Cryptography for COVID-19 - How Privacy Can be Enabled for Pandemic Contact Tracing
June 14, 2020
Though many countries around the world are still in the midst of lockdown to mitigate the spread of transmission of the coronavirus COVID-19 pandemic, some are beginning to emerge from isolation and look to resume a more normal state as they seek to get the economy and social experiences up and running. However, as has been seen in some countries, easing lockdown measures too early has led to a resurgence of new cases and worries that a second wave may hit. Despite the risks, many are seeking ways to work around the issues at hand, and for many the answer seems to be monitoring and tracking of those who develop symptoms and the ability to warn those they may have had contact with - ‘contact tracing’.
Obviously, there are issues with this approach as many worry about who would be in control of this solution and the huge potential privacy concerns that this data might engender. Alongside this, it has been reported in some places that people who worry they might have the virus keep the information quiet as they do not want to be seen or judged negatively. Any solution that could be accepted would not only need to deal with the privacy issues raised, but also ensure that those using the system had the confidence to report their symptoms and results accurately and without fear of reprisal. In order to do this, a cryptographically-secure and privacy-centric solution would need to be implemented, and it would need to be one that was simple to use and accessible to all.
Research into these possibilities is exactly what has been going on at Edinburgh Napier University. A paper has been worked on recently, carried out in conjunction with the Blockpass Identity Lab - a research lab set up as a collaboration between Blockpass and Edinburgh Napier University - which looks into how privacy and security standards can be met in a pandemic-tracking system. “PAN-DOMAIN: Privacy-preserving Sharing and Auditing of COVID-19 Infection Identity Matching” was written by Will Abramson, Professor Bill Buchanan, and Owen Lo. It is expected to be available, along with other articles from the authors and the Blockpass Identity Lab, on ResearchGate in the near future.
The research paper describes how digital contact tracing can be used, with people having unique ID codes which can be used with mobile devices and Bluetooth networks to monitor and track the individual’s location, enabling a system which can connect with and report to other devices that come within a set radius. With this data, a person who tests positive for COVID-19 can then update their app, prompting the system to notify people that are logged as having passed close to the device’s owner that they are at risk and need to be tested themselves. The paper notes that Apple and Google have worked together to create a Bluetooth-tracking API, and that PAN-DOMAIN has posited a solution to link this with pandemic contact tracing in such a manner that only verified testing centres can initiate the health warning, preventing misuse by people seeking to cause trouble with the system.
Where the novel approach taken by this paper comes in, is in a method to create pseudonyms for users which would ensure privacy could be met at the highest level and allow users to be represented across a multitude of services whilst simultaneously preventing different services from accessing information they are not entitled to see or misusing the data. As the paper states, its purpose is to “outline a concrete and realistic example of this cryptography applied to pandemic tracing”. This would put the user in control of their own data, including giving them the ability to audit who has been requesting their data, whilst still allowing for multiple agencies to gain access to the information they need to function and help prevent the spread of pandemics. The possibility exists, the paper explains, to completely anonymise the user from the fact that they are or are not infected; there is no need for a person to know who they might have been infected by, just whether they are at risk and need to get checked. This possibility can be made a reality by the use of advanced cryptographic techniques such as homomorphic encryption and zero-knowledge proofs.
Building on algorithms previously developed, the paper examines how a healthcare organisation could build out a contact tracing app. This covers the various steps to set up the system, how people could download and register for the app, how the contact tracing would work and how the system would process the various states that the different actors in the system would go through as the process took place. The end result of this is a process where verified health centres can authenticate, monitor and notify the individuals in the system without compromising privacy and only with users’ consent. Not only would this benefit the user, with greater control over their personal information, but would bring peace of mind to healthcare organisations as it would remove the necessity and worry of storing large amounts of sensitive information.
From this, the paper goes on to look into the ability to audit those who are seeking to process their data, and how the solution could be applied on a large scale, such as with the COVID-19 pandemic. In the paper, the authors also detail the scale of the problem, along with the similarities and differences of the issue in various different countries. In this instance, the paper is looking specifically at utilising these methods and cryptography for pandemic contact tracing solutions but the authors note that there are wider implications for this type of technology. Those who have an interest in the mathematics behind this and the specifics of how the solutions could be implemented and would work can find the details in the paper when it is made available.
When Blockpass and Edinburgh Napier University partnered to launch the Blockpass Identity Lab in September 2018, this kind of privacy-preserving and problem-solving solution was exactly the kind of work that was the focus for research and development. The peerless cryptographic skills and privacy-centric ideals of the students and professors working for the University and the Lab were precisely the ideals that Blockpass sought to partner with to improve the potential of the Blockpass Mobile App and KYC Connect® solutions, as well as future developments, as Blockpass strives to make identity fast, simple and painless without compromising security or privacy. Developments such as the research that is coming from the Blockpass Identity Lab will enable Blockpass to provide the best possible identity management solutions whilst maintaining the highest standards of regulatory compliance and data privacy, putting the user at the centre, in control of their own data.
To find out more about the Blockpass Identity Lab, click here. To find out how Blockpass is looking to assist in tackling this COVID-19 pandemic, click here. The Blockpass platform is fully automated and hosted in the cloud, with no integration or setup fee. Businesses can sign up to the KYC Connect® console in a matter of minutes, test out the service, and start conducting identity documents verification, KYC and AML checks. Sign up for FREE at console.blockpass.org.