May 12, 2020
Privacy-aware coronavirus tracing app
Identification of contacts is one of the most important measures to mitigate the spread of the coronavirus. Tracing apps are meant to help: they inform people who have stayed near an infected person for a defined period of time. The technical implementation, however, carries a risk of data misuse, and the approaches presented so far do not sufficiently protect privacy. Researchers at Karlsruhe Institute of Technology (KIT) and the FZI Research Center for Information Technology, an innovation partner of KIT, have now proposed an app that combines the advantages of a central and a decentralized approach and thus enhances privacy. The results are published in a technical report.
In the past weeks, potential centralized and decentralized solutions for tracing apps and their data security have triggered extensive discussion. The debate mainly focuses on whether these approaches sufficiently protect the privacy of users. For this reason, scientists of KIT's Competence Center KASTEL and FZI's Competence Center for IT Security have developed a dual approach that provides enhanced privacy even against active attackers.
Combination of Central and Decentralized Solutions
"To exclude, if possible, the risks to the privacy of persons infected by the coronavirus, there should not be any central register of all persons infected, and users of the system should not be able to draw any conclusions with respect to the person infected when they receive a warning," says Professor Thorsten Strufe, Head of the "Practical IT Security" research group of KIT. "This is achieved by dividing the tracking information into information applied to warn the users and information required for tracking proper." Moreover, the data should be distributed across several independent servers, each of which receives only a small part of the sensitive information.
The scientists plan to store the data locally on the mobile phones, similar to the decentralized approaches presented so far. These data are then uploaded to central servers only in the case of a positive diagnosis. "On the servers, matching of the contacts will take place. In this way, we can conceal the person infected. This would be impossible when using a purely decentralized concept," says Jörn Müller-Quade, Professor for Cryptography and IT Security at KIT and Director of FZI. "At the same time, we have divided the server such that no individual party alone can retrieve any sensitive information. For example, one server might be run by the Robert Koch Institute, while others are operated by large companies." Even if all of these servers were compromised, the method would still reach the same security level as the approaches presented so far; its privacy advantage holds as long as the servers do not cooperate maliciously.
Protection against unnecessary and fake warnings
The proposal of the scientists also includes a feature that lets users reliably prove to medical experts that they had contact with an infected person before they are tested for COVID-19. Without this function, anybody could ask for a test by presenting a screenshot of a warning from another person's smartphone. To prevent unnecessary and potentially panic-inducing contact warnings, the information about an infection risk will only be given after a certain period of contact. This prevents, for instance, a person being warned after merely passing a car in which an infected person was sitting.
"Our approach is practicable, scalable, and offers additional security features that have not yet been implemented in any other method," Müller-Quade says. "Finding an optimum compromise between use, privacy, robustness, and performance for applications, however, is a delicate matter that requires further work on data protection and security technology as well as thorough validation not only by scientists, but also by society as a whole."