Private Kit – Open Source, Privacy-First Contact Tracing

Private Kit is an open source, privacy-first contact tracing app for iOS and Android. The intent is to enable contact tracing, which is important for reducing the spread of diseases like COVID-19, while also assuring user privacy (which, over the long term, will likely engender more compliance and participation from the public).

The creators of the app have a whitepaper explaining the rationale behind Private Kit.

We’re building the next generation of secure location logging to preserve privacy and #flattenthecurve

Location logs provide time-stamped records of where users have been, allowing them to share information with health officials accurately and quickly. This helps support contact tracing efforts to slow the spread of the virus.

What’s truly special about Private Kit, though, is its privacy protection. Data never leaves users’ devices without their password entry and explicit consent. The location log generated by Private Kit cannot be accessed from outside the user’s device, meaning data transfer occurs only if the user chooses to share it with the researcher.

Privacy-Preserving Contact Tracing?

Contact tracing is a method of stopping the spread of diseases by quickly finding and treating people who have come into contact with an infected person. According to the World Health Organization:

This monitoring process is called contact tracing, which can be broken down into 3 basic steps:

1. Contact identification: Once someone is confirmed as infected with a virus, contacts are identified by asking about the person’s activities and the activities and roles of the people around them since onset of illness. Contacts can be anyone who has been in contact with an infected person: family members, work colleagues, friends, or health care providers.

2. Contact listing: All persons considered to have contact with the infected person should be listed as contacts. Efforts should be made to identify every listed contact and to inform them of their contact status, what it means, the actions that will follow, and the importance of receiving early care if they develop symptoms. Contacts should also be provided with information about prevention of the disease. In some cases, quarantine or isolation is required for high risk contacts, either at home, or in hospital.

3. Contact follow-up: Regular follow-up should be conducted with all contacts to monitor for symptoms and test for signs of infection.

The Zcash Foundation is looking to develop a decentralized, privacy-preserving contact tracing tool that would springboard off of the Singapore government’s TraceTogether application.

One incredibly exciting technological development is TraceTogether, a mobile application that assists with contact tracing produced by the Government of Singapore and the Singapore Ministry of Health (MoH). The app creates a temporary ID by encrypting a user ID to a MoH-owned public key, and then broadcasts the temporary ID over Bluetooth. This temporary ID is refreshed at regular intervals, so that it cannot be used as a long-term identifier for third-party tracking. Nearby mobile devices running the app log all observed broadcasts. If a user later develops symptoms and tests positive for COVID-19, they can upload their log of contacts to the MoH, who functions as a trusted third party that can decrypt the log entries and notify all of that user’s contacts of potential COVID-19 exposure. The MoH promises to use the log data only for the purposes of contact notification.

While this application is not perfectly privacy-preserving, it is far superior to location-tracking, and reveals personal information only upon infection, rather than using the threat of COVID-19 as a justification to build permanent surveillance infrastructure, or exposing patient data to the public. Public health requires public trust, and the developers should be congratulated for building privacy protections into the system.
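The TraceTogether flow described in the quoted passage above (rotating temporary IDs encrypted to the health authority's key, logged by nearby devices, decrypted only after upload), sketched as an added example that is not code from this page, the Zcash Foundation or TraceTogether. Toy ElGamal over a small prime stands in for the real cipher, which the page does not specify; the 15-minute refresh period, the ID packing and the stale-ID check on the authority side are assumptions.

```python
import secrets

# Toy ElGamal over Z_p^* with p = 2^127 - 1 (a Mersenne prime). Illustration only:
# far too small for real use, and not TraceTogether's actual cipher or parameters.
P = 2**127 - 1
G = 3
INTERVAL = 15 * 60  # assumed refresh period in seconds (the page gives no value)

def keygen():
    """Health-authority key pair: (private x, public h = g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def temp_id(user_id, now, pub):
    """Device side: encrypt (user_id, interval index) to the authority's public key."""
    m = (user_id << 40) | (now // INTERVAL)   # assumed packing; must stay below P
    k = secrets.randbelow(P - 2) + 1          # fresh randomness for every temp ID
    return pow(G, k, P), (m * pow(pub, k, P)) % P

def resolve(log, priv):
    """Authority side: decrypt an uploaded contact log and drop stale or replayed IDs."""
    contacts = set()
    for seen_at, (c1, c2) in log:
        m = (c2 * pow(c1, P - 1 - priv, P)) % P   # c2 / c1^x mod p
        user_id, interval = m >> 40, m & (2**40 - 1)
        if interval == seen_at // INTERVAL:       # ID must be current when observed
            contacts.add(user_id)
    return contacts

def demo():
    """Constructed scenario: one device broadcasts, a second one logs and uploads."""
    priv, pub = keygen()
    t0 = 1_585_000_000                            # constructed timestamp
    first = temp_id(1001, t0, pub)
    second = temp_id(1001, t0 + INTERVAL, pub)    # same user, next interval
    observer_log = [(t0, first), (t0 + INTERVAL, second),
                    (t0 + 5 * INTERVAL, first)]   # old ID replayed five intervals later
    return first != second, resolve(observer_log, priv)
```

The observer's log holds only opaque ciphertexts that change every interval; whoever holds the private key can resolve every entry in an uploaded log, which is the trusted-third-party assumption the passage points out.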

Weaponizing South Korean Contact Tracing

South Korea is relying extensively on contact tracing of COVID-19 positive patients and coupling that with controversial text alerts that reveal a lot of personal information about patients (names are not included, but it looks like more than enough information is included to de-anonymize most patients).

Part of the information the South Korean government includes in text alerts is which restaurants and businesses a patient had visited. As can be imagined, this has a major impact on those businesses, and has led to fraudsters attempting to blackmail restaurants:

While restaurants that had been named closed temporarily for fumigation, they say their association with the virus could put them out of business.

Fraudsters are now playing on those fears. A man claiming to be infected with Covid-19 called several restaurants in the Mapo district of Seoul warning that their business would suffer if he told health authorities he had eaten there, and demanded money in return for his silence. Police are investigating the case but have yet to locate the suspect.