Muhammad Ajmal Azad,Junaid Arshad,Syed Muhammad Ali Akmal,Farhan Riaz,Sidrah Abdullah,Muhammad Imran,Farhan Ahmad

DOI: https://doi.org/10.1109/JIOT.2020.3024180

2020-09-17

Abstract:Today's smartphones are equipped with a large number of powerful value-added sensors and features, such as a low-power Bluetooth sensor, powerful embedded sensors, such as the digital compass, accelerometer, GPS sensors, Wi-Fi capabilities, microphone, humidity sensors, health tracking sensors, and a camera, etc. These value-added sensors have revolutionized the lives of the human being in many ways, such as tracking the health of the patients and the movement of doctors, tracking employees movement in large manufacturing units, monitoring the environment, etc. These embedded sensors could also be used for large-scale personal, group, and community sensing applications especially tracing the spread of certain diseases. Governments and regulators are turning to use these features to trace the people's thoughts to have symptoms of certain diseases or viruses, e.g., COVID-19. The outbreak of COVID-19 in December 2019, has seen a surge of the mobile applications for tracing, tracking, and isolating the persons showing COVID-19 symptoms to limit the spread of the disease to the larger community. The use of embedded sensors could disclose private information of the users, thus potentially bring a threat to the privacy and security of users. In this article, we analyzed a large set of smartphone applications that have been designed to contain the spread of the COVID-19 virus and bring the people back to normal life. Specifically, we have analyzed what type of permission these smartphone apps require, whether these permissions are necessary for the track and trace, how data from the user devices are transported to the analytic center, and analyzing the security measures these apps have deployed to ensure the privacy and security of users.

Tianshi Li,Jackie,Yang,Cori Faklaris,Jennifer King,Yuvraj Agarwal,Laura Dabbish,Jason I. Hong

DOI: https://doi.org/10.48550/arXiv.2005.11957

2020-05-25

Abstract:Contact-tracing apps have potential benefits in helping health authorities to act swiftly to halt the spread of COVID-19. However, their effectiveness is heavily dependent on their installation rate, which may be influenced by people's perceptions of the utility of these apps and any potential privacy risks due to the collection and releasing of sensitive user data (e.g., user identity and location). In this paper, we present a survey study that examined people's willingness to install six different contact-tracing apps after informing them of the risks and benefits of each design option (with a U.S.-only sample on Amazon Mechanical Turk, $N=208$). The six app designs covered two major design dimensions (centralized vs decentralized, basic contact tracing vs. also providing hotspot information), grounded in our analysis of existing contact-tracing app proposals. Contrary to assumptions of some prior work, we found that the majority of people in our sample preferred to install apps that use a centralized server for contact tracing, as they are more willing to allow a centralized authority to access the identity of app users rather than allowing tech-savvy users to infer the identity of diagnosed users. We also found that the majority of our sample preferred to install apps that share diagnosed users' recent locations in public places to show hotspots of infection. Our results suggest that apps using a centralized architecture with strong security protection to do basic contact tracing and providing users with other useful information such as hotspots of infection in public places may achieve a high adoption rate in the U.S.

Human-Computer Interaction,Computers and Society

Shahzaib Tahir,Hasan Tahir,Ali Sajjad,Muttukrishnan Rajarajan,Fawad Khan

DOI: https://doi.org/10.23919/jcn.2021.000031

2021-01-01

Journal of Communications and Networks

Abstract:The outbreak of the COVID-19 virus has caused widespread panic and global initiatives are geared towards treat-ment and limiting its spread. With technological advancements, several mechanisms and mobile applications have been developed that attempt to trace the physical contact made by a person with someone who has been tested COVID-19 positive. While designing these apps, user's privacy has been an afterthought and has resulted in mass violations of privacy of the public and the patients. A total of 32 countries have designed apps and rely on them as a strategy to flatten the pandemic curve. Along with lack of privacy, these methodologies are centralized, where they are fully controlled by the government and the healthcare providers. Owing to these and many other concerns, people are hesitant in the adoption of these technologies. This paper presents a detailed analysis of user tracking apps belonging to 32 countries, thus demonstrating that they collect personal data and are a gross violation of user privacy. This paper presents a novel architecture for the efficient, effective and privacy-preserving contact tracing of COVID-19 patients using blockchain. The proposed architecture preserves the privacy of individuals and their contact history by encrypting all the data specific to an individual using a privacy-preserving Homomorphic encryption scheme and storing it on a permissioned blockchain network. The contacts made with a COVID-19 positive patient are identified by performing search queries directly over the Homomorphic encrypted data stored in the blocks. Therefore, only those contacts that are suspected to be COVID-19 positive may be decrypted by the healthcare professional or government for further contact tracing/ diagnosis and COVID-19 testing; thereby leading to enhanced privacy.

Lorenzo Martinico,Aydin Abadi,Thomas Zacharias,Thomas Win

DOI: https://doi.org/10.48550/arXiv.2208.09525

2022-08-20

Abstract:The highly transmissible COVID-19 disease is a serious threat to people's health and life. To automate tracing those who have been in close physical contact with newly infected people and/or to analyse tracing-related data, researchers have proposed various ad-hoc programs that require being executed on users' smartphones. Nevertheless, the existing solutions have two primary limitations: (1) lack of generality: for each type of analytic task, a certain kind of data needs to be sent to an analyst; (2) lack of transparency: parties who provide data to an analyst are not necessarily infected individuals; therefore, infected individuals' data can be shared with others (e.g., the analyst) without their fine-grained and direct consent. In this work, we present Glass-Vault, a protocol that addresses both limitations simultaneously. It allows an analyst to run authorised programs over the collected data of infectious users, without learning the input data. Glass-Vault relies on a new variant of generic Functional Encryption that we propose in this work. This new variant, called DD-Steel, offers these two additional properties: dynamic and decentralised. We illustrate the security of both Glass-Vault and DD-Steel in the Universal Composability setting. Glass-Vault is the first UC-secure protocol that allows analysing the data of Exposure Notification users in a privacy-preserving manner. As a sample application, we indicate how it can be used to generate "infection heatmaps".

Cryptography and Security,Computers and Society

Jianwei Huang,Vinod Yegneswaran,Phillip Porras,Guofei Gu

DOI: https://doi.org/10.48550/arXiv.2012.03283

2020-12-09

Abstract:Smartphone-based contact-tracing applications are at the epicenter of the global fight against the Covid-19 pandemic. While governments and healthcare agencies are eager to mandate the deployment of such applications en-masse, they face increasing scrutiny from the popular press, security companies, and human rights watch agencies that fear the exploitation of these technologies as surveillance tools. Finding the optimal balance between community safety and privacy has been a challenge, and strategies to address these concerns have varied among countries. This paper describes two important attacks that affect a broad swath of contact-tracing applications. The first, referred to as contact-isolation attack, is a user-privacy attack that can be used to identify potentially infected patients in your neighborhood. The second is a contact-pollution attack that affects the integrity of contact tracing applications by causing them to produce a high volume of false-positive alerts. We developed prototype implementations and evaluated both attacks in the context of the DP-3T application framework, but these vulnerabilities affect a much broader class of applications. We found that both attacks are feasible and realizable with a minimal attacker work factor. We further conducted an impact assessment of these attacks by using a simulation study and measurements from the SafeGraph database. Our results indicate that attacks launched from a modest number (on the order of 10,000) of monitoring points can effectively decloak between 5-40\% of infected users in a major metropolis, such as Houston.

Cryptography and Security,Computers and Society

Hannah Alsdurf,Edmond Belliveau,Yoshua Bengio,Tristan Deleu,Prateek Gupta,Daphne Ippolito,Richard Janda,Max Jarvie,Tyler Kolody,Sekoul Krastev,Tegan Maharaj,Robert Obryk,Dan Pilat,Valerie Pisano,Benjamin Prud'homme,Meng Qu,Nasim Rahaman,Irina Rish,Jean-Francois Rousseau,Abhinav Sharma,Brooke Struck,Jian Tang,Martin Weiss,Yun William Yu

DOI: https://doi.org/10.48550/arXiv.2005.08502

2020-07-27

Abstract:The SARS-CoV-2 (Covid-19) pandemic has caused significant strain on public health institutions around the world. Contact tracing is an essential tool to change the course of the Covid-19 pandemic. Manual contact tracing of Covid-19 cases has significant challenges that limit the ability of public health authorities to minimize community infections. Personalized peer-to-peer contact tracing through the use of mobile apps has the potential to shift the paradigm. Some countries have deployed centralized tracking systems, but more privacy-protecting decentralized systems offer much of the same benefit without concentrating data in the hands of a state authority or for-profit corporations. Machine learning methods can circumvent some of the limitations of standard digital tracing by incorporating many clues and their uncertainty into a more graded and precise estimation of infection risk. The estimated risk can provide early risk awareness, personalized recommendations and relevant information to the user. Finally, non-identifying risk data can inform epidemiological models trained jointly with the machine learning predictor. These models can provide statistical evidence for the importance of factors involved in disease transmission. They can also be used to monitor, evaluate and optimize health policy and (de)confinement scenarios according to medical and economic productivity indicators. However, such a strategy based on mobile apps and machine learning should proactively mitigate potential ethical and privacy risks, which could have substantial impacts on society (not only impacts on health but also impacts such as stigmatization and abuse of personal data). Here, we present an overview of the rationale, design, ethical considerations and privacy strategy of `COVI,' a Covid-19 public peer-to-peer contact tracing and risk awareness mobile application developed in Canada.

Cryptography and Security,Artificial Intelligence,Computers and Society

Peeyush Gupta,Sharad Mehrotra,Nisha Panwar,Shantanu Sharma,Nalini Venkatasubramanian,Guoxi Wang

DOI: https://doi.org/10.48550/arXiv.2005.02510

2020-05-05

Databases

Abstract:Contact tracing has emerged as one of the main mitigation strategies to prevent the spread of pandemics such as COVID-19. Recently, several efforts have been initiated to track individuals, their movements, and interactions using technologies, e.g., Bluetooth beacons, cellular data records, and smartphone applications. Such solutions are often intrusive, potentially violating individual privacy rights and are often subject to regulations (e.g., GDPR and CCPR) that mandate the need for opt-in policies to gather and use personal information. In this paper, we introduce Quest, a system that empowers organizations to observe individuals and spaces to implement policies for social distancing and contact tracing using WiFi connectivity data in a passive and privacy-preserving manner. The goal is to ensure the safety of employees and occupants at an organization, while protecting the privacy of all parties. Quest incorporates computationally- and information-theoretically-secure protocols that prevent adversaries from gaining knowledge of an individual's location history (based on WiFi data); it includes support for accurately identifying users who were in the vicinity of a confirmed patient, and then informing them via opt-in mechanisms. Quest supports a range of privacy-enabled applications to ensure adherence to social distancing, monitor the flow of people through spaces, identify potentially impacted regions, and raise exposure alerts. We describe the architecture, design choices, and implementation of the proposed security/privacy techniques in Quest. We, also, validate the practicality of Quest and evaluate it thoroughly via an actual campus-scale deployment at UC Irvine over a very large dataset of over 50M tuples.

Yogesh Simmhan,Tarun Rambha,Aakash Khochare,Shriram Ramesh,Animesh Baranawal,John Varghese George,Rahul Atul Bhope,Amrita Namtirtha,Amritha Sundararajan,Sharath Suresh Bhargav,Nihar Thakkar,Raj Kiran

DOI: https://doi.org/10.48550/arXiv.2009.04916

2020-09-10

Abstract:The COVID-19 pandemic is imposing enormous global challenges in managing the spread of the virus. A key pillar to mitigation is contact tracing, which complements testing and isolation. Digital apps for contact tracing using Bluetooth technology available in smartphones have gained prevalence globally. In this article, we discuss various capabilities of such digital contact tracing, and its implication on community safety and individual privacy, among others. We further describe the GoCoronaGo institutional contact tracing app that we have developed, and the conscious and sometimes contrarian design choices we have made. We offer a detailed overview of the app, backend platform and analytics, and our early experiences with deploying the app to over 1000 users within the Indian Institute of Science campus in Bangalore. We also highlight research opportunities and open challenges for digital contact tracing and analytics over temporal networks constructed from them.

Computers and Society,Social and Information Networks

Federica Lucivero,Nina Hallowell,Stephanie Johnson,Barbara Prainsack,Gabrielle Samuel,Tamar Sharon

DOI: https://doi.org/10.1007/s11673-020-10016-9

2020-08-25

Journal of Bioethical Inquiry

Abstract:Abstract Mobile applications are increasingly regarded as important tools for an integrated strategy of infection containment in post-lockdown societies around the globe. This paper discusses a number of questions that should be addressed when assessing the ethical challenges of mobile applications for digital contact-tracing of COVID-19: Which safeguards should be designed in the technology? Who should access data? What is a legitimate role for “Big Tech” companies in the development and implementation of these systems? How should cultural and behavioural issues be accounted for in the design of these apps? Should use of these apps be compulsory? What does transparency and ethical oversight mean in this context? We demonstrate that responses to these questions are complex and contingent and argue that if digital contract-tracing is used, then it should be clear that this is on a trial basis and its use should be subject to independent monitoring and evaluation.

ethics,medical ethics,social issues,social sciences, biomedical

Salman Ahmed,Ya Xiao,Taejoong,Chung,Carol Fung,Moti Yung,Danfeng

DOI: https://doi.org/10.1109/MC.2021.3125611

2021-12-17

Abstract:Google and Apple jointly introduced a digital contact tracing technology and an API called "exposure notification," to help health organizations and governments with contact tracing. The technology and its interplay with security and privacy constraints require investigation. In this study, we examine and analyze the security, privacy, and reliability of the technology with actual and typical scenarios (and expected typical adversary in mind), and quite realistic use cases. We do it in the context of Virginia's COVIDWISE app. This experimental analysis validates the properties of the system under the above conditions, a result that seems crucial for the peace of mind of the exposure notification technology adopting authorities, and may also help with the system's transparency and overall user trust.

Cryptography and Security,Systems and Control

Lavanya Elluri,Aritran Piplai,Anantaa Kotal,Anupam Joshi,Karuna Pande Joshi

DOI: https://doi.org/10.3389/fdata.2021.701966

2021-08-12

Frontiers in Big Data

Abstract:The entire scientific and academic community has been mobilized to gain a better understanding of the COVID-19 disease and its impact on humanity. Most research related to COVID-19 needs to analyze large amounts of data in very little time. This urgency has made Big Data Analysis, and related questions around the privacy and security of the data, an extremely important part of research in the COVID-19 era. The White House OSTP has, for example, released a large dataset of papers related to COVID research from which the research community can extract knowledge and information. We show an example system with a machine learning-based knowledge extractor which draws out key medical information from COVID-19 related academic research papers. We represent this knowledge in a Knowledge Graph that uses the Unified Medical Language System (UMLS). However, publicly available studies rely on dataset that might have sensitive data. Extracting information from academic papers can potentially leak sensitive data, and protecting the security and privacy of this data is equally important. In this paper, we address the key challenges around the privacy and security of such information extraction and analysis systems. Policy regulations like HIPAA have updated the guidelines to access data, specifically, data related to COVID-19, securely. In the US, healthcare providers must also comply with the Office of Civil Rights (OCR) rules to protect data integrity in matters like plasma donation, media access to health care data, telehealth communications, etc. Privacy policies are typically short and unstructured HTML or PDF documents. We have created a framework to extract relevant knowledge from the health centers’ policy documents and also represent these as a knowledge graph. Our framework helps to understand the extent to which individual provider policies comply with regulations and define access control policies that enforce the regulation rules on data in the knowledge graph extracted from COVID-related papers. Along with being compliant, privacy policies must also be transparent and easily understood by the clients. We analyze the relative readability of healthcare privacy policies and discuss the impact. In this paper, we develop a framework for access control decisions that uses policy compliance information to securely retrieve COVID data. We show how policy compliance information can be used to restrict access to COVID-19 data and information extracted from research papers.

Jessica Vitak,Michael Zimmer

DOI: https://doi.org/10.1177/2056305120948250

2020-07-01

Social Media + Society

Abstract:The global coronavirus pandemic has raised important questions regarding how to balance public health concerns with privacy protections for individual citizens. In this essay, we evaluate contact tracing apps, which have been offered as a technological solution to minimize the spread of COVID-19. We argue that apps such as those built on Google and Apple’s “exposure notification system” should be evaluated in terms of the contextual integrity of information flows; in other words, the appropriateness of sharing health and location data will be contextually dependent on factors such as who will have access to data, as well as the transmission principles underlying data transfer. We also consider the role of prevailing social and political values in this assessment, including the large-scale social benefits that can be obtained through such information sharing. However, caution should be taken in violating contextual integrity, even in the case of a pandemic, because it risks a long-term loss of autonomy and growing function creep for surveillance and monitoring technologies.

communication

Shobhit Aggarwal,Arnab Purkayastha

2023-07-19

Abstract:The COVID-19 pandemic has highlighted the need for innovative solutions to monitor and control the spread of infectious diseases. With the potential for future pandemics and the risk of outbreaks particularly in academic institutions, there is a pressing need for effective approaches to monitor and manage such diseases. Contact tracing using Global Positioning Systems (GPS) has been found to be the most prevalent method to detect and tackle the extent of outbreaks during the pandemic. However, these services suffer from the inherent problems of infringement of data privacy that creates hindrance in adoption of the technology. Non-cellular wireless technologies on the other hand are well-suited to provide secure contact tracing methods. Such approaches integrated with the Internet of Things (IoT) have a great potential to aid in the fight against any type of infectious diseases. In response, we present a unique approach that utilizes an IoT based generic framework to identify individuals who may have been exposed to the virus, using contact tracing methods, without compromising the privacy aspect. We develop the architecture of our platform, including both the frontend and backend components, and demonstrate its effectiveness in identifying potential COVID-19 exposures (as a test case) through a proof-of-concept implementation. We also implement and verify a prototype of the device. Our framework is easily deployable and can be scaled up as needed with the existing infrastructure.

Cryptography and Security

Jia Yuan Loke,Nydia Remolina,Benjamin Tham,Mark James Findlay

DOI: https://doi.org/10.2139/ssrn.3592283

2020-01-01

SSRN Electronic Journal

Abstract:As the COVID-19 health pandemic rages governments and private companies across the globe are utilising AI-assisted surveillance, reporting, mapping and tracing technologies with the intention of slowing the spread of the virus. These technologies have the capacity to amass personal data and share for community control and citizen safety motivations that empower state agencies and inveigle citizen co-operation which could only be imagined outside such times of real and present danger. While not cavilling with the short-term necessity for these technologies and the data they control, process and share in the health regulation mission, this paper argues that this infrastructure application for surveillance has serious ethical and regulatory implications in the medium and long term in relation to individual dignity, civil liberties, transparency, data aggregation, explainability and other governance challenges. To conduct this analysis, the paper presents the Singapore and China case studies, and offers a comparative description based on the many more initiatives implemented worldwide in order to understand the purpose, goal and risk of these infrastructures. The analysis looks at data protection and citizen integrity and reflects on other surveillance methods outside the health context, such as initiatives implemented in the financial sector, where similar challenges have arisen.

Ruoxi Sun,Wei Wang,Minhui Xue,Gareth Tyson,Seyit Camtepe,Damith C. Ranasinghe

DOI: https://doi.org/10.48550/arXiv.2006.10933

2021-01-22

Abstract:The rapid spread of COVID-19 has made manual contact tracing difficult. Thus, various public health authorities have experimented with automatic contact tracing using mobile applications (or "apps"). These apps, however, have raised security and privacy concerns. In this paper, we propose an automated security and privacy assessment tool, COVIDGUARDIAN, which combines identification and analysis of Personal Identification Information (PII), static program analysis and data flow analysis, to determine security and privacy weaknesses. Furthermore, in light of our findings, we undertake a user study to investigate concerns regarding contact tracing apps. We hope that COVIDGUARDIAN, and the issues raised through responsible disclosure to vendors, can contribute to the safe deployment of mobile contact tracing. As part of this, we offer concrete guidelines, and highlight gaps between user requirements and app performance.

Cryptography and Security,Software Engineering

Md Azim Ullah

2023-05-17

Abstract:mContain was developed (and sparsely deployed) by MD2K center at University of Memphis in the early stages of COVID-19 pandemic to help reduce community transmission in Shelby County and Memphis metropolitan area. The application counts and displays the number of daily proximity encounters with other app users. To reduce the chances of entering crowded places, users can see the level of crowding at busy places on a map. If a user and their COVID-19 test provider both agree to share the results of their test, the app can notify other users about possible exposures to COVID-19. The smartphone application collects location and Bluetooth data and sends it to cloud for near real time processing and decisions to be sent back for visualization and interface with the user. The backend algorithmic infrastructure responsible for real time crowd estimation and contact tracing from streaming batch data use open-source cloud analytics platform Cerebral-Cortex. This project concerns about presenting the authors contributions in the algorithmic development, design and implementation of mContain application as part of the entire collaborative project. We describe the mcontain algorithmic infrastructure and major computational challenges encountered when developing and deploying this application for real-life usage. Details of the app can be found in <a class="link-external link-https" href="https://mcontain.md2k.org/" rel="external noopener nofollow">this https URL</a>

Social and Information Networks

Shreya Ghosh,Anwesha Mukherjee

DOI: https://doi.org/10.1007/s11334-022-00458-2

2022-06-02

Abstract:The outbreak of 2019 novel coronavirus (COVID-19) has triggered unprecedented challenges and put the whole world in a parlous condition. The impacts of COVID-19 is a matter of grave concern in terms of fatality rate, socio-economical condition, health infrastructure. It is obvious that only pharmaceutical solutions (vaccine) cannot eradicate this pandemic completely, and effective strategies regarding lockdown measures, restricted mobility, emergency services to users-in brief data-driven decision system is of utmost importance. This necessitates an efficient data analytics framework, data infrastructure to store, manage pandemic related information, and distributed computing platform to support such data-driven operations. In the past few decades, Internet of Things-based devices and applications have emerged significantly in various sectors including healthcare and time-critical applications. To be specific, health-sensors help to accumulate health-related parameters at different time-instances of a day, the movement sensors keep track of mobility traces of the user, and helps to assist them in varied conditions. The smartphones are equipped with several such sensors and the ability of low-cost connected sensors to cover large areas makes it the most useful component to combat pandemics such as COVID-19. However, analysing and managing the huge amount of data generated by these sensors is a big challenge. In this paper we have proposed a unified framework which has three major components: (i) Spatial Data Infrastructure to manage, store, analyse and share spatio-temporal information with stakeholders efficiently, (ii) Cloud-Fog-Edge-based hierarchical architecture to support preliminary diagnosis, monitoring patients' mobility, health parameters and activities while they are in quarantine or home-based treatment, and (iii) Assisting users in varied emergency situation leveraging efficient data-driven techniques at low-latency and energy consumption. The mobility data analytics along with SDI is required to interpret the movement dynamics of the region and correlate with COVID-19 hotspots. Further, Cloud-Fog-Edge-based system architecture is required to provision healthcare services efficiently and in timely manner. The proposed framework yields encouraging results in taking decisions based on the COVID-19 context and assisting users effectively by enhancing accuracy of detecting suspected infected people by ∼ 24% and reducing delay by ∼ 55% compared to cloud-only system.

Zhe Peng,Jinbin Huang,Haixin Wang,Shihao Wang,Xiaowen Chu,Xinzhi Zhang,Li Chen,Xin Huang,Xiaoyi Fu,Yike Guo,Jianliang Xu

DOI: https://doi.org/10.48550/arXiv.2101.09653

2021-01-24

Abstract:The coronavirus disease 2019 (COVID-19) pandemic has caused an unprecedented health crisis for the global. Digital contact tracing, as a transmission intervention measure, has shown its effectiveness on pandemic control. Despite intensive research on digital contact tracing, existing solutions can hardly meet users' requirements on privacy and convenience. In this paper, we propose BU-Trace, a novel permissionless mobile system for privacy-preserving intelligent contact tracing based on QR code and NFC technologies. First, a user study is conducted to investigate and quantify the user acceptance of a mobile contact tracing system. Second, a decentralized system is proposed to enable contact tracing while protecting user privacy. Third, an intelligent behavior detection algorithm is designed to ease the use of our system. We implement BU-Trace and conduct extensive experiments in several real-world scenarios. The experimental results show that BU-Trace achieves a privacy-preserving and intelligent mobile system for contact tracing without requesting location or other privacy-related permissions.

Social and Information Networks,Cryptography and Security,Computers and Society

Jinyue Song,Tianbo Gu,Zheng Fang,Xiaotao Feng,Yunjie Ge,Hao Fu,Pengfei Hu,Prasant Mohapatra

DOI: https://doi.org/10.48550/arXiv.2007.10529

2022-02-02

Abstract:COVID-19 is a severe global epidemic in human history. Even though there are particular medications and vaccines to curb the epidemic, tracing and isolating the infection source is the best option to slow the virus spread and reduce infection and death rates. There are three disadvantages to the existing contact tracing system: 1. User data is stored in a centralized database that could be stolen and tampered with, 2. User's confidential personal identity may be revealed to a third party or organization, 3. Existing contact tracing systems only focus on information sharing from one dimension, such as location-based tracing, which significantly limits the effectiveness of such systems. We propose a global COVID-19 information sharing and risk notification system that utilizes the Blockchain, Smart Contract, and Bluetooth. To protect user privacy, we design a novel Blockchain-based platform that can share consistent and non-tampered contact tracing information from multiple dimensions, such as location-based for indirect contact and Bluetooth-based for direct contact. Hierarchical smart contract architecture is also designed to achieve global agreements from users about how to process and utilize user data, thereby enhancing the data usage transparency. Furthermore, we propose a mechanism to protect user identity privacy from multiple aspects. More importantly, our system can notify the users about the exposure risk via smart contracts. We implement a prototype system to conduct extensive measurements to demonstrate the feasibility and effectiveness of our system.

Cryptography and Security,Networking and Internet Architecture

Qiang Tang

DOI: https://doi.org/10.1145/3490490

2022-06-30

ACM Transactions on Spatial Algorithms and Systems

Abstract:In the current COVID-19 pandemic, manual contact tracing has been proven to be very helpful to reach close contacts of infected users and slow down spread of the virus. To improve its scalability, a number of automated contact tracing (ACT) solutions have been proposed, and some of them have been deployed. Despite the dedicated efforts, security and privacy issues of these solutions are still open and under intensive debate. In this article, we examine the ACT concept from a broader perspective, by focusing on not only security and privacy issues but also functional issues such as interface, usability, and coverage. We first elaborate on these issues and particularly point out the inevitable privacy leakages in existing Bluetooth Low Energy based ACT solutions, including centralized and decentralized ones. In addition, we examine the existing venue-based ACT solutions and identify their privacy and security concerns. Then, we propose a generic venue-based ACT solution and a concrete instantiation based on Bluetooth Low Energy technology. Our solution monitors users’ contacting history only in virus-spreading-prone venues and offers higher-level protection for both security and privacy than its predecessors. Finally, we evaluate our solution from security, privacy, and efficiency perspectives, and also highlight how to reduce false positives in some specific indoor environments.