The approach to contact tracing taken by the Apple/Google project
- Smartphones broadcast “Rolling Proximity Identifiers” via Bluetooth Low Energy (BLE) every 200-270ms.
- Smartphones record the “Rolling Proximity Identifiers” they detect in their environment, along with when the signal was detected (but not where) and its RSSI.
- These “Rolling Proximity Identifiers” are cryptographically secure and change every 10 minutes.
- The “Rolling Proximity Identifier” functionality is built into the smartphone operating system; Public Health Systems develop Apps for their regions based on this functionality.
- When an App User has tested positive for the virus (“Affected User”), their App uploads “Diagnosis Keys” and dates of possible infectiousness to a central server operated by the Public Health System.
- App Instances of other users (potentially “Exposed Users”) frequently download all Diagnosis Keys from the central server. Because the keys and identifiers are cryptographically related, the “Rolling Proximity Identifiers” advertised by the infected person’s App Instance can be reconstructed from the Diagnosis Keys and compared with the identifiers the device has recorded.
- If a match occurs, the App User may have been exposed to another, infected App User.
- Contact Tracing – Framework Documentation (API)
- Contact Tracing – Bluetooth Specification
- Contact Tracing – Cryptography Specification
- Android Contact Tracing API
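The download-and-match step in the list above, as an added Python example (not code from the specifications or from either vendor). It assumes the derivations of the April 2020 v1.0 Cryptography Specification: daily key = HKDF(tracing key, "CT-DTK" || day number) and identifier = truncated HMAC(daily key, "CT-RPI" || interval number); check these labels against the linked specification. The function names, the sample key and the `in_window` consistency flag are illustrative.

```python
import hashlib
import hmac
import struct

INTERVALS_PER_DAY = 144  # 10-minute intervals, as stated in the list above


def hkdf16(key: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869), no salt, 16-byte output (one expand block)."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:16]


def daily_key(tracing_key: bytes, day: int) -> bytes:
    # Assumed v1.0 derivation: HKDF(tk, NULL, "CT-DTK" || day as uint32 LE, 16)
    return hkdf16(tracing_key, b"CT-DTK" + struct.pack("<I", day))


def rolling_id(dtk: bytes, interval: int) -> bytes:
    # Assumed v1.0 derivation: Truncate(HMAC(dtk, "CT-RPI" || uint8 interval), 16)
    return hmac.new(dtk, b"CT-RPI" + bytes([interval]), hashlib.sha256).digest()[:16]


def match_exposures(diagnosis_keys, observations):
    """diagnosis_keys: [(day, dtk)]; observations: [(rpi, unix_time, rssi)].
    Returns [(day, interval, unix_time, rssi, in_window)] for every match."""
    seen = {}
    for rpi, ts, rssi in observations:
        seen.setdefault(rpi, []).append((ts, rssi))
    hits = []
    for day, dtk in diagnosis_keys:
        for j in range(INTERVALS_PER_DAY):
            start = day * 86400 + j * 600
            for ts, rssi in seen.get(rolling_id(dtk, j), []):
                # in_window is False when the sighting time disagrees with
                # the interval the identifier was derived for.
                hits.append((day, j, ts, rssi, start <= ts < start + 600))
    return hits


def demo():
    # Constructed sample data: a fixed tracing key and two logged sightings.
    day = 18365  # 2020-04-13 UTC
    dtk = daily_key(bytes(range(32)), day)
    log = [(rolling_id(dtk, 57), day * 86400 + 57 * 600 + 120, -60),
           (bytes(16), day * 86400 + 100, -80)]  # unrelated identifier
    return match_exposures([(day, dtk)], log)


if __name__ == "__main__":
    print(demo())
```

The receiving device never learns who the Affected User is: it only sees that a 16-byte value it logged can be re-derived from a published daily key.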
Known cryptographic vulnerabilities
Commentary / analysis:
Mark Gurman, Bloomberg: Apple, Google Covid-19 Contact Tracing to Require Verification