Contact tracing means that once someone is infected, all people who were in contact with this person need to be identified.

Following China and Singapore, countries are working on solutions for their citizens. In Switzerland, DP-3T is an initiative from EPFL/ETHZ (and other universities) that is likely to be adopted. By mid-April, Apple and Google announced a joint effort to provide a framework named Exposure Notification API, compatible with both iOS and Android, that will help to implement such systems.

How does contact tracing work?

The basic principle of contact tracing apps is to use your mobile device to determine whether you were in contact with someone infected by the virus in the last 14 days. The first applications released used a solution based on GPS locations. More recent developments focus on solutions based on broadcast messages exchanged via Bluetooth, as this is less intrusive. Bluetooth makes it possible to build a contact chain without knowing users’ location. The following cartoon explains well how contact tracing works.

How privacy-first contact tracing works. Source: DP^3T

The protocol is more complicated than that. There are a lot of discussions going on about the best security and privacy-preserving practices (ref, ref). The goals are:

  1. Minimize data collection and retention
  2. Prevent tracking of non-infected users (everything is kept on users’ phones if they are not infected)
  3. Keep users who are infected anonymous (users receive anonymous messages broadcast by infected users)

However, there is a major limitation for the developers of such a system. Bluetooth scanning is not allowed to run in the background on iOS, which means that the app has to be constantly open to work. There is no such restriction on Android, but since version 10, the user has to grant permission for it to work in the background. Apple added this restriction to stop apps that were tracking users for bad reasons, for example, to display advertisements when walking in a grocery store. It is unlikely that Apple will back off on this decision (as France is asking). Instead, Apple and Google advise using the new Exposure Notification API, which works in the background and optimizes battery consumption. In addition, the framework is focused on preserving user privacy and uses concepts similar to those devised by DP-3T (Apple and Google proposal). DP-3T has the integration of the API on its roadmap.

Exposure Notification API

The Exposure Notification API (Apple/Google) greatly facilitates the development of contact tracing apps and adds some additional security layers. The framework handles Bluetooth scanning. Furthermore, the generated/received random messages, called Temporary Exposure Keys, are stored in a secure enclave. Once someone tests positive with medical validation, a subset of the generated keys named Diagnosis Keys (the keys generated in the last 14 days) can be fetched from the API and sent to the diagnosis server. The diagnosis server, the validation mechanism and the client-server communication are to be implemented by the developers. To identify an exposure, all clients have to periodically download the Diagnosis Keys from the server. When the keys are passed back to the framework, it compares them with the keys observed during Bluetooth scanning. As output, the API returns a value indicating whether the user has been exposed.
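The exchange described above, sketched as an added example; it is not code from the Exposure Notification framework or from DP-3T. The HMAC-SHA256 derivation stands in for the framework's own key derivation, and the 144 intervals per day and all class and function names are assumptions.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumption: a new identifier every 10 minutes
RETENTION_DAYS = 14      # from the text: keys generated in the last 14 days


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the identifier broadcast during one interval (HMAC stand-in)."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_keys = {}  # day -> random key, stays on the phone unless diagnosed
        self.observed = {}    # identifier heard over Bluetooth -> (day, interval)

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def hear(self, identifier: bytes, day: int, interval: int) -> None:
        self.observed[identifier] = (day, interval)

    def diagnosis_keys(self, today: int) -> list:
        """Keys released after a validated positive test: last 14 days only."""
        return [(d, k) for d, k in sorted(self.daily_keys.items())
                if today - RETENTION_DAYS < d <= today]

    def find_exposures(self, published: list) -> list:
        """Re-derive identifiers from published keys and match them locally."""
        hits = []
        for day, key in published:
            for interval in range(INTERVALS_PER_DAY):
                seen = self.observed.get(rolling_id(key, interval))
                if seen == (day, interval):
                    hits.append(seen)
        return sorted(hits)


def demo():
    alice, bob, carol = Phone(), Phone(), Phone()
    alice.hear(bob.broadcast(day=20, interval=50), 20, 50)    # Alice met Bob on day 20
    alice.hear(bob.broadcast(day=3, interval=7), 3, 7)        # older than 14 days
    carol.hear(alice.broadcast(day=20, interval=50), 20, 50)  # Carol only met Alice
    server = bob.diagnosis_keys(today=21)                     # Bob tests positive on day 21
    return alice.find_exposures(server), carol.find_exposures(server)
```

The server only ever holds Bob's daily keys; who heard them is decided on each phone, which is why non-infected users such as Carol never reveal anything.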

I find it interesting to see that users are not simply considered as exposed if there is a match. That would give a lot of false positives. Instead, the framework returns an exposure risk level that gives the probability of being infected. This level is calculated from different risk parameters:

  • Transmission risk parameter: risk based on probability to transmit the virus (e.g. the highest risk value for a user who has recently been tested positive, medium risk for a user who was in contact with a positively diagnosed person).
  • Duration risk parameter: risk based on duration of the exposure.
  • Days risk parameter: risk based on the days since the exposure happened.
  • Attenuation risk parameter: Bluetooth signal attenuation (i.e. distance) from an exposure.

Those parameters are weighted and give a final exposure risk level score between the lowest risk and the highest risk. The weights and parameter values have to be set by the developers according to how much importance the medical authority wants to place on each risk parameter and its values. The documentation gives an example of how to calculate the rate for Alice, who was exposed to Bob, who was diagnosed positive.

Example : Alice, Primary Exposed User. Source: Apple Developer
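A scoring model of the kind described above, as an added example; it is not the framework's code or the documentation's figures. The bucket thresholds, level values, weights, the multiplication rule and all names are assumptions; only the four parameters and the 50 dB attenuation cut-off come from this article.

```python
from bisect import bisect_right
from dataclasses import dataclass

# Constructed sample settings of the kind a health authority would choose;
# none of these numbers come from the documentation.
ATTENUATION_DB = ([10, 15, 27, 33, 50], [8, 7, 5, 3, 1, 0])  # 50 dB and above scores 0
DURATION_MIN = ([5, 10, 15, 30], [0, 2, 4, 6, 8])            # under 5 minutes scores 0
DAYS_SINCE = ([2, 5, 8, 14], [8, 6, 4, 2, 0])                # 14 days and older scores 0
TRANSMISSION = {"low": 2, "medium": 5, "high": 8}
WEIGHTS = {"attenuation": 1.0, "duration": 1.0, "days": 1.0, "transmission": 1.0}
MAX_SCORE = 8 ** 4


@dataclass
class Match:
    attenuation_db: float
    duration_min: float
    days_since: int
    transmission: str


def level(value, table):
    """Bucket a measurement: levels[i] applies to values below thresholds[i]."""
    thresholds, levels = table
    return levels[bisect_right(thresholds, value)]


def risk_score(m: Match) -> float:
    """Weighted product of the four levels, scaled to 0.0 (lowest) .. 1.0 (highest)."""
    levels = {
        "attenuation": level(m.attenuation_db, ATTENUATION_DB),
        "duration": level(m.duration_min, DURATION_MIN),
        "days": level(m.days_since, DAYS_SINCE),
        "transmission": TRANSMISSION[m.transmission],
    }
    score = 1.0
    for name, value in levels.items():
        score *= value * WEIGHTS[name]
    return min(score / MAX_SCORE, 1.0)


def assess(matches, notify_at=0.1):
    """Return (highest score, matches at or above the notification threshold)."""
    scores = [risk_score(m) for m in matches]
    return max(scores, default=0.0), [m for m, s in zip(matches, scores) if s >= notify_at]
```

Because the levels are multiplied, a single zero (a signal weaker than the cut-off, or a contact of a few minutes) removes a key match from consideration, which is how a match avoids becoming an automatic false positive.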

Bluetooth limitations

To approximate the distance between two phones, the attenuation of the Bluetooth signal power (dB) between the emitter and the receiver is measured, knowing that it is proportional to the distance. However, the measurement is not accurate and depends on external factors like technical issues, interference, how the device is being held or whether there are obstacles such as a human body. It means you could miss someone who was close or detect another person who is in fact behind a wall.

There is a calibration app you can use to test the detection on the DP-3T GitHub repository (iOS/Android). You will see that distance estimations are pretty accurate when two devices are close, but they are less precise and fluctuate when the devices are further apart. There are parameters that you can tweak to improve the computation (e.g. take multiple measures). At the end of the day, it’s not a major issue for contact tracing apps, as they should only record measurements when the distance between two phones is at most 2 to 3 meters. Regarding the risk level estimation above, only attenuation below 50 dB is taken into account, which corresponds to a distance of 3 meters.

I think that it’s a good thing that Apple and Google provide the implementation for developers. The latter will be better at optimizing the detection together with the hardware vendors. Android developers usually have to fight with different hardware behaviours and/or Android version compatibility when implementing features using Bluetooth, and it will certainly be less of a pain.

Next steps

Scientific research says that contact tracing apps can help to control the epidemic if used by enough people. To reach this goal, authorities have to focus on user privacy and build trust (official public health authorities app working with trusted development partners, open source, open communication, etc.). Apple and Google also have an important role to play in accepting only apps developed by public health authorities. In a second phase, Apple and Google are going to integrate the Exposure Notification API into the OS to reach more users (still with user consent). If a match is detected, the OS will prompt the user to download an official app.

These apps are implemented with strict security and privacy-preserving rules in mind, but there are still scenarios where a malicious person can abuse the system, for instance by learning who is using the app, creating false positives or deducing who is infected. A survey showed that in Switzerland the majority of inhabitants agree to install a contact tracing app on their phone. The Swiss Parliament is still discussing the legal basis needed to authorize these apps.

Due to the limits of this technology, it is important that users can get medical advice. Users should indeed be able to be tested if necessary once the app shows that there is a risk of being infected. In my opinion, the usage of such apps should be voluntary and not become required to cross the border or enter a shop. Finally, users should be able to deactivate it at home. And the service should be shut down once the Coronavirus crisis is over. Privacy-first contact tracing apps are probably one tool to make it happen.

Hero picture by Kate Trifo on Unsplash.