The approach to contact tracing taken by the Apple/Google project
- Smartphones broadcast “Rolling Proximity Identifiers” via Bluetooth Low Energy (BLE) every 200-270ms.
- Smartphones record these “Rolling Proximity Identifiers” that they detect in their environment, including when the signal was detected (but not where) and RSSI.
- These “Rolling Proximity Identifiers” are cryptographically secure and change every 10 minutes.
- The “Rolling Proximity Identifier” functionality is built into the smartphone operating system; Public Health Systems develop Apps for their regions based on this functionality.
- When an App User has been tested positive for the virus (“Affected User”), their App uploads “Diagnosis Keys” and dates of possible infectiousness to a central server operated by the Public Health System.
- App Instances of other users (potentially “Exposed User”) frequently download all Diagnosis Keys from the central server. Due to the way the keys are cryptographically related to each other, potentially-recorded “Rolling Proximity Identifiers” advertised by the infected person’s App Instance can be reconstructed.
- If a match occurs, the App User may have been exposed to an infected other App User.
- Contact Tracing – Framework Documentation (API)
- Contact Tracing – Bluetooth Specification
- Contact Tracing – Cryptography Specification
- Android Contact Tracing API
Known cryptographic vulnerabilities
Commentary / analysis:
Wired: How Apple and Google Are Enabling Covid-19 Contact-Tracing
Mark Gurman, Bloomberg: Apple, Google Covid-19 Contact Tracing to Require Verification
Russell Brandom, VERGE: Answering the 12 biggest questions about Apple and Google’s new coronavirus tracking project
Views from independent security researchers:
Phillip Hallam-Baker video: Bonus edition of COVID Cryptography looking at the Apple/Google tracing application
Sergio Caltagirone on Twitter: This is terrible. Let me tell you why.
Moxie Marlinspike on Twitter: First look at Apple/Google contact tracing framework
Shoshana Zuboff on Twitter: Apple/Google promise “Opt-in” “Anonymity” “Only COVID” “Disable later”… All bait and switch without law to make it so. Who decides, democracy or corporations?
Andrew Crocker, Kurt Opsahl, and Bennett Cyphers for EFF: The Challenge of Proximity Apps For COVID-19 Contact Tracing