It could let people know if they have come in contact with someone who has tested positive for the virus while protecting the privacy of all parties.
To work best, the app requires many people to use it, whether they have had COVID-19 or not. The app broadcasts random Bluetooth signals and records those sent by nearby cell phones that also have the app installed. App users who have been diagnosed with COVID-19 voluntarily and anonymously report their positive results, which then causes their Bluetooth pings from the last 14 days to be uploaded to a database that’s coded to ensure that the diagnosed user is uploading their own pings.
From there, those signals are compared with pings of other app participants in the system. The app then alerts users of possible proximity to an infected person, and subsequently directs them to follow up with health officials (or their doctor). All of the uploaded information is verified by a public health agency, and every app must be installed voluntarily by its users.
Privacy concerns for contact tracing apps
For Ran Canetti, Ari Trachtenberg, and Mayank Varia of Boston University, all cybersecurity experts, the main concern with the technology is preserving privacy. “The question of privacy originally came up in a discussion on the mailing list of the BU Hariri Institute’s Cyber Security, Law, and Society Alliance,” says Trachtenberg, a College of Engineering professor of electrical and computer engineering. “I proposed a [prototypic] approach to privacy-aware contact tracing, and Ran, Mayank, and I fleshed out the approach in a paper that we posted to arXiv on March 27.”
The arXiv paper attracted a great deal of attention, and the BU team soon joined the PACT (Private Automated Contact Tracing) team, which is led by Ron Rivest, an MIT professor and the inventor of several highly regarded encryption algorithms.
“PACT was started in response to COVID-19,” says Varia. “This is just one small piece of the COVID-19 puzzle; there exist an immense number of healthcare issues and also many technological ones that PACT does nothing to address. On the other hand, this technology can be useful beyond the current epidemic since we [plan to] have this capability ready to go in advance of the next epidemic—which hopefully won’t be for a long time.”
“Typically, an effort like this would be done over years, with publication and peer-review, but we just don’t have the time for the formal academic mechanism,” says Trachtenberg. “The broad PACT collaboration serves as an excellent substitute in this time of need. It’s essential that this system be put together at breakneck speed.”
The app does not transmit any personal information, or even a unique identifier for a phone, emphasizes Varia, codirector of Boston University’s Center for Reliable Information Systems and Cyber Security (RISCS) and a research associate professor in computer science.
“To protect everyone’s privacy, we are only sending random ‘garbage’ within each Bluetooth packet,” he says. “We call these random numbers ‘chirps.’ People who are diagnosed with COVID-19 voluntarily post only these random chirps to a public database, which permits anyone who has come into contact with the diagnosed person to check (locally on their own phone) whether any of the chirps they have [encountered] match the entries in the public database.”
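The chirp exchange and on-phone matching described above can be sketched as a small simulation. This is an added example, not code from the PACT team or the app: the `Phone` class, the 16-byte chirp length, the day counter and the scenario are assumptions, and the health-agency verification of uploads is not modelled.

```python
import secrets

RETENTION_DAYS = 14  # from the article: pings from the last 14 days are uploaded
CHIRP_BYTES = 16     # assumption: the article does not give a chirp length


class Phone:
    def __init__(self):
        self.sent = []   # (day, chirp) pairs this phone broadcast
        self.heard = []  # (day, chirp) pairs received; never leaves the phone

    def broadcast(self, day, nearby):
        # Each chirp is fresh randomness: no phone ID, no personal data.
        chirp = secrets.token_bytes(CHIRP_BYTES)
        self.sent.append((day, chirp))
        for other in nearby:
            other.heard.append((day, chirp))

    def report_positive(self, today, public_db):
        # Voluntary upload of this phone's own chirps inside the window.
        public_db.update(c for d, c in self.sent
                         if 0 <= today - d < RETENTION_DAYS)

    def exposure_days(self, today, public_db):
        # Local check against the downloaded public list.
        return sorted({d for d, c in self.heard
                       if 0 <= today - d < RETENTION_DAYS and c in public_db})


def simulate():
    # Constructed scenario: Alice meets Bob on days 1 and 10, never meets Carol.
    alice, bob, carol = Phone(), Phone(), Phone()
    public_db = set()
    alice.broadcast(day=1, nearby=[bob])   # too old by day 20
    alice.broadcast(day=10, nearby=[bob])
    alice.broadcast(day=12, nearby=[])
    bob.broadcast(day=10, nearby=[alice])
    carol.broadcast(day=11, nearby=[])
    alice.report_positive(today=20, public_db=public_db)
    return alice, bob, carol, public_db


if __name__ == "__main__":
    alice, bob, carol, db = simulate()
    print("published chirps:", len(db))
    print("Bob exposure days:", bob.exposure_days(20, db))
    print("Carol exposure days:", carol.exposure_days(20, db))
```

The public list holds only random byte strings, so a phone that never heard one of them learns nothing from downloading it.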
Canetti, director of the RISCS and a professor of computer science, says the technology demonstrates how automatic contact tracing can be done on a phone-to-phone basis and without a centralized opaque database that holds location information on all individuals.
“That’s important,” he says, “because it counters the prevailing perception that mitigating the pandemic via automatic contact tracing mandates large-scale, government-led violation of privacy of all or most of the population.”