Developed by | Singapore Government Digital Services |
---|---|
Introduced | March 24, 2020 |
Industry | Digital contact tracing |
Compatible hardware | Android & iOS smartphones |
Physical range | ~10 m (33 ft) [1] |
Website | bluetrace |
BlueTrace is an open-source application protocol that facilitates digital contact tracing of users to stem the spread of the COVID-19 pandemic. [2] Initially developed by the Singaporean Government, BlueTrace powers the contact tracing for the TraceTogether app. [3] [4] Australia and the United Arab Emirates have already adopted the protocol in their government apps, [5] [6] [7] and other countries were considering BlueTrace for adoption. [8] [9] A principle of the protocol is the preservation of privacy and health authority co-operation. [10]
Preservation of user privacy was one of the core considerations around which BlueTrace was designed. To achieve this, personal information is collected only once at the point of registration and is only used to contact potentially infected patients. Additionally, users can opt-out at any time, clearing all personal information and rendering any recorded data untraceable. Contact tracing is done entirely locally on a client device using Bluetooth Low Energy, storing all encounters in a contact history log chronicling encounters for the past 21 days. Users in the contact log are identified using anonymous time-shifting "temporary IDs" issued by the health authority. This means a user's identity cannot be ascertained by anyone except the health authority with which they are registered. Additionally, since temporary IDs change on a regular basis, malicious third parties cannot track users by observing log entries over time.
Once a user tests positive for infection, the health authority requests the contact log. If the user chooses to share their log, it is sent to the health authority where they match the temporary ID with contact information. Health authorities are not able to access log entries about foreign users, so those entries are sent to the appropriate foreign health authority to be processed there. Once a log has been processed, the health authority contacts the user identified by the record.
The protocol is focused on two areas: locally logging registered users in the vicinity of a device and the transmission of the log to the operating health authority, all while preserving privacy. To achieve this, the protocol can be divided into the areas of device to device communication (DDC), and device to reporting server communication (DRSC).
The DDC component operates on top of the existing Bluetooth Low Energy protocol, defining how two devices acknowledge each other's presence. [10] : p. 2 The DRSC component uses HTTPS to communicate a timeline of visits to a centralized server owned by a health authority once a user has tested positive for an infection. The health authority can then, using the log, notify the users who came in contact with the infected patient. [10] : p. 2
Each app implementing the BlueTrace protocol has a corresponding central reporting server operated by a health authority. The reporting server is responsible for handling initial registration, provisioning unique user identifiers, and collecting contact logs created by the DDC part of the protocol. When the user first launches a BlueTrace app, they will be asked for their internationally formatted phone number and are assigned a static UserID. [10] : section. 4 This phone number is later used if the user has registered an encounter in an infected patient's contact log.
Once registered, users are provisioned Temporary IDs (TempID) uniquely identifying them to other devices. Each TempID has a lifetime of 15 minutes to prevent malicious parties from performing replay attacks or tracking users over time with static unique identifiers. [10] : section. 4.2 TempIDs are generated from a user's UserID, the TempID start time, and the TempID expiry time, which are encrypted and turned into a Base64-encoded string by the server using a secret symmetric encryption key. To ensure devices have a constant supply of TempIDs, even in an unstable network environment, TempIDs are transmitted to devices in forward-dated batches. [10] : section. 4.2 The composition of a TempID is shown below:
Once a user has tested positive for infection, the health authority generates a PIN authenticating the user to upload their contact log to the reporting server. As part of the log, metadata about each encounter is included, the most important of which are the timestamp and health authority identifier (HAI).
The HAI identifies to which health authority the logged contact reports. If the HAI represents a foreign health authority the log entry is transmitted to the identified authority to be processed there.
Once a health authority has filtered log entries to only include home clients, they decrypt the TempID to reveal the UserID, start time, and expiry time. The start and expiry date are compared with the encounter timestamp to ensure validity, and the UserID is matched to a phone number. The health authority can then contact the phone number to inform a user of potential contact with an infected patient.
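The issuance and resolution steps described above can be sketched as follows. This is an added example, not code from OpenTrace or the BlueTrace authors: the page only says "a secret symmetric encryption key", so AES-256-GCM, the byte layout, the `timestamp` field name and the `HOME_HAI` value are assumptions made for illustration.

```javascript
// Added example: reporting-server TempID issuance and contact-log resolution.
// ASSUMPTIONS (not from the page): AES-256-GCM, the byte layout, the `timestamp`
// field name and the HOME_HAI value.
const nodeCrypto = require('node:crypto');

const HOME_HAI = 'XX_HOME';            // constructed health authority identifier
const TEMPID_LIFETIME_S = 15 * 60;     // 15-minute lifetime, as stated on the page

// Encrypt (start | expiry | UserID), then Base64(ciphertext | IV | auth tag).
function issueTempID(key, userId, startS) {
  const head = Buffer.alloc(8);
  head.writeUInt32BE(startS, 0);
  head.writeUInt32BE(startS + TEMPID_LIFETIME_S, 4);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(head), c.update(userId, 'utf8'), c.final()]);
  return Buffer.concat([ct, iv, c.getAuthTag()]).toString('base64');
}

// Forward-dated batch: consecutive windows so a device can rotate while offline.
function issueBatch(key, userId, firstStartS, count) {
  return Array.from({ length: count }, (_, i) =>
    issueTempID(key, userId, firstStartS + i * TEMPID_LIFETIME_S));
}

// Decrypt a TempID; null when it is malformed or fails authentication.
function openTempID(key, tempId) {
  const raw = Buffer.from(String(tempId), 'base64');
  if (raw.length < 8 + 1 + 12 + 16) return null;
  const ct = raw.subarray(0, raw.length - 28);
  const iv = raw.subarray(raw.length - 28, raw.length - 16);
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    d.setAuthTag(raw.subarray(raw.length - 16));
    const pt = Buffer.concat([d.update(ct), d.final()]);
    return { startS: pt.readUInt32BE(0), expiryS: pt.readUInt32BE(4),
             userId: pt.subarray(8).toString('utf8') };
  } catch {
    return null;
  }
}

// Split an uploaded log by HAI and resolve home entries to UserIDs.
function processLog(key, entries) {
  const out = { notify: new Set(), forward: [], rejected: [] };
  for (const e of entries) {
    if (e.o !== HOME_HAI) { out.forward.push(e); continue; } // foreign key needed
    const t = openTempID(key, e.id);
    // Encounter time must fall inside the TempID's validity window.
    if (t && e.timestamp >= t.startS && e.timestamp <= t.expiryS) out.notify.add(t.userId);
    else out.rejected.push(e);
  }
  return out;
}

// Constructed sample log: one valid entry, one TempID used before its window,
// one tampered TempID, one entry belonging to a foreign authority.
function sampleRun() {
  const key = nodeCrypto.randomBytes(32);
  const t0 = 1585000000;
  const [a, b] = issueBatch(key, 'user-0001', t0, 2);
  const tampered = (a[0] === 'A' ? 'B' : 'A') + a.slice(1);
  return processLog(key, [
    { id: a, o: HOME_HAI, timestamp: t0 + 60 },
    { id: b, o: HOME_HAI, timestamp: t0 + 60 },
    { id: tampered, o: HOME_HAI, timestamp: t0 + 60 },
    { id: a, o: 'YY_FOREIGN', timestamp: t0 + 60 },
  ]);
}
```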
The DDC part of the protocol defines how two devices communicate and log their contact. Each device is in one of two states, Central or Peripheral, on a duty cycle of around 1:4, respectively.
In Peripheral mode, a device advertises its presence, and in Central mode, it scans for advertising devices. Additionally, certain devices are incapable of operating in Central mode and thus operate purely in Peripheral mode. [11] Once two devices have discovered each other, they communicate a characteristic packet containing information about themselves. The packet is formed as a JSON file, containing the device's TempID, device model, HAI, and BlueTrace protocol version.
When operating in Central mode, the device additionally sends the strength of the signal, allowing the approximate distance between the two devices to be calculated later. Below is an example Central characteristic packet:
```js
{
    "id": "FmFISm9nq3PgpLdxxYpTx5tF3ML3Va1wqqgY9DGDz1utPbw+Iz8tqAdpbxR1nSvr+ILXPG==", // TempID
    "md": "iPhone X", // Device model
    "rc": -60,        // Signal strength
    "o": "IJ_HAI",    // Health authority identifier
    "v": 2            // Protocol version
}
```
These characteristics are then added to a local database on the device where they are stored for 21 days and can be sent to the reporting server later. The contacted device is also added to a local blacklist for two duty cycles in order to stop two devices repeatedly contacting each other, saving power and storage.
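The device-side handling described above (untrusted peer packet, 21-day retention, two-cycle blacklist) is shown here as an added example, not code from the TraceTogether or OpenTrace apps. The duty-cycle length, the field size limits, the signal-strength bounds and the use of a peer address as the blacklist key are assumptions.

```javascript
// Added example: device-side logging of a peer's characteristic packet.
// ASSUMPTIONS (not from the page): cycle length, size limits, rc bounds,
// and keying the blacklist on a peer address.
const RETENTION_MS = 21 * 24 * 60 * 60 * 1000; // 21-day history, per the page
const DUTY_CYCLE_MS = 60 * 1000;               // assumed duty-cycle length
const BLACKLIST_MS = 2 * DUTY_CYCLE_MS;        // two duty cycles, per the page

// Parse untrusted peer JSON and keep only the documented fields.
function parsePacket(text) {
  if (typeof text !== 'string' || text.length > 512) return null;
  let p;
  try { p = JSON.parse(text); } catch { return null; }
  if (p === null || typeof p !== 'object' || Array.isArray(p)) return null;
  const okStr = (s, max) => typeof s === 'string' && s.length > 0 && s.length <= max;
  // TempID must look like Base64; it is opaque to the device and never decrypted here.
  if (!okStr(p.id, 256) || !/^[A-Za-z0-9+/]+={0,2}$/.test(p.id)) return null;
  if (!okStr(p.md, 64) || !okStr(p.o, 32)) return null;
  if (!Number.isInteger(p.v) || p.v < 1) return null;
  // rc is only present in Central packets; out-of-range values are dropped.
  const rc = Number.isInteger(p.rc) && p.rc >= -127 && p.rc <= 20 ? p.rc : null;
  return { id: p.id, md: p.md, rc, o: p.o, v: p.v };
}

class ContactLog {
  constructor() {
    this.entries = [];
    this.blacklist = new Map(); // peer address -> time the block ends
  }

  // Record one encounter unless the peer was logged within two duty cycles.
  record(peerAddress, text, nowMs) {
    const until = this.blacklist.get(peerAddress);
    if (until !== undefined && nowMs < until) return 'blacklisted';
    const pkt = parsePacket(text);
    if (!pkt) return 'invalid';
    this.entries.push({ ...pkt, timestamp: nowMs });
    this.blacklist.set(peerAddress, nowMs + BLACKLIST_MS);
    return 'logged';
  }

  // Drop encounters older than 21 days and expired blacklist entries.
  purge(nowMs) {
    this.entries = this.entries.filter((e) => nowMs - e.timestamp < RETENTION_MS);
    for (const [addr, until] of this.blacklist) {
      if (until <= nowMs) this.blacklist.delete(addr);
    }
    return this.entries.length;
  }
}
```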
The cooperation between separate health authorities is a core component of the BlueTrace protocol, and it is designed such that multiple authorities can work together without revealing personal information to foreign authorities with which a user is not registered. Since each authority maintains its separate encryption key and user records, a health authority can't decrypt and see a foreign user's data.
To ensure log entries are sent to the correct authority, part of the DDC handshake contains a health authority identifier (HAI), a unique string assigned to registered health authorities. Once a foreign health authority's log entry is identified, the receiving health authority transmits the log entry to the foreign authority's reporting server where it is verified, and a static PseudoID is returned.
The PseudoID is a salted cryptographic hash of the UserID, designed to allow foreign health authorities to perform statistical analysis on contact logs and communicate about a specific user without revealing unnecessary personal information. Once the PseudoID is assessed to have been in close contact with the infected patient, the foreign health authority that issued the PseudoID is informed and can follow up as necessary.
The ability of users to withdraw consent to the use and collection of their data at any time was an important consideration in the design of the protocol. [10] : section. 3, point. 4 To allow this, personally identifiable information is excluded from the DDC component of the protocol. This means the only place personal information is stored is on the reporting server, where it is associated with an anonymous static UserID. This UserID (encrypted in a TempID) is what is used for identification in the DDC part of the protocol. If a user withdraws consent, the user record is deleted from the reporting server, meaning UserIDs obtained through contact logs can no longer be matched to a phone number.
One of the largest privacy concerns raised about protocols such as BlueTrace or PEPP-PT is the usage of centralised report processing. [12] [13] [14] [15] [16] [17] In a centralised report processing protocol, a user must upload their entire contact log to a health authority administered server, where the health authority is then responsible for matching the log entries to contact details, ascertaining potential contact, and ultimately warning users of potential contact. [18]
Alternatively, decentralised report processing protocols, while still having a central reporting server, delegate the responsibility to process logs to clients on the network. Protocols using this approach, such as TCN and DP-3T, have the client upload a number from which encounter tokens can be derived by individual devices. Clients then check these tokens against their local contact logs to determine if they have come in contact with an infected patient. [19] Because the protocol never allows the government access to contact logs, this approach has major privacy benefits. However, this method also presents some issues, primarily the lack of human-in-the-loop reporting, leading to a higher occurrence of false positives; [18] and potential scale issues, as some devices might become overwhelmed with a large number of reports. Decentralised reporting protocols are also less mature than their centralised counterparts. [20] [21] [22]
OpenTrace is the open-source reference implementation of BlueTrace released under the GPL-3.0 license. [23] [24] [25] The DRSC side of the protocol is implemented using the Firebase platform, [26] using Firebase functions, a serverless computing framework, for all client calls; and Firebase Secret Manager [27] : lines 29–37 and Storage [28] : line 22 for storing the encryption key and contact logs respectively. For the app/DDC side of the protocol, a modified version of the TraceTogether app for Android and iOS devices is included. [29] [30]
COVIDSafe [31] [32] is a digital contact tracing app based on OpenTrace/BlueTrace, announced by the Federal Australian Government on 14 April 2020 to help combat the ongoing COVID-19 pandemic. [33] On 26 April 2020, the Australian federal government publicly released the first version of the app. [6] [5] Within the first 24 hours after release, over 1 million people downloaded the app, [34] and within 48 hours, over 2 million. [35] By the second week, over 4 million users had registered. [36] Accompanying the release, Peter Dutton, the Minister for Home Affairs, announced new legislation that would make it illegal to force anyone to hand over data from the app, even if they had registered and tested positive. [37] [38] The app source code was also released on 8 May 2020, [39] [40] after delays [41] until a review by the Australian Signals Directorate had been completed. [42]
Threema is a paid cross-platform encrypted instant messaging app developed by Threema GmbH in Switzerland and launched in 2012. The service operates on a decentralized architecture and offers end-to-end encryption. Users can make voice and video calls, send photos, files, and voice notes, share locations, and make groups. Unlike many other popular secure messaging apps, Threema does not require phone numbers or email address for registration, only a one-time purchase that can be paid via an app store or anonymously with Bitcoin or cash.
Signal is an encrypted messaging service for instant messaging, voice, and video calls. The instant messaging function includes sending text, voice notes, images, videos, and other files. Communication may be one-to-one between users or may involve group messaging.
Eddystone was a Bluetooth Low Energy beacon profile released by Google in July 2015. In December 2018 Google stopped delivering both Eddystone and Physical Web beacon notifications. The Apache 2.0-licensed, cross-platform, and versioned profile contained several frame types, including Eddystone-UID, Eddystone-URL, and Eddystone-TLM. Eddystone-URL was used by the Physical Web project, whereas Eddystone-UID was typically used by native apps on a user's device, including Google's first party apps such as Google Maps.
Wire is an encrypted communication and collaboration app created by Wire Swiss. It is available for iOS, Android, Windows, macOS, Linux, and web browsers such as Firefox. Wire offers a collaboration suite featuring messenger, voice calls, video calls, conference calls, file-sharing, and external collaboration – all protected by a secure end-to-end-encryption. Wire offers three solutions built on its security technology: Wire Pro – which offers Wire's collaboration feature for businesses, Wire Enterprise – includes Wire Pro capabilities with added features for large-scale or regulated organizations, and Wire Red – the on-demand crisis collaboration suite. They also offer Wire Personal, which is a secure messaging app for personal use.
COVID-19 apps include mobile-software applications for digital contact-tracing - i.e. the process of identifying persons ("contacts") who may have been in contact with an infected individual - deployed during the COVID-19 pandemic.
Aarogya Setu is an Indian COVID-19 "contact tracing, syndromic mapping and self-assessment" digital service, primarily a mobile app, developed by the National Informatics Centre under the Ministry of Electronics and Information Technology (MeitY). The app reached more than 100 million installs in 40 days. On 26 May, amid growing privacy and security concerns, the source code of the app was made public.
Coronavirus Australia was an app released by the Australian Government designed to allow users to access information about the COVID-19 pandemic in Australia. The app was released by the Department of Health on 29 March 2020, and decommissioned two years later on 31 August 2022. Over its lifetime, the app was downloaded over a million times and was initially ranked first in the Apple App Store's "Health and Fitness" category. Due to the short development period of two weeks, the app initially served primarily as an aggregate of links to official government websites. Shortly after, an update was released adding a voluntary "isolation registration" form that collected the location, name, age, mobile phone number, isolation start date, and various other details about users who were self-isolating.
Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT/PEPP) is a full-stack open protocol designed to facilitate digital contact tracing of infected participants. The protocol was developed in the context of the ongoing COVID-19 pandemic. The protocol, like the competing Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol, makes use of Bluetooth LE to discover and locally log clients near a user. However, unlike DP-3T, it uses a centralized reporting server to process contact logs and individually notify clients of potential contact with an infected patient. It has been argued that this approach compromises privacy, but has the benefit of human-in-the-loop checks and health authority verification. While users are not expected to register with their real name, the back-end server processes pseudonymous personal data that would eventually be capable of being reidentified. It has also been put forward that the distinction between centralized/decentralized systems is mostly technical and PEPP-PT is equally able to preserve privacy.
TraceTogether was a digital system implemented by the Government of Singapore to facilitate contact tracing efforts in response to the COVID-19 pandemic in Singapore. The main goal was a quick identification of persons who may have come into close contact with anyone who has tested positive for COVID-19. The system helps in identifying contacts such as strangers encountered in public one would not otherwise be able to identify or remember. Together with SafeEntry, it allows the identification of specific locations where a spread between close contacts may occur.
The (Google/Apple) Exposure Notification System (GAEN) is a framework and protocol specification developed by Apple Inc. and Google to facilitate digital contact tracing during the COVID-19 pandemic. When used by health authorities, it augments more traditional contact tracing techniques by automatically logging close approaches among notification system users using Android or iOS smartphones. Exposure Notification is a decentralized reporting protocol built on a combination of Bluetooth Low Energy technology and privacy-preserving cryptography. It is an opt-in feature within COVID-19 apps developed and published by authorized health authorities. Unveiled on April 10, 2020, it was made available on iOS on May 20, 2020 as part of the iOS 13.5 update and on December 14, 2020 as part of the iOS 12.5 update for older iPhones. On Android, it was added to devices via a Google Play Services update, supporting all versions since Android Marshmallow.
COVIDSafe was a digital contact tracing app released by the Australian Government on 26 April 2020 to help combat the ongoing COVID-19 pandemic. The app was intended to augment traditional contact tracing by automatically tracking encounters between users and later allowing a state or territory health authority to warn a user they have come within 1.5 metres with an infected person for 15 minutes or more. To achieve this, it used the BlueTrace and Herald protocol, originally developed by the Singaporean Government and VMWare respectively, to passively collect an anonymised registry of near contacts. The efficacy of the app was questioned over its lifetime, ultimately identifying just 2 confirmed cases by the time it was decommissioned on 16 August 2022.
The Temporary Contact Numbers Protocol, or TCN Protocol, is an open source, decentralized, anonymous exposure alert protocol developed by Covid Watch in response to the COVID-19 pandemic. The Covid Watch team, started as an independent research collaboration between Stanford University and the University of Waterloo, was the first in the world to publish a white paper, develop, and open source fully anonymous Bluetooth exposure alert technology in collaboration with CoEpi after writing a blog post on the topic in early March.
Digital contact tracing is a method of contact tracing relying on tracking systems, most often based on mobile devices, to determine contact between an infected patient and a user. It came to public prominence in the form of COVID-19 apps during the COVID-19 pandemic. Since the initial outbreak, many groups have developed nonstandard protocols designed to allow for wide-scale digital contact tracing, most notably BlueTrace and Exposure Notification.
Decentralized Privacy-Preserving Proximity Tracing is an open protocol developed in response to the COVID-19 pandemic to facilitate digital contact tracing of infected participants. The protocol, like competing protocol Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), uses Bluetooth Low Energy to track and log encounters with other users. The protocols differ in their reporting mechanism, with PEPP-PT requiring clients to upload contact logs to a central reporting server, whereas with DP-3T, the central reporting server never has access to contact logs nor is it responsible for processing and informing clients of contact. Because contact logs are never transmitted to third parties, it has major privacy benefits over the PEPP-PT approach; however, this comes at the cost of requiring more computing power on the client side to process infection reports.
NHS COVID-19 was a voluntary contact tracing app for monitoring the spread of the COVID-19 pandemic in England and Wales. It had been available since 24 September 2020 for Android and iOS smartphones, and can be used by anyone aged 16 or over.
NZ COVID Tracer is a mobile software application that enables a person to record places they have visited, in order to facilitate tracing who may have been in contact with a person infected with the COVID-19 virus. The app allows users to scan official QR codes at the premises of businesses and other organisations they visit, to create a digital diary. It was launched by New Zealand's Ministry of Health on 20 May 2020, during the ongoing COVID-19 pandemic. It can be downloaded from the App Store and Google Play.
Covid Watch was an open source nonprofit founded in February 2020 with the mission of building mobile technology to fight the COVID-19 pandemic while defending digital privacy. The Covid Watch founders became concerned about emerging, mass surveillance-enabling digital contact tracing technology and started the project to help preserve civil liberties during the pandemic.
COVID Alert was the Exposure Notification service app for the country of Canada. It launched in the province of Ontario on July 31, 2020, and became available in nearly all Canadian provinces by October of that year, excluding Alberta and British Columbia.
COVID Tracker Ireland is a digital contact tracing app released by the Irish Government and the Health Service Executive on 7 July 2020 to prevent the spread of COVID-19 in Ireland. The app uses ENS and Bluetooth technology to determine whether a user has been a close contact of someone for more than 15 minutes who tested positive for COVID-19. On 8 July, the app reached one million registered users within 36 hours after its launch, representing more than 30% of the population of Ireland and over a quarter of all smartphone users in the country. As of August 2021, over 3,030,000 people have downloaded the app.