Research institutions Inria and Fraunhofer has shared details about their contact tracking protocol that can be used by the governments of France and Germany in the coming weeks. It was named ROBERT for ROBust and the proximity search protocol for privacy preservation.
Inria and Fraunhofer are members of the Pan-European Privacy Preservation Proximity Tracking (PEPP-PT) project. On Friday, PEPP-PT the word that seven European governments are interested in developing national applications based on a standardized approach. So ROBERT can be an important inspiration for various contact tracking applications across Europe.
The French and German research teams have chosen to share technical specifications on GitHub with various documents describing their work so far. Besides a complete specification documents, the group has written a high level overview with frequently asked questions illustrative example and interesting names document: “Distance Tracking Application: Misleading debate about a centralized versus decentralized approach.”
Inria’s CEO, Bruno Sportisse also wrote the article on the Inria website illustrates the thinking behind the work of Inria (and Fraunhofer). In addition to explaining the concept of contact tracing, he said there was no such thing as a decentralized contact tracking protocol or a centralized contact tracking protocol.
“There are no projects aimed at implementing a peer-to-peer network where everything will depend on communities that are supposed to be ‘independent’ […] device / smartphone that exchanges information between them. The main reason why that isn’t the case is that security vulnerabilities can have an impact with such an approach, “Sportisse writes.
“All systems in the work include general components (servers) and decentralized components (a group of smartphones that can communicate between them using Bluetooth): all systems currently working are therefore centralized […] and decentralized, “he continued.
However, centralization and decentralization have been at the heart of debates between privacy researchers in Europe, with supporters of the DP-3T initiative sometimes call PEPP-PT approach. DP-3T is a coalition of other experts who claim to care more about privacy than PEPP-PT.
So let’s dive into ROBERT and find out what Inria and Fraunhofer mean by centralized contact tracking protocols.
In the specification document, Inria and Fraunhofer define the big principles behind ROBERT.
Our scheme provides the following goals detailed in :
- Open participation. Participants are free to join or leave the system at any time.
- Simple and transparent. This system is easy to use and understand.
- Easy placement. This scheme is easy to use and only requires minimal infrastructure.
- Anonymity Smartphone applications and back-end database servers do not collect or store any personal data.
- Federation Infrastructure. The system must scale across countries, ideally throughout the world. To maintain state sovereignty, a trusted infrastructure federation is needed.
These are all fair points, but based on the rest of the document, anonymity is not guaranteed 100% for all actors involved (government, other application users, malicious users). The document itself explains why there might be some gaps in the protocol:
That authority run the system, in turn, is “Honest but curious”. Specifically, it will not use spy devices or will not change protocols and messages. However, it might use information collected for other purposes such as to re-identify users or infer their contact graph. We consider the back-end system to be safe, and regularly audited and controlled by trusted and neutral external authorities (such as the Data Protection Authority and the National Cyber Security Agency).
That’s great if.
Basically, the protocol is designed so that it protects your privacy as long as you trust the government / ministry of health / whoever is responsible for running the central server. Based on that statement alone, it looks like the authorities can record a lot of information about application users.
Make a log of your proximity contacts
In essence, the contact tracking application uses Bluetooth to create a complete list of other application users who interact with you for more than a few seconds. The ROBERT-based contact-tracking application will make a match on your device.
ROBERT uses a temporary Bluetooth ID that changes every 15 minutes. For example, if you talk to someone for 10 minutes, you will regularly send your momentary Bluetooth ID to someone else, and you will receive a Bluetooth ID from someone else. If no one is infected with COVID-19, those IDs remain on your device (and may even be deleted after a while).
This application also collects additional information related to the Bluetooth ID for a moment. For example, it collects Bluetooth signal strength to evaluate the distance between two people.
All of this is pretty standard.
Upload your contact list, not your own temporary identifier
A different approach if someone is confirmed to be infected with COVID-19. Under the ROBERT implementation, if a user is diagnosed as COVID-positive and gives their agreement to help the community of other application users, the application will upload the Bluetooth ID list momentarily from other users who have interacted with them for the past 14 days.
Again, this application does not send the user’s instantaneous Bluetooth ID – it sends information about the circle of people who are interested in the infected user.
The server then has a list of users who are potentially exposed. That does not mean they will be infected with COVID-19.
Calculate the risk score on the server
So what does the server do with this list of potentially exposed users?
When you download a ROBERT-based contact tracking application (like France Stop the Covid application working) and launching it for the first time, the server is notified. The server generates and sends a permanent ID and a list of Bluetooth IDs for a moment. The server also maintains a list of all temporary IDs that are associated with permanent IDs.
In other words, the authority has a giant database of all permanent and mortal IDs that are associated with all application users. While the specification says “the information stored is ‘anonymous’ and, by no means, is related to a particular user,” it is deep can’t be anonymous. That’s a pseudonym.
When a user is diagnosed positive for COVID and receives to share a list of instantaneous Bluetooth IDs from people who interact with them, the server records all that information and increases the risk score of the people who interact with them.
Over time, many users who are confirmed to be infected with COVID-19 can tag various Bluetooth IDs for a moment that belong to the same user. The server will increase the risk score of the permanent ID associated with that user.
Basically, the authority will have a database of permanent IDs with each ID representing one person. There will be a risk score associated with each person. When the risk score reaches a certain threshold, the user is notified.
Weak defense of centralization
As you can see in my description of the ROBERT protocol, the project tries to minimize the attack surface by concentrating most of the computing on the server. This is designed to be as resilient to as many malicious users as possible – this requires you to “register” your account by getting a permanent ID from the central server.
But this centralized implementation means that you have to trust your government. Specifically, you must believe that:
- They don’t do anything bad without telling you.
- They have developed a safe implementation of the ROBERT protocol.
For example, what if a ROBERT-based application uploads your IP address when your application checks the risk score associated with your permanent ID? What if the government wants a little more data to examine social graph pseudonym? That can be a huge privacy risk and end users will not even be aware of its vulnerability. This is basically the opposite of “privacy by design.”
Instead, Inria and Fraunhofer discarded the DP-3T implementation under the bus:
Others, who qualify as ‘decentralized’, the scheme is broadcast to each aggregate information Application that contains the pseudonyms of all infected users. This information allows each Application to decode the infected user’s identification and verify whether any of them are part of his contact list. Our scheme does not follow this principle because we believe that sending information about all infected users reveals too much information. In fact, it has been shown that this information can be easily used by malicious users to re-identify infected users on a large scale. We claim that the re-identification of infected users must be completely avoided because it can cause stigmatization. Instead, we chose to store this information safely on a central server.
Ignoring the decentralized protocol in such a way is totally irresponsible. In both cases, it depends on the implementation. That’s why it’s important to let developers audit code that runs on smartphones and servers – whether the server is just a relay server or a central database. Otherwise, people will not trust the contact tracking application and they will not be useful.
Data on your device can be encrypted and cannot be accessed to other applications and malicious users. The government can even control the decryption key using multi-signature authentication. In this way, malicious users will not be able to decrypt data without interacting with the central server, and the central server will not be able to access user data.
to request modification Contact us at Here or [email protected]