Contact Tracing And Widespread Testing Are A Vital Next Step In Dealing With The Pandemic

A project called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) aims to make use of smartphones in contact tracing while satisfying European privacy laws. The idea is to use Bluetooth to record which smartphones have been in proximity to each other, while using cryptography so that the recorded proximity history cannot be tied to identifiable people.

Here's the mission statement from the website:

The PEPP-PT system is a larger software system with many individual components.

PEPP-PT wants to continuously improve its approach and therefore needs to be open to ideas that pursue common goals. This in particular includes any ideas which adhere to the goals of supporting roaming/interoperability (“Pan European”), adhering to GDPR (“Privacy-Preserving”), and delivering epidemiological data to fight the pandemic (“Proximity Tracing”).

In accordance with the recently published EU Toolbox, PEPP-PT currently considers two privacy-preserving approaches: “centralized” and “decentralized”, and continues to be open for further ideas for improvement that support PEPP-PT goals.

What I believe is that an approach that involves building a system capable of accurately and efficiently identifying individuals likely to have been infected for intelligently targeted testing is absolutely mandatory for normal life to resume as soon as possible. The economic damage caused by the social distancing/lockdown measures is completely unsustainable if continued for very long, and the human and economic cost of allowing it to spread through populations unobstructed is so high that the epidemic must be suppressed. There is no alternative to large-scale testing and contact tracing. And contact tracing is completely impossible without sophisticated technological solutions.

Here's the part which interests those with privacy concerns:

Overview: How We Preserve Privacy and Maintain Security

Paragraphs 1-5 describe the flow of a reference implementation of PEPP-PT’s mechanisms. Paragraph 6 gives a very brief glimpse at how we maintain information and infrastructure security. Please get in touch with our partner managers to receive a full documentation package on privacy and security.

1 Anonymous identifier donation.

Each PEPP-PT phone broadcasts over a short distance a temporarily valid, authenticated and anonymous identifier (ID) that cannot be connected to a user. Proximity to the phones of other PEPP-PT users is estimated by measuring radio signals (Bluetooth, etc.) using well-tested and calibrated algorithms.

2 Logging the proximity history.

When PEPP-PT phone A is in epidemiologically sufficient proximity to PEPP-PT phone B over an epidemiologically sufficient period of time, as determined by the measurements, the anonymous ID of phone B is recorded in the encrypted proximity history stored locally on phone A (and vice versa). No geolocation, no personal information or other data are logged that would allow the identification of the user. This anonymous proximity history cannot be viewed by anyone, not even the user of phone A. Older events in the proximity history are deleted when they become epidemiologically unimportant.

3 Usage of the proximity history: two modes of operation.

Mode 1

If a user is not tested or has tested negative, the anonymous proximity history remains encrypted on the user’s phone and cannot be viewed or transmitted by anybody. At any point in time, only the proximity history that could be relevant for virus transmission is saved, and earlier history is continuously deleted.

Mode 2

If the user of phone A has been confirmed to be SARS-CoV-2 positive, the health authorities will contact user A and provide a TAN code to the user that ensures potential malware cannot inject incorrect infection information into the PEPP-PT system. The user uses this TAN code to voluntarily provide information to the national trust service that permits the notification of PEPP-PT apps recorded in the proximity history and hence potentially infected. Since this history contains anonymous identifiers, neither person can be aware of the other’s identity.

4 Country-dependent trust service operation.

The anonymous IDs contain encrypted mechanisms to identify the country of each app that uses PEPP-PT. Using that information, anonymous IDs are handled in a country-specific manner:

Mode 1

If both anonymous IDs of phone A and B are from the same country, the anonymous ID of the potentially infected party can be marked, so that when this party’s app enquires about his or her status, the app will be informed about the possible exposure.

Mode 2

If an anonymous ID of phone B is identified as being associated with another country than phone A, information associated with the anonymous ID of phone B is transmitted to the national trust service of the other country. This transmission is fully encrypted and digitally signed. Further processing is done by the national trust service of the country that issued the app.

5 Healthcare Processing

A process for how to inform and manage exposed contacts can be defined on a country by country basis.
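Paragraphs 1 to 5 describe a centralized flow: the phone broadcasts server-issued anonymous IDs, logs the IDs it observes encrypted on the device, and after a positive test uploads them under a TAN to a national trust service, which either marks the exposed party for its next status poll or forwards the ID, signed, to the country that issued it. The Python model below is an added example that walks through that flow end to end; it is not PEPP-PT's own code, and the page does not specify any of its internals. Everything in it is an assumption: the identifier layout (epoch, country code sealed under a key shared by all trust services, pseudonym sealed under the issuing country's own key), the stdlib HMAC-SHA256 keystream-plus-tag construction standing in for an AEAD cipher such as AES-GCM, the HMAC standing in for the digital signature on forwarded records, and the RSSI, duration and retention thresholds.

```python
"""Toy model of the centralized flow in paragraphs 1-5 (added example, not PEPP-PT code).
Stdlib only: an HMAC-SHA256 keystream plus HMAC tag stands in for an AEAD cipher, and an
HMAC under the shared federation key stands in for the signature between trust services."""
import hashlib, hmac, os, secrets, struct

def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(_prf(key, b"enc", nonce, bytes([i])) for i in range(n // 32 + 1))[:n]

def seal(key: bytes, msg: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: nonce | msg XOR keystream | HMAC(aad, nonce, ciphertext)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + _prf(key, b"mac", aad, nonce, ct)

def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag first: a forged or mis-routed blob raises instead of decrypting."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", aad, nonce, ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class TrustService:
    """National trust service. Assumed EBID = epoch(2) | seal_fed(country)(50) | seal_nat(pseudonym)."""
    def __init__(self, country: str, federation: dict):
        self.country, self.federation = country, federation
        self.national_key = os.urandom(32)  # only this service can recover its own pseudonyms
        self.federation_key = federation.setdefault("_key", os.urandom(32))  # shared by all
        self.valid_tans, self.exposed = set(), set()
        federation[country] = self
    def issue_ids(self, pseudonym: bytes, epochs):
        """Step 1: short-lived IDs carrying an encrypted country code and nothing about the user."""
        cc = self.country.encode()
        return [(e, struct.pack(">H", e) + seal(self.federation_key, cc, struct.pack(">H", e))
                 + seal(self.national_key, pseudonym, struct.pack(">H", e) + cc)) for e in epochs]
    def issue_tan(self, pseudonym: bytes) -> str:
        """Handed out by the health authority after a confirmed positive test (step 3, mode 2)."""
        tan = secrets.token_hex(8)
        self.valid_tans.add(tan)
        return tan
    def report(self, tan: str, contact_ids):
        """Upload of a proximity history: None if the TAN is unknown or already used."""
        if tan not in self.valid_tans:
            return None
        self.valid_tans.discard(tan)  # one-time use, so a captured TAN cannot be replayed
        return sum(self._route(ebid) for ebid in contact_ids)
    def _route(self, ebid: bytes) -> bool:
        epoch, cc_blob, pseud_blob = ebid[:2], ebid[2:52], ebid[52:]
        try:
            cc = open_(self.federation_key, cc_blob, epoch).decode()
            if cc == self.country:  # step 4, mode 1: mark the pseudonym for its next poll
                self.exposed.add(open_(self.national_key, pseud_blob, epoch + cc.encode()))
            else:  # step 4, mode 2: forward, signed, to the country that issued the ID
                sig = _prf(self.federation_key, b"sig", self.country.encode(), ebid)
                self.federation[cc].receive(self.country, ebid, sig)
            return True
        except (ValueError, KeyError, UnicodeDecodeError):
            return False  # forged or corrupted identifier: dropped
    def receive(self, sender: str, ebid: bytes, sig: bytes) -> None:
        if hmac.compare_digest(sig, _prf(self.federation_key, b"sig", sender.encode(), ebid)):
            self._route(ebid)
    def status(self, pseudonym: bytes) -> bool:
        return pseudonym in self.exposed  # the app learns nothing about who exposed it

class Phone:
    RSSI_MIN, MIN_SECONDS, RETENTION = -70, 900, 14  # assumed thresholds: dBm, seconds, epochs
    def __init__(self, service: TrustService, epochs=range(30)):
        self.service, self.pseudonym = service, os.urandom(16)  # pseudonym is never broadcast
        self.ids = dict(service.issue_ids(self.pseudonym, epochs))  # epoch -> EBID
        self.log_key, self.log = os.urandom(32), {}  # history sealed at rest: sealed EBID -> epoch
    def broadcast(self, epoch: int) -> bytes:
        return self.ids[epoch]
    def observe(self, ebid: bytes, epoch: int, rssi: int, seconds: int) -> None:
        """Step 2: keep only contacts close enough for long enough, and drop stale ones."""
        if rssi >= self.RSSI_MIN and seconds >= self.MIN_SECONDS:
            self.log[seal(self.log_key, ebid)] = epoch
        self.log = {k: e for k, e in self.log.items() if epoch - e < self.RETENTION}
    def report(self, tan: str):
        """Step 3, mode 2: the history is opened only for the voluntary, TAN-backed upload."""
        return self.service.report(tan, [open_(self.log_key, k) for k in self.log])

def demo() -> dict:
    """Two countries, four phones; phone A tests positive. Returns what each party learns."""
    federation = {}
    de, fr = TrustService("DE", federation), TrustService("FR", federation)
    a, b, c, d = Phone(de), Phone(de), Phone(fr), Phone(de)
    a.observe(b.broadcast(0), 0, rssi=-60, seconds=1200)    # old contact, pruned below
    a.observe(b.broadcast(20), 20, rssi=-60, seconds=1200)  # same country
    a.observe(c.broadcast(20), 20, rssi=-65, seconds=1000)  # cross-border
    a.observe(d.broadcast(20), 20, rssi=-90, seconds=1200)  # signal too weak: not logged
    r = {"log_entries": len(a.log), "bad_tan": a.report("not-a-tan")}
    tan = de.issue_tan(a.pseudonym)
    r["routed"], r["replay"] = a.report(tan), a.report(tan)
    r["forged_dropped"] = de.report(de.issue_tan(d.pseudonym), [os.urandom(116)])
    r.update(b=de.status(b.pseudonym), c=fr.status(c.pseudonym),
             d=de.status(d.pseudonym), a=de.status(a.pseudonym))
    return r
```

Calling `demo()` shows the properties the description claims: the distant contact never enters the log and the stale one is pruned; an upload without a valid TAN, or with a reused one, is refused; a forged identifier fails authentication at the trust service and is dropped; the same-country contact is marked by the DE service while the cross-border one is forwarded and marked by FR; and no phone ever handles anything but opaque identifiers. Real identifiers would have to fit into a Bluetooth advertisement, so the variable-length layout here is for readability only.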

6 Information and Infrastructure

All procedures, mechanisms, standards and code at PEPP-PT are continuously monitored by our security team. In parallel, national cyber security agencies and national data protection agencies inspect all of the above line by line on a regular basis and sign off. We have always asked, and continue to encourage, the security community to get in touch to review and improve our code or procedures.

Anything released to the public is checked that way so that no unintended effects exist in procedures or code, and potential loopholes are closed swiftly.

