Contact tracing app warns of COVID-19 exposure while protecting privacy
Three Boston University computer scientists and engineers are working on a smartphone app that could let people know if they have come in contact with someone who has tested positive for COVID-19, while protecting the privacy of all parties.
Ran Canetti, Ari Trachtenberg, and Mayank Varia have teamed up with researchers at Massachusetts Institute of Technology and other universities to develop an app that uses Bluetooth-enabled cell phones to notify a person if they have come into close proximity with someone infected with SARS-CoV-2, the novel coronavirus that causes COVID-19 and has been officially detected in more than 2 million people worldwide.
To work best, the app requires many people to use it, whether they have had COVID-19 or not. The app broadcasts random Bluetooth signals and records the signals sent by nearby cell phones that also have the app installed. App users who have been diagnosed with COVID-19 voluntarily and anonymously report their positive results, which then causes their Bluetooth pings from the last 14 days to be uploaded to a database that’s coded to ensure that the diagnosed user is uploading their own pings. From there, those signals are compared with pings of other app participants in the system. The app then alerts users of possible proximity to an infected person, and subsequently directs them to follow up with health officials (or their doctor). All of the uploaded information is verified by a public health agency, and all apps must be installed by users voluntarily.
For Canetti, Trachtenberg, and Varia, the main concern with the technology is preserving privacy. “The question of privacy originally came up in a discussion on the mailing list of the BU Hariri Institute’s Cyber Security, Law, and Society Alliance,” says Trachtenberg, a professor of electrical and computer engineering. “I proposed a [prototypic] approach to privacy-aware contact tracing, and Ran, Mayank, and I fleshed out the approach in a paper that we posted to arXiv on March 27.”
The arXiv paper attracted a great deal of attention, and the BU team soon joined the PACT (Private Automated Contact Tracing) team, which is led by Ron Rivest, an MIT professor and the inventor of several highly regarded encryption algorithms.
“PACT was started in response to COVID-19,” says Varia. “This is just one small piece of the COVID-19 puzzle; there exist an immense number of healthcare issues and also many technological ones that PACT does nothing to address. On the other hand, this technology can be useful beyond the current epidemic since we [plan to] have this capability ready to go in advance of the next epidemic—which hopefully won’t be for a long time.”
PACT also includes scientists from Massachusetts General Hospital, the Weizmann Institute of Science, Brown University, Carnegie Mellon University, and the MIT Lincoln Laboratory. The researchers say key elements in the PACT protocol are taken from the original design proposed by the team of BU engineers. Apple and Google recently put forth a very similar protocol in their own contact tracing app.
“Typically, an effort like this would be done over years, with publication and peer-review, but we just don’t have the time for the formal academic mechanism,” says Trachtenberg. “The broad PACT collaboration serves as an excellent substitute in this time of need. It’s essential that this system be put together at breakneck speed.”
Varia, codirector of BU’s Center for Reliable Information Systems and Cyber Security (RISCS) and research associate professor in computer science, emphasizes that the app does not transmit any personal information, or even a unique identifier for a phone.
“To protect everyone’s privacy, we are only sending random ‘garbage’ within each Bluetooth packet,” he says. “We call these random numbers ‘chirps.’ People who are diagnosed with COVID-19 voluntarily post only these random chirps to a public database, which permits anyone who has come into contact with the diagnosed person to check (locally on their own phone) whether any of the chirps they have [encountered] match the entries in the public database.”
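The chirp exchange and the on-phone check described above can be sketched as follows. This is an added illustration, not code from the article or from the PACT team: the chirp size, the integer day counter and all class and function names are assumptions, and the upload verification by a public health agency is not modeled.

```python
import secrets

CHIRP_BYTES = 16      # assumed chirp size; the article gives none
WINDOW_DAYS = 14      # upload window stated in the article


class Phone:
    """One app install. Holds only random chirps, never a name or phone ID."""

    def __init__(self):
        self.sent = {}    # day -> chirps this phone broadcast
        self.heard = {}   # day -> chirps received from nearby phones

    def chirp(self, day):
        """Broadcast a fresh random value and remember it locally."""
        value = secrets.token_bytes(CHIRP_BYTES)
        self.sent.setdefault(day, []).append(value)
        return value

    def hear(self, day, value):
        self.heard.setdefault(day, set()).add(value)

    def report_positive(self, today, database):
        """After a diagnosis, publish own chirps from the last 14 days only."""
        for day, chirps in self.sent.items():
            if today - WINDOW_DAYS < day <= today:
                database.update(chirps)

    def exposure_days(self, today, database):
        """Local check: days on which a heard chirp appears in the database."""
        return sorted(day for day, chirps in self.heard.items()
                      if today - WINDOW_DAYS < day <= today and chirps & database)


def meet(day, a, b):
    """Two phones in Bluetooth range exchange one chirp each."""
    b.hear(day, a.chirp(day))
    a.hear(day, b.chirp(day))


def simulate():
    """Constructed scenario: alice is diagnosed on day 20."""
    alice, bob, carol, dave = Phone(), Phone(), Phone(), Phone()
    meet(1, alice, dave)     # day 1: outside the 14-day window on day 20
    meet(10, alice, bob)     # day 10: inside the window
    meet(12, bob, carol)     # carol never met alice
    database = set()         # public database: random chirps, nothing else
    alice.report_positive(20, database)
    return [p.exposure_days(20, database) for p in (bob, carol, dave)], database
```

Only Bob's phone finds a match, and the database it checked against holds a single random value with no link to Alice's identity or location.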
Canetti, director of RISCS and professor of computer science, says the technology demonstrates how automatic contact tracing can be done on a phone-to-phone basis and without a centralized opaque database that holds location information on all individuals.
“That’s important,” he says, “because it counters the prevailing perception that mitigating the pandemic via automatic contact tracing mandates large-scale, government-led violation of privacy of all or most of the population.”