Bluetooth Based Contact Tracing Scheme for Hamagen Benny Pinkas - - PowerPoint PPT Presentation

Hashomer: A Proposal for a Privacy-Preserving Bluetooth Based Contact Tracing Scheme for Hamagen

Benny Pinkas Eyal Ronen

Some disclaimers

• We are not that kind of doctors (medical / epidemiology)
• We do not represent the Israeli Ministry of Health
• We would not talk about the crypto details (see white paper)
• We will talk about our views on what is contact tracing
• Centralized vs. De-centralized
• The DP3T / GAPPLE solutions vs. our own
• What we think is the right solution for Israel

One of the main problems of COVID19

• Sdfg

Image taken from DP3T

People meet each other

Alice is identified as COVID-19 positive

Need to inform whoever met Alice

Manual Contact Tracing

• Manual epidemiologic interrogation
• Where have you been in the last two weeks?
• Hard to remember exact location and times
• Exposure defined as under 2 meter for over 15 minutes
• Who you have met?
• Some contacts are unknown
• Notify all of you contacts
• How to notify unknown contacts?

Initial solution: publish list of locations

• A labor intensive and inefficient process
• Very coarse grain and inaccurate information
• Hard to scale to a large number of new positives

How can contacts be automatically traced?

• Cellular information
• Pros: global, does not depend on user cooperation
• Cons: accuracy wise - inaccurate

privacy wise - tracks location rather than contacts government may learn locations of all people.

• Same arguments apply to similar types of surveillance: credit card

purchases, security cams, etc.

• Homomorphic encryption and MPC
• Might be used for processing data while limiting the risk, but will not mitigate

it completely. Do not scale up well.

How can contacts be automatically traced?

• Location data gathered on the device itself: GPS, wifi signals, etc.
• Pros: More accurate
• Cons: Still inaccurate (especially indoors)

Tracks location rather than contacts Requires cooperation by users (install an app; must convince users that this is for their own good) Privacy wise: depends on the specific solution

Contact tracing in Israel

• Manual epidemiologic interrogation
• Fine grained - individual contacts or specific locations
• Coarse grained – closing whole schools or workplaces
• Shabak - based on cellular networks (and other information?)
• List of customers at restaurants
• Wide and disturbing impacts on privacy
• Still not very accurate

Contact tracing in Israel

• Hamagen privacy preserving GPS based solution
• Devices keep a log of their whereabouts
• Devices retrieve a list of infected persons' locations

generated from manual interrogation

• Locally compare it to the user's GPS history
• Alert for possible exposure with time and location
• Preserve privacy for healthy users

nothing leaves the device

• Almost no privacy for infected persons

MoH redacts sensitive locations

• GPS has low accuracy, especially inside buildings.

Large number of false positives.

Bluetooth Low Energy (BLE) tracking

• Can identify other devices in close range
• Privacy issues
• Can’t just publish MAC address
• Technical issues
• Distance and duration estimations depend on multiple

factors (model, obstructions...)

• BLE must be sent/received in the background
• Power consumption ?
• Effective only if both devices support the protocol
• For full utility, 60% of users must install. Still good if

fewer people install. BLE

In an Ideal World

• etc. …

Trusted Party

In an Ideal World

Knows all contacts (not necessarily locations)

In an Ideal World

Knows all contacts

Centralized Output

The government

Centralized Output

The government stay at home!

Government does not learn about the contacts of non-infected people (in this ideal implementation)

De Decentralized Output

Data which enables to identify contacts

De Decentralized Output

Data which enables to identify contacts

Oops Oops Oops

Government learns nothing, unless those who contacted the sick person want to report about this

De Decentralized Output

Data which enables to identify contacts

Oops Oops Oops

Government learns nothing, unless those who contacted the sick person want to report about this

Centralized vs. Decentralized

• Who controls the data?

(government vs. users)

• Who gets the output?

(government vs. users)

• Centralized (Singapore, Australia, UK?): we must trust that the

government does not misuse its power

• Even more so in real world implementations of this model
• Decentralized (Europe / GAPPLE): we must trust that users will do the

right thing

Real World Implementation of the Centralized model

In the real world, the implementation of the centralized model might reveal to the government who was in contact with whom

Our Approach

• Users must trust that the system preservers their rights
• Otherwise they will “cheat”
• Government might fight that, but we don’t want to get there

Basic centralized design

• Government chooses the values sent over BLE
• (simplification) Each device encrypts its identity

(plus the time) under the government's public key, and broadcasts it over BLE

Basic centralized design

• Government chooses the values sent over BLE
• (simplification) Each device encrypts its identity

(plus the time) under the government's public key, and broadcasts it over BLE

• Users who receive such messages keep them

(but cannot decrypt)

Basic centralized design

• When a user is sick, it sends to the

government all encrypted ids that it received

Basic centralized design

• When a user is sick, it sends to the

government all encrypted ids that it received

• The government decrypts these ids and tells

the corresponding people to quarantine

stay at home!

Basic centralized design

• When a user is sick, it sends to the government

all encrypted ids that it received

• The government decrypts these ids and tells the

corresponding people to quarantine

• Can be misused
• Stored ids can be subpoenaed or compromised
• Passive receivers can be used to accurately track users
• Many more...

stay at home!

Basic decentralized design

• Every 5 minutes each device picks a random

value and broadcasts it over BLE

Basic decentralized design

• Every 5 minutes each device picks a random

value and broadcasts it over BLE

• If user is COVID positive, he can choose to

give the government the list of values that he broadcasted

rand1, rand2, ...

Basic decentralized design

• The government broadcasts the random values

received from all new COVID+ people

rand values of all new sick users

Basic decentralized design

• The government broadcasts the random values

received from all new COVID+ people

• All users compare this list to the values that they

received

• If there is a match then they can choose to report

this

rand values of all new sick users

match ?

Google/Apple

• Similar to the DP-3T decentralized design
• Similar to basic design
• Generate random key for each day
• Ephemeral IDs for the day are all derived from

the daily key

• Infected person's daily "Temporary Exposure

Keys" are broadcasted to all users

• Reduces the communication complexity
• 1000 positives × 14 days × 24 hours

× 4 ids per hour × 16 Bytes ~ 21 MB

• 1000 positives × 14 days × 16 Bytes ~ 0.2MB

Tradeoff Between Privacy and Explainability

• Do we protect the privacy of infected persons?
• Depends on the information given to users, but basically NO
• GAPPLE / DP3T only reveal the day of the contact
• No explainability
• No way to filter false positives
• Doesn't seem to be a problem for DP3T in Switzerland
• Only protects privacy against receivers which follow the protocol
• In Israel locations and times are published
• We suggest revealing location and coarse time of contact

Linkability and Partial Disclosure

• GAPPLE / DP3T send a single key per day, which allows linking all IDs

that an infected person sent on the same day

• It is also impossible to redact "sensitive" time periods
• We suggest using hourly keys
• Using a "Tree" like key derivation scheme to allow flexible tradeoff

between privacy and communication complexity

• And allowing the user or MoH to redact different periods of time
• Better privacy

Relay Attacks

• Attack Scenario
• BT receiver is placed in an emergency room
• BT transmitter is placed in a busy supermarket

rand

Protecting against Relay Attacks

• GAPLLE / DP3T is insecure wrt these attacks
• We suggest sending the user's coarse grain geohash
• Receiver anyway knows this location
• Use authenticated encryption, key revealed only for infected persons
• Server does not learn the location
• Tradeoff between security and privacy
• Location information stored on device might be compromised or subpoenaed
• More advance attacks still possible
• e.g., colluding with an infected person

Proving exposure to COVID+

• In DP3T/GAPPLE, users can

just claim that they were exposed to a patient

• Our design enables users to

prove that they were exposed

Did anyone see any of these values sent by new sick users?

I did!

So you can’t take the exam tomorrow…

How to prevent coercion?

• User choice is required for trust
• App usage must be voluntary
• Users might still be coerced to install (e.g., by employers)
• Users should be given the option
• To decide if a notification is correct or is a false positive
• To choose whether to notify the authorities or not
• To disable BT transmission and / or reception
• To delete keys for specific time intervals
• To delete notification history
• Otherwise, users will find ways to "cheat"
• Hopefully, most users will do the right thing

Current status

• Design and reference implementation at

https://github.com/eyalr0/HashomerCryptoRef

• A little more complex but as efficient as DP3T/GAPLLE
• A new version of Hamagen which includes our BT solution has

been developed

• A lot of hard work by MoH and volunteers
• Code is / should be open source
• Should have gone online this week
• Release is postponed to unknown date due to low-level BLE issues

Current status

• GAPPLE claim that they have solved the low-level BLE issues

However, they are banning Israel MoH from using their solution

• Can only access the low-level BLE interface by using the GAPPLE

API

• Apps using GAPPLE API cannot access location information
• Prevents backward support for the current Hamagen GPS based solution
• Prevents tracing contacts from large populations without a smartphone
• No security or privacy motivation for this decision

What is the most important thing can we do?