Home // SnT // News & E... // Balancing IT Security and Privacy Rights for Contact Tracing

Balancing IT Security and Privacy Rights for Contact Tracing

twitter linkedin facebook email this page
Published on Wednesday, 13 May 2020

A critical information infrastructure-based approach to contact tracing.

Editorial by Paulo Esteves-Veríssimo

The subject of contact tracing, and how to do it, has become a hotly debated topic in the wake of COVID-19. For the general public, the heart of the matter seems to be either allowing governments to gather personal data or opt for the local exchange of alerts between smartphones.

As a distributed systems architect specialised in cybersecurity, I see this as an overly simplified framework to approach the topic from. One should rightly be wary of the abuse of government access to contact tracing data, yet locally exchanged alerts are susceptible to IT security flaws that should also be a significant consideration. As an example, there are now many smartphone-app based systems being proposed that would use Bluetooth to exchange information between phones to track proximity, and let the phones store the data. Yet this approach creates considerable threat planes such as phone-to-phone attacks (because information transmitted via Bluetooth can be intercepted, manipulated and tracked), or the potential interference of phone/OS vendors.

For me the key question is how we can deploy the right combination of ICT technologies, including distributed algorithms, fault and intrusion tolerance, networking and cloud technology, as well as cybersecurity, among others. Designing a system that is effective at controlling the spread of a contagion and protects both the digital sovereignty and political rights of citizens, such as privacy, will need a variety of ICT tools to succeed. 

One key tool is critical information infrastructures (CII). Every day we rely on digital solutions with more or less centralisation, for our sensitive data: digital health systems, bank infrastructures, e-government services, and several others. These all use the principles of CIIs for their underlying architectures. The best CIIs are designed to treat sensitive data responsibly, resist cyberattacks in complex and strategic ways, and be GDPR-compliant. Therefore, it would be logical to implement a CII-based approach for the important task of contact tracing.

My team and I specialise in CIIs and have been working to develop a solution that uses their principles to solve the contact tracing challenge in a way that will protect our right to privacy. We have released this preliminary architecture proposal titled “PriLok: citizen-protecting distributed epidemic-tracing critical information infrastructure”, on arXiv.

As part of the process to create PriLok, we identified six functional objectives and four non-functional objectives that I believe any contact tracing solution should fulfil. The functional objectives define the elements that are necessary for any contract-tracing initiative to be effective:

  1. Be epidemic-agnostic: act on any epidemic, even the unexpected, in near real-time.
  2. Help find the highest possible rate of infected individuals in near real-time.
  3. Help find reasonably complete and accurate potential infection chains in near real-time.
  4. Alert, monitor, confine, and trace potentially infected individuals in near real-time.
  5. Diagnose country/region/community epidemic dynamics in near real-time (map basic infection evolution numbers; locate and map infection hotspots and trajectories; detect super infectors and/or lone wolves; predict collections of asymptomatic individuals; discern between external and communal infection paths).
  6. Learn from first epidemic outbreaks and act during individual re-infections and epidemic recurrences, in near real-time.

The non-functional objectives are critical concerns to make contract tracing inclusive and fair, as well as secure and dependable.

  1. Guarantees of protecting citizens’ fundamental rights (such as transparency, privacy and equality) in compliance with the law.
  2. Resilience to manipulation and forging, fake-news, gossip, panic, denial of service.
  3. Sustained real-time capability under overload, to maintain situational analysis and reaction capacity (infection roadblocks; sanitary fences around hotspots; group quarantines; and later, precise selective re-opening).
  4. Smoothly incremental accuracy and recall, from an acceptable nation-wide baseline technology level, to levels attainable by s.o.t.a. technology (not only but including 5G).

PriLok addresses these 10 objectives by building on and complementing some robust existing CIIs, as well as techniques developed for this purpose by my research group, all detailed in our paper available on arXiv.

In creating PriLok we addressed the above functional and non-functional objectives, but implementation is dependent on a democratic government. Because of this it is crucial that PriLok is managed with a series of checks and balances to avoid the system being abused, and properly protect every citizen’s right privacy. Therefore, the management of PriLok relies on a consensus among several key entities for any action – let’s assume for example a national health authority, a judicial oversight body, a ministry, and an independent regulator/ombudsman. Without the agreement of all four entities no action could be taken, minimising the risk to citizens. And this arrangement is not enforced using the traditional systems that might be reliant on paperwork, but with highly resilient IT-based protocols built into the design. These technologies have already been developed and are being used in the fintech sector, namely in blockchain-based systems.

In consequence, the correct implementation of PriLok would guarantee the seven fundamental principles of the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

So, if all the objectives are met, we are bound to have a comprehensive CII that truly serves a nation and its individuals. The risk of another pandemic in the future should motivate us all to implement a system that could be used again, yet how to do so is complex. We should all be considering the questions of security, effectiveness, and personal privacy when thinking about contact tracing and how to move forward in a post-COVID world.