COVID-19: “the tracking App”

So I’m sure, like many other Australians, you’ve noticed that we’re doing quite well in the battle against COVID19 and how there’s now talk of moving towards elimination rather than just suppression. If we could achieve elimination this would allow us to substantially lift the current lockdown and resume our lives in a relatively normal way.

Elimination is a bit of a misnomer because it wouldn’t really be eliminated, but instead reduced in prevalence to such a degree that we can reasonably hope to catch the virus every time it takes hold again and starts to spread. This is done through a combination of large scale testing and harsh isolation measures for people infected.

A big part of this process is contact tracing where every time a test comes back positive it’s important to quickly trace all of the people the infected person has been in contact with. This is where “The Trace Together App” has been proposed by the Australian Government as a key (but not the only) tool to do this. In essence the pitch is “give up some of your privacy and you can be released from the lockdown we’re in”.

Various authorities have described the need for this app to be taken up by at least 40% of people for it to be effective. The app is based on a similar one developed by the Singaporean government, who’ve so far only obtained about a 20% take up in what’s typically regarded as a significantly more compliant population than Australia.

There’s been some hysteria about exactly how much privacy we’re being asked to give up. Some have described it as tracking all your movements and sending it back to the government, which isn’t the case. All reports so far say that it uses Bluetooth technology to record who you’ve been around, not GPS, so it doesn’t know where you’ve been.

The government have a strong need for people to trust that their privacy will be protected and so far they’ve done a spectacularly bad job at doing this. After all the past scares about cyber security including the Census bungle, the Data Retention Laws etc, the Australian Government has some way to go before the Australian people consider it trustworthy around privacy. So my prediction is that this app will be a complete waste of time due to the low take up rate.

So could it be done better? Could it be done in such a way that people wouldn’t have to trust the government with their privacy? The answer is yes, by using a “Protocol” rather than “Platform” approach along with some open source code practices.

The Protocol 

 

The first way the government could gain a massive amount of trust would be to release the software source code to the app it’s developing. Then we can look at their code and see if it truly does only what it is intended to do, and in particular doesn’t do anything that they aren’t telling us about. We’re clearly not all coding experts, but there are enough experts who we trust that could give us their opinion.

However, why not go a stage further and actually throw away the code from Singapore and make it a home grown open source project here in Australia? It need not be limited to a single one – people could download the app created by the group that they trust most.

The government would set out the “protocol” which would define how these apps are to interact with each other, how the data is stored and how the data is released.

It would be totally possible to avoid the government ever having the information without your permission.

I imagine a scenario like this:-

  1. The app is downloaded and a single random number is created – this number is only stored on the phone and is unique to you.
  2. The app turns on bluetooth and watches for interactions with other phones.
  3. Once an interaction has exceeded a criterion (as defined by the government protocol) the two phones running the app swap the random number generated in step 1. These numbers are stored along with the date/time on the phone only. Note that these are just numbers, nobody knows who they belong to.
  4. Everyone’s app also subscribes to a list of electronically published numbers that the health authorities would like to contact.
  5. If at some point in the future you test positive to COVID19, you are asked, but not forced, if you would be willing to share either your random number and/or your list of numbers (interactions) – there are subtle privacy differences here but either will work.
  6. Your number is then either added to the list of numbers that other people’s apps should check to see if they have had any interaction with, or alternatively a number could be broadcast saying “we need to contact this person”.
  7. Your app would then offer up a notification to you saying that the health authorities would like to contact you. You can choose to follow this or just ignore it as you see fit. 
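The seven steps above, sketched in Python as an added example (not code from the original post or from any government app). The names `Phone`, `HealthAuthority` and `demo`, and the 15-minute threshold, are assumptions made for illustration; the post leaves the criterion to the protocol.

```python
import secrets
import time

MIN_CONTACT_SECONDS = 15 * 60  # assumed threshold; the post leaves it to the protocol


class HealthAuthority:
    """Publishes only numbers people chose to release: no names, no locations."""

    def __init__(self):
        self.infected_ids = set()      # step 6, first option
        self.contact_requests = set()  # step 6, "we need to contact this person"


class Phone:
    def __init__(self):
        # Step 1: one random number, generated and kept on the handset only.
        self.my_id = secrets.token_hex(16)
        self.seen = {}  # other phone's number -> time of the interaction

    def meet(self, other, seconds, when=None):
        # Steps 2-3: swap numbers only once the interaction meets the threshold.
        if seconds < MIN_CONTACT_SECONDS:
            return False
        when = time.time() if when is None else when
        self.seen[other.my_id] = when
        other.seen[self.my_id] = when
        return True

    def share_after_positive(self, authority, consent, share_contacts=False):
        # Step 5: nothing leaves the phone unless the owner agrees.
        if not consent:
            return False
        if share_contacts:
            authority.contact_requests |= set(self.seen)
        else:
            authority.infected_ids.add(self.my_id)
        return True

    def check(self, authority):
        # Steps 4 and 7: the match happens on the phone; only its owner is told.
        met_infected = any(i in authority.infected_ids for i in self.seen)
        return met_infected or self.my_id in authority.contact_requests


def demo(share_contacts=False, consent=True):
    alice, bob, carol = Phone(), Phone(), Phone()
    authority = HealthAuthority()
    alice.meet(bob, seconds=20 * 60)  # long enough: numbers swapped
    alice.meet(carol, seconds=60)     # too brief: nothing recorded
    alice.share_after_positive(authority, consent, share_contacts)
    return bob.check(authority), carol.check(authority)
```

Because step 1 uses a single fixed number per phone, anyone who receives it in two separate interactions can tell it was the same phone both times; the sketch keeps that property exactly as the steps describe it.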

Using the above protocol/procedure and open source code to actually perform the function, the aim of the health authorities could be achieved (contact tracing) without the people involved ever revealing their location, or even proximity to anyone else without their express permission, which would only be sought if it was needed for the purposes of COVID19 tracing.

Damian Ivereigh
Launtel
20 April 2020