Coronavirus Contact Tracing Plans For Androids and iPhones
Bluetooth LE And Rolling Proximity Identifiers
Google and Apple are working on a tool which will allow them to trace your phones travels and alert you if you may have come in contact with someone who has tested positive; depending of course on the honesty of people reporting to the app. The technology is interesting, assigning your device a unique tracing key which is used as a seed to generate a daily tracing key once a day which is then used to generate a hashed rolling proximity key every 15 minutes. This will allow the app to be able to determine which devices were physically close to each other at any given time. The keys are stored so that if someone reports a positive COVID-19 test to the app, it can alert any any all devices, and their owners, to possible exposure.
There are certainly some privacy concerns that will be raised by those choosing to participate in this by installing the app, which the developers address to a certain extent. The rolling proximity key is generated by hashing a timestamp and the daily key, which should prevent anyone from using it to determine your daily key or your devices unique tracing key so participants identities should remain anonymous. However, at the same time, that unique key does reside on your phone so if someone gains access to it not only can they trace your previous movements they could in theory use it to track your device in real time.
Hackaday has some questions about the effectiveness of the application as well, though it is certainly better than nothing. Bluetooth can penetrate materials which neither humans nor viruses can and may lead to false exposure reports. Imagine taking the elevator up a high rise where a few reported cases reside. There is no way for them to infect you while you are riding the elevator past their apartment, yet the app will register that contact and then share that with the system, which could then alert others in close proximity to you later that day about their possible exposure to you. There is also the question of the effect of those individuals that would find it amusing to report themselves as positive and then take a wander through a supermarket.
It’s an extremely tall order to do so in a way that is voluntary, respects personal privacy as much as possible, doesn’t rely on potentially vulnerable centralized services, and doesn’t produce so many false positives that the results are either ignored or create a mass panic. And perhaps much more importantly, it’s got to work.