It is at this time, about 4 months since early January when the entire Hubei province of China was infected with Covid-19, that the use of contact tracing technology is starting to gain a serious foothold.
Using AI, governments worldwide have been creating contact tracing apps for the public to download and use to reduce the spread of Covid-19. Many Asian countries, such as China, South Korea, and Taiwan have already implemented location tracking technology to alert the public of Covid-19 redzones, or to notify a user if they were near someone infected with the virus.
A new AI contact-tracing app called TraceTogether has been released fresh out of Singapore. In collaboration with the Singapore Government Digital Services, it is powered by BlueTrace, which in its own words, is:
“an open source application protocol of the Singapore government which facilitates the digital contact tracing of infected participants.” -BlueTrace, Company Description on Google
The TraceTogether app works similar to other contact-tracing apps in that most of the public needs to have the app downloaded in order for Covid-19 alerts to be efficient. However, devices with the TraceTogether app use bluetooth signals to exchange proximity information and to identify infected persons. The intricacy of this AI tech is explained in BlueTrace’s white paper.
TRACETOGETHER TECH BREAKDOWN
TraceTogether Demonstration Video https://www.youtube.com/embed/buj8ZTRtJes
When a user downloads the TraceTogether app and registers their phone number, a unique randomised UserID is generated and becomes associated with the user’s phone number. The phone numbers are used to contact other users with the app if they have been exposed to an infected person for a measured duration of time.
The BlueTrace protocol logs bluetooth encounters through handshakes (an exchange of predetermined signals determining when a connection has been established between two participating devices).
The two devices exchange encrypted temporary identifiers over bluetooth signals to tell if the owner of the device is infected with Covid-19, but are unable to identify the identity of a user. The design of bluetooth logging is privacy-oriented in that:
The TempID for each encounter is encrypted and cryptographically generated. It can only be decrypted by the health authority to obtain a UserID and validity period.
Third parties cannot use BlueTrace apps to track users. The temporary identifier message is randomized and changes frequently, which makes it more difficult for hackers to track the location of users.
The only personal data used is a user’s phone number
The data of a user’s encounter history is only stored on the user’s device, and not for more than one week
TraceTogether regularly scans for other devices that have the app downloaded in a particular area. It implements a blacklist of recently seen devices to know not to contact them when recognizing them in a scanning cycle. If a user is infected with Covid-19, they must upload their encounter history to the app, and a health authority who monitors the program then contacts all of the people that an infected user has had exchanges with through the bluetooth signals.
Bluetooth tracing technology is not new, but may be most effective to reduce the spread of Covid-19 infection. It’s advantage of approximating close contacts within 2 meters (the average distance for Covid-19 infection) is useful in identifying when one user may have been infected with Covid-19 from another user. However, the main challenge for TraceTogether and other AI contact-tracing apps is that most of the population in a specified region must have the app downloaded in order to make contact-tracing effective. If just 5 out of 10 people have TraceTogether downloaded, the virus will continue to be unruly and uncontained.
DATA PROTECTION CONCERNS
As for concerns with privacy and the protection of personal data, TraceTogether has clearly been designed with user privacy in mind from the beginning. From a security perspective, this is at least a great start compared to most app-designs. The only personal information used (from what is known from the Bluetrace white paper) is a user’s mobile phone number to provide alerts.
However, concerns that hackers or “wicked opportunists” still remain in abundance. It would be problematic if some users decided to falsely declare themselves as infected with Covid-19, which could set off unnecessary panic.
The sense of safety in encryption and randomization is also not entirely secure, for as long as hackers are toying with new ways to disrupt AI, there are many parties that they can choose from to compromise. For example: An attacker targeting a specific user could not only capture a bluetooth signal from the target’s main device, but they could also intercept one of the signals pinging back and forth between numerous surrounding devices. Better yet, they could compromise the health authorities who continuously monitor the data.
In order to fully protect users and their data, it is recommended that TraceTogether continuously work on updates to address future risks and that users continuously download application patches. Contact-tracing Covid-19 is a major responsibility for both governments and tech communities to take on due to what is at stake (the user!), so it is paramount to make sure that the AI being used is secure.
Feature Image TraceTogether Logo https://www.tracetogether.gov.sg/