Contact Tracing App Warns of COVID-19 Exposure While Protecting Privacy
Contact Tracing App Warns of COVID-19 Exposure while Protecting Privacy
Three BU cybersecurity experts join MIT researchers to develop new Bluetooth-enabled smartphone app
Three Boston University computer scientists and engineers are working on a smartphone app that could let people know if they have come in contact with someone who has tested positive for COVID-19, while protecting the privacy of all parties.
Ran Canetti, Ari Trachtenberg, and Mayank Varia have teamed up with researchers at Massachusetts Institute of Technology and other universities to develop an app that uses Bluetooth-enabled cell phones to notify a person if they have come into close proximity with someone infected with SARS-CoV-2, the novel coronavirus that causes COVID-19 and has been officially detected in more than two million people worldwide.
To work best, the app requires many people to use it, whether they have had COVID-19 or not. The app transmits and captures random Bluetooth signals via nearby cell phones that also have the app installed. App users who have been diagnosed with COVID-19 voluntarily and anonymously report their positive results, which then causes their Bluetooth pings from the last 14 days to be uploaded to a database that’s coded to ensure that the diagnosed user is uploading their own pings. From there, those signals are compared with pings of other app participants in the system. The app then alerts users of possible proximity to an infected person, and subsequently directs them to follow up with health officials (or their doctor). All of the uploaded information is verified by a public health agency, and all apps must be installed by users voluntarily.
For Canetti, Trachtenberg, and Varia, all cybersecurity experts, the main concern of the technology is the preservation of privacy. “The question of privacy originally came up in a discussion on the mailing list of the BU Hariri Institute’s Cyber Security, Law, and Society Alliance,” says Trachtenberg, a College of Engineering professor of electrical and computer engineering. “I proposed a [prototypic] approach to privacy-aware contact tracing, and Ran, Mayank, and I fleshed out the approach in a paper that we posted to arXiv on March 27.”
The arXiv paper attracted a great deal of attention, and the BU team soon joined the PACT (Private Automated Contact Tracing) team, which is led by Ron Rivest, an MIT professor and the inventor of several highly regarded encryption algorithms.
“PACT was started in response to COVID-19,” says Varia, a BU College of Arts & Sciences research associate professor of computer science and codirector of BU’s Center for Reliable Information Systems and Cyber Security (RISCS). “This is just one small piece of the COVID-19 puzzle; there exist an immense number of healthcare issues and also many technological ones that PACT does nothing to address. On the other hand, this technology can be useful beyond the current epidemic since we [plan to] have this capability ready to go in advance of the next epidemic—which hopefully won’t be for a long time.”
PACT also includes scientists from Massachusetts General Hospital, the Weizmann Institute of Science, Brown University, Carnegie Mellon University, and the MIT Lincoln Laboratory. The researchers say key elements in the PACT protocol are taken from the original design proposed by the team of BU engineers. Apple and Google recently put forth a very similar protocol in their own contact tracing app.
“Typically, an effort like this would be done over years, with publication and peer review, but we just don’t have the time for the formal academic mechanism,” says Trachtenberg. “The broad PACT collaboration serves as an excellent substitute in this time of need. It’s essential that this system be put together at breakneck speed.”
Varia emphasizes that the app does not transmit any personal information, or even a unique identifier for a phone.
“To protect everyone’s privacy, we are only sending random ‘garbage’ within each Bluetooth packet,” he says. “We call these random numbers ‘chirps.’ People who are diagnosed with COVID-19 voluntarily post only these random chirps to a public database, which permits anyone who has come into contact with the diagnosed person to check (locally on their own phone) whether any of the chirps they have [encountered] match the entries in the public database.”
Canetti, a BU College of Arts & Sciences professor of computer science and RISCS director, says the technology demonstrates how automatic contact tracing can be done on a phone-to-phone basis and without a centralized opaque database that holds location information on all individuals.
“That’s important,” Canett says, “because it counters the prevailing perception that mitigating the pandemic via automatic contact tracing mandates large-scale, government-led violation of privacy of all or most of the population.”
Comments & Discussion
Boston University moderates comments to facilitate an informed, substantive, civil conversation. Abusive, profane, self-promotional, misleading, incoherent or off-topic comments will be rejected. Moderators are staffed during regular business hours (EST) and can only accept comments written in English. Statistics or facts must include a citation or a link to the citation.