6 feet). So if your phone remembers all the IDs it hears, then you have a record of every contact you’ve made.

You Win! (Now Get Tested)

Here’s my analogy for how this idea works. Let’s say everyone carries around a spool of raffle tickets. Every ticket has a unique number on it and can be split into two halves. Now Alice and Bob meet somewhere (there’s a “contact event”). Alice rips off a ticket from her roll and gives half to Bob and saves the other half. Bob does the same for her. Alice and Bob put these ticket halves in two different bags they each carry:

  • my ticket halves (ones I gave to other people)
  • their ticket halves (ones given to me)

Days later, Bob tests positive for COVID-19. He now empties his bag containing the tickets he received from Alice and other people. He posts a list of these ticket numbers in a public place. Alice checks this list periodically (say, daily) and finds her number is on the list. Yay – she won! Unfortunately, that means she has been in contact with someone who probably had the virus and now she needs to get herself tested.

The clever part here is that we didn’t have to track Alice and Bob’s exact locations 24/7, we just kept a list of every person they came close to. And that list didn’t have names – it had anonymous IDs. We’ve accomplished our goal without compromising privacy!
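The raffle-ticket scheme above as runnable code (an added example, not code from the article or from the Apple/Google proposal): each contact event tears off a fresh random ticket per person, tickets older than the article's 14-day window are discarded, the diagnosed person posts the halves he collected, and everyone else checks their own halves against the posted list. The names, the dates and the scenario are assumptions made for the example.

```python
import secrets
from datetime import datetime, timedelta

WINDOW = timedelta(days=14)  # how far back contacts matter (the article's 14 days)

class Person:
    """One raffle-ticket spool plus the two bags from the article's analogy."""
    def __init__(self, name):
        self.name = name
        self.mine = {}    # ticket half I handed out -> when I handed it out
        self.theirs = {}  # ticket half handed to me -> when I received it

    def tear_off_ticket(self, when):
        # A fresh random number per contact: nothing links two tickets to one person.
        ticket = secrets.token_hex(16)
        self.mine[ticket] = when
        return ticket

    def prune(self, now):
        # Forget halves older than the window; they can no longer matter.
        for bag in (self.mine, self.theirs):
            for t in [t for t, when in bag.items() if now - when > WINDOW]:
                del bag[t]

    def publish_contacts(self, now):
        # Diagnosed: post the halves I collected. The list carries no names.
        self.prune(now)
        return sorted(self.theirs)

    def check_exposure(self, posted, now):
        # "Did I win?": is any half I handed out on the public list?
        self.prune(now)
        return bool(self.mine.keys() & set(posted))

def contact_event(a, b, when):
    """Two people meet: each hands the other half of a fresh ticket."""
    b.theirs[a.tear_off_ticket(when)] = when
    a.theirs[b.tear_off_ticket(when)] = when

def scenario():
    # Constructed scenario: Alice met Bob recently, Carol met him too long ago.
    alice, bob, carol = Person("Alice"), Person("Bob"), Person("Carol")
    day0 = datetime(2020, 4, 1)
    contact_event(alice, bob, day0)
    contact_event(carol, bob, day0 - timedelta(days=20))
    today = day0 + timedelta(days=5)
    posted = bob.publish_contacts(today)  # Bob tests positive and posts his bag
    return {p.name: p.check_exposure(posted, today) for p in (alice, carol)}, posted
```

In the Apple/Google design the direction is reversed: the diagnosed person publishes the keys behind the IDs their own phone broadcast, and other phones check the IDs they heard against that list, but the posted list still carries no names.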

Of course, there are still plenty of problems with this approach, despite the time and care they took to protect your privacy. This short article from Bruce Schneier basically says it’s useless.

There is going to be a lot of pressure in the coming weeks and months to implement some sort of contact tracing. We need to take the time to come up with novel solutions that preserve our human rights.
