Qiang Tang

DOI: https://doi.org/10.48550/arXiv.2004.06818

2020-04-14

Cryptography and Security

Abstract:The COVID-19 pandemic has posed a unique challenge for the world to find solutions, ranging from vaccines to ICT solutions to slow down the virus spreading. Due to the highly contagious nature of the virus, social distancing is one fundamental measure which has already adopted by many countries. At the technical level, this prioritises contact tracing solutions, which can alert the users who have been in close contact with the infected persons and meanwhile allow heath authorities to take proper actions. In this paper, we examine several existing privacy-aware contact tracing solutions and analyse their (dis)advantages. At the end, we describe several major observations and outline an interdisciplinary research agenda towards more comprehensive and effective privacy-aware contact tracing solutions.

Zhe Peng,Jinbin Huang,Haixin Wang,Shihao Wang,Xiaowen Chu,Xinzhi Zhang,Li Chen,Xin Huang,Xiaoyi Fu,Yike Guo,Jianliang Xu

DOI: https://doi.org/10.48550/arXiv.2101.09653

2021-01-24

Abstract:The coronavirus disease 2019 (COVID-19) pandemic has caused an unprecedented health crisis for the global. Digital contact tracing, as a transmission intervention measure, has shown its effectiveness on pandemic control. Despite intensive research on digital contact tracing, existing solutions can hardly meet users' requirements on privacy and convenience. In this paper, we propose BU-Trace, a novel permissionless mobile system for privacy-preserving intelligent contact tracing based on QR code and NFC technologies. First, a user study is conducted to investigate and quantify the user acceptance of a mobile contact tracing system. Second, a decentralized system is proposed to enable contact tracing while protecting user privacy. Third, an intelligent behavior detection algorithm is designed to ease the use of our system. We implement BU-Trace and conduct extensive experiments in several real-world scenarios. The experimental results show that BU-Trace achieves a privacy-preserving and intelligent mobile system for contact tracing without requesting location or other privacy-related permissions.

Social and Information Networks,Cryptography and Security,Computers and Society

Ssu-Hsin Yu

DOI: https://doi.org/10.48550/arXiv.2006.08568

2020-06-16

Abstract:Smartphone location-based methods have been proposed and implemented as an effective alternative to traditional labor intensive contact tracing methods. However, there are serious privacy and security concerns that may impede wide-spread adoption in many societies. Furthermore, these methods rely solely on proximity to patients, based on Bluetooth or GPS signal for example, ignoring lingering effects of virus, including COVID-19, present in the environment. This results in inaccurate risk assessment and incomplete contact tracing. A new system concept, called PrivyTRAC, preserves user privacy, increases security and improves accuracy of smartphone contact tracing. PrivyTRAC enhances users' and patients' privacy by letting users conduct self-evaluation based on the risk maps download to their smartphones. No user information is transmitted to external locations or devices, and no personally identifiable patient information is embedded in the risk maps as they are processed anonymized and aggregated locations of confirmed patients. The risk maps consider both spatial proximity and temporal effects to improve the accuracy of the infection risk estimation. Experiments conducted in the paper illustrate improvement of PrivyTRAC over proximity based methods in terms of true and false positives. An approach to further improve infection risk estimation by incorporating both positive and negative local test results from contacts of confirmed cases is also described.

Computers and Society,Cryptography and Security

Jianwei Huang,Vinod Yegneswaran,Phillip Porras,Guofei Gu

DOI: https://doi.org/10.48550/arXiv.2012.03283

2020-12-09

Abstract:Smartphone-based contact-tracing applications are at the epicenter of the global fight against the Covid-19 pandemic. While governments and healthcare agencies are eager to mandate the deployment of such applications en-masse, they face increasing scrutiny from the popular press, security companies, and human rights watch agencies that fear the exploitation of these technologies as surveillance tools. Finding the optimal balance between community safety and privacy has been a challenge, and strategies to address these concerns have varied among countries. This paper describes two important attacks that affect a broad swath of contact-tracing applications. The first, referred to as contact-isolation attack, is a user-privacy attack that can be used to identify potentially infected patients in your neighborhood. The second is a contact-pollution attack that affects the integrity of contact tracing applications by causing them to produce a high volume of false-positive alerts. We developed prototype implementations and evaluated both attacks in the context of the DP-3T application framework, but these vulnerabilities affect a much broader class of applications. We found that both attacks are feasible and realizable with a minimal attacker work factor. We further conducted an impact assessment of these attacks by using a simulation study and measurements from the SafeGraph database. Our results indicate that attacks launched from a modest number (on the order of 10,000) of monitoring points can effectively decloak between 5-40\% of infected users in a major metropolis, such as Houston.

Cryptography and Security,Computers and Society

Scott McLachlan,Peter Lucas,Kudakwashe Dube,Graham A Hitman,Magda Osman,Evangelia Kyrimi,Martin Neil,Norman E Fenton

DOI: https://doi.org/10.48550/arXiv.2005.06621

2020-05-16

Abstract:Many digital solutions mainly involving Bluetooth technology are being proposed for Contact Tracing Apps (CTA) to reduce the spread of COVID-19. Concerns have been raised regarding privacy, consent, uptake required in a given population, and the degree to which use of CTAs can impact individual behaviours. However, very few groups have taken a holistic approach and presented a combined solution. None has presented their CTA in such a way as to ensure that even the most suggestible member of our community does not become complacent and assume that CTA operates as an invisible shield, making us and our families impenetrable or immune to the disease. We propose to build on some of the digital solutions already under development that, with addition of a Bayesian model that predicts likelihood for infection supplemented by traditional symptom and contact tracing, that can enable us to reach 90% of a population. When combined with an effective communication strategy and social distancing, we believe solutions like the one proposed here can have a very beneficial effect on containing the spread of this pandemic.

Computers and Society

Kristof Roomp,Nuria Oliver

DOI: https://doi.org/10.48550/arXiv.2004.07463

2020-04-16

Abstract:As we enter the control phase of the COVID-19 pandemic, many efforts have been dedicated to developing smartphone-based contact tracing apps in order to automatically identify people that a person with COVID-19 might have infected. These applications while potentially useful, present significant adoption, societal, technical and privacy challenges. We propose ACDC-Tracing, a simpler, anonymous, voucher-based contact tracing solution that relies on peoples' knowledge of their own close contacts. People who test positive are given an anonymous voucher which they can share with a limited number of people whom they think they might be infected. The recipients can use this voucher to book a COVID-19 test and can receive their test results without ever revealing their identity. People receiving positive result are given vouchers to further backtrack the path of infection. This is a fully anonymous solution which does not require any sharing of location data, Bluetooth, or having an app installed on people's mobile device. Moreover, ACDC-Tracing can be tested for effectiveness at a small scale without requiring adoption by the entire population, which would enable acquiring fast evidence about its efficacy and scalability. Finally, it is compatible with and complementary to alternative approaches to contact tracing.

Computers and Society

Tianshi Li,Jackie,Yang,Cori Faklaris,Jennifer King,Yuvraj Agarwal,Laura Dabbish,Jason I. Hong

DOI: https://doi.org/10.48550/arXiv.2005.11957

2020-05-25

Abstract:Contact-tracing apps have potential benefits in helping health authorities to act swiftly to halt the spread of COVID-19. However, their effectiveness is heavily dependent on their installation rate, which may be influenced by people's perceptions of the utility of these apps and any potential privacy risks due to the collection and releasing of sensitive user data (e.g., user identity and location). In this paper, we present a survey study that examined people's willingness to install six different contact-tracing apps after informing them of the risks and benefits of each design option (with a U.S.-only sample on Amazon Mechanical Turk, $N=208$). The six app designs covered two major design dimensions (centralized vs decentralized, basic contact tracing vs. also providing hotspot information), grounded in our analysis of existing contact-tracing app proposals. Contrary to assumptions of some prior work, we found that the majority of people in our sample preferred to install apps that use a centralized server for contact tracing, as they are more willing to allow a centralized authority to access the identity of app users rather than allowing tech-savvy users to infer the identity of diagnosed users. We also found that the majority of our sample preferred to install apps that share diagnosed users' recent locations in public places to show hotspots of infection. Our results suggest that apps using a centralized architecture with strong security protection to do basic contact tracing and providing users with other useful information such as hotspots of infection in public places may achieve a high adoption rate in the U.S.

Human-Computer Interaction,Computers and Society

Lucie White,Philippe van Basshuysen

DOI: https://doi.org/10.1007/s11948-021-00301-0

IF: 3.777

2021-03-29

Science and Engineering Ethics

Abstract:Abstract At the beginning of the COVID-19 pandemic, high hopes were placed on digital contact tracing. Digital contact tracing apps can now be downloaded in many countries, but as further waves of COVID-19 tear through much of the northern hemisphere, these apps are playing a less important role in interrupting chains of infection than anticipated. We argue that one of the reasons for this is that most countries have opted for decentralised apps, which cannot provide a means of rapidly informing users of likely infections while avoiding too many false positive reports. Centralised apps, in contrast, have the potential to do this. But policy making was influenced by public debates about the right app configuration, which have tended to focus heavily on privacy, and are driven by the assumption that decentralised apps are “privacy preserving by design”. We show that both types of apps are in fact vulnerable to privacy breaches, and, drawing on principles from safety engineering and risk analysis, compare the risks of centralised and decentralised systems along two dimensions, namely the probability of possible breaches and their severity. We conclude that a centralised app may in fact minimise overall ethical risk, and contend that we must reassess our approach to digital contact tracing, and should, more generally, be cautious about a myopic focus on privacy when conducting ethical assessments of data technologies.

ethics,history & philosophy of science,multidisciplinary sciences,engineering, multidisciplinary

Pai Chet Ng,Petros Spachos,Stefano Gregori,Konstantinos Plataniotis

DOI: https://doi.org/10.48550/arXiv.2108.02008

2021-08-03

Abstract:Digital contact tracing has emerged as a viable tool supplementing manual contact tracing. To date, more than 100 contact tracing applications have been published to slow down the spread of highly contagious Covid-19. Despite subtle variabilities among these applications, all of them achieve contact tracing by manipulating the following three components: a) use a personal device to identify the user while designing a secure protocol to anonymize the user's identity; b) leverage networking technologies to analyze and store the data; c) exploit rich sensing features on the user device to detect the interaction among users and thus estimate the exposure risk. This paper reviews the current digital contact tracing based on these three components. We focus on two personal devices that are intimate to the user: smartphones and wearables. We discuss the centralized and decentralized networking approaches that use to facilitate the data flow. Lastly, we investigate the sensing feature available on smartphones and wearables to detect the proximity between any two users and present experiments comparing the proximity sensing performance between these two personal devices.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

A. De Carli,M. Franco,A. Gassmann,C. Killer,B. Rodrigues,E. Scheid,D. Schoenbaechler,B. Stiller

DOI: https://doi.org/10.48550/arXiv.2004.08812

2020-04-19

Abstract:For the protection of people and society against harm and health threats -- especially for the COVID-19 pandemic -- a variety of different disciplines needs to be involved. The data collection of very basic and health-related data of individuals in today's highly mobile society does help to plan, protect, and identify next steps health authorities and governments can, shall, or need to plan for or even implement. Thus, every individual, every human, and every inhabitant of the world is the key player -- very different to many past crises'. And since the individual is involved -- all individuals -- his/her (a) health and (b) privacy shall be considered in a very carefully crafted balance, not overruling one aspect with another one or even prioritizing certain aspects. Privacy remains the key. Thus, the solution of the current pandemic's data collection can be based on a fully privacy-preserving application, which can be used by individuals on their mobile devices, such as smartphones, while maintaining at the same time their privacy. Additionally, respective data collected in such a fully distributed setting does help to confine the pandemic and can be achieved in a democratic and very open, but still and especially privacy-protecting world. Therefore, the WeTrace approach and application as described in this paper utilizes the Bluetooth Low Energy (BTE) communication channel, many modern mobile devices offer, where asymmetric cryptography is being applied to allows for the decyphering of a message for that destination it had been intended for. Since literally every other potential participant only listens to random data, even a brute force attack will not succeed. WeTrace and its Open Source implementation is the only known approach so far, which ensures that any receiver of a message knows that this is for him/her, but does not know who the original sender was.

Cryptography and Security

Hao Xu,Lei Zhang,Oluwakayode Onireti,Yang Fang,William J. Buchanan,Muhammad Ali Imran

DOI: https://doi.org/10.1109/jiot.2020.3025953

IF: 10.6

2021-03-01

IEEE Internet of Things Journal

Abstract:The outbreak of the coronavirus disease 2019 (COVID-19) pandemic has exposed an urgent need for effective contact tracing solutions through mobile phone applications to prevent the infection from spreading further. However, due to the nature of contact tracing, public concern on privacy issues has been a bottleneck to the existing solutions, which is significantly affecting the uptake of contact tracing applications across the globe. In this article, we present a blockchain-enabled privacy-preserving contact tracing scheme: BeepTrace, where we propose to adopt blockchain bridging the user/patient and the authorized solvers to desensitize the user ID and location information. Compared with recently proposed contact tracing solutions, our approach shows higher security and privacy with the additional advantages of being battery friendly and globally accessible. Results show viability in terms of the required resource at both server and mobile phone perspectives. Through breaking the privacy concerns of the public, the proposed BeepTrace solution can provide a timely framework for authorities, companies, software developers, and researchers to fast develop and deploy effective digital contact tracing applications, to conquer the COVID-19 pandemic soon. Meanwhile, the open initiative of BeepTrace allows worldwide collaborations, integrate existing tracing and positioning solutions with the help of blockchain technology.

computer science, information systems,telecommunications,engineering, electrical & electronic

Meng Shen,Yaqian Wei,Tong Li

2020-01-01

Abstract: Large-scale COVID-19 infections have occurred worldwide, which has caused tremendous impact on the economy and people's lives. The traditional method for tracing contagious virus, for example, determining the infection chain according to the memory of infected people, has many drawbacks. With the continuous spread of the pandemic, many countries or organizations have started to study how to use mobile devices to trace COVID-19, aiming to help people automatically record information about incidents with infected people through technologies, reducing the manpower required to determine the infection chain and alerting people at risk of infection. This article gives an overview on various Bluetooth-based COVID-19 proximity tracing proposals including centralized and decentralized proposals. We discussed the basic workflow and the differences between them before providing a survey of five typical proposals with explanations of their design features and benefits. Then, we summarized eight security and privacy design goals for Bluetooth-based COVID-19 proximity tracing proposals and applied them to analyze the five proposals. Finally, open problems and future directions are discussed.

Jack K. Fitzsimons,Atul Mantri,Robert Pisarczyk,Tom Rainforth,Zhikuan Zhao

DOI: https://doi.org/10.48550/arXiv.2004.05116

2020-04-11

Abstract:The current COVID-19 pandemic highlights the utility of contact tracing, when combined with case isolation and social distancing, as an important tool for mitigating the spread of a disease [1]. Contact tracing provides a mechanism of identifying individuals with a high likelihood of previous exposure to a contagious disease, allowing additional precautions to be put in place to prevent continued transmission. Here we consider a cryptographic approach to contact tracing based on secure two-party computation (2PC). We begin by considering the problem of comparing a set of location histories held by two parties to determine whether they have come within some threshold distance while at the same time maintaining the privacy of the location histories. We propose a solution to this problem using pre-shared keys, adapted from an equality testing protocol due to Ishai et al [2]. We discuss how this protocol can be used to maintain privacy within practical contact tracing scenarios, including both app-based approaches and approaches which leverage location history held by telecoms and internet service providers. We examine the efficiency of this approach and show that existing infrastructure is sufficient to support anonymised contact tracing at a national level.

Cryptography and Security

Pai Chet Ng,Petros Spachos,Konstantinos N. Plataniotis

DOI: https://doi.org/10.1109/jsyst.2021.3055675

IF: 4.802

2021-12-01

IEEE Systems Journal

Abstract:While contact tracing is of paramount importance in preventing the spreading of infectious diseases, manual contact tracing is inefficient and time consuming as those in close contact with infected individuals are informed hours, if not days, later. This article proposes a smart contact tracing (SCT) system utilizing the smartphone's Bluetooth low energy signals and machine learning classifiers to automatically detect those possible contacts to infectious individuals. SCT's contribution is two-fold: a) classification of the user's contact as high/low-risk using precise proximity sensing, and b) user anonymity using a privacy-preserving communication protocol. To protect the user's privacy, both broadcasted and observed signatures are stored in the user's smartphone locally and only disseminate the stored signatures through a secure database when a user is confirmed by public health authorities to be infected. Using received signal strength each smartphone estimates its distance from other user's phones and issues real-time alerts when social distancing rules are violated. Extensive experimentation utilizing real-life smartphone positions and a comparative evaluation of five machine learning classifiers indicate that a decision tree classifier outperforms other state-of-the-art classification methods with an accuracy of about 90% when two users carry their smartphone in a similar manner. Finally, to facilitate research in this area while contributing to the timely development, the dataset of six experiments with about 123 000 data points is made publicly available.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Hyunghoon Cho,Daphne Ippolito,Yun William Yu

DOI: https://doi.org/10.48550/arXiv.2003.11511

2020-03-25

Cryptography and Security

Abstract:Contact tracing is an essential tool for public health officials and local communities to fight the spread of novel diseases, such as for the COVID-19 pandemic. The Singaporean government just released a mobile phone app, TraceTogether, that is designed to assist health officials in tracking down exposures after an infected individual is identified. However, there are important privacy implications of the existence of such tracking apps. Here, we analyze some of those implications and discuss ways of ameliorating the privacy concerns without decreasing usefulness to public health. We hope in writing this document to ensure that privacy is a central feature of conversations surrounding mobile contact tracing apps and to encourage community efforts to develop alternative effective solutions with stronger privacy protection for the users. Importantly, though we discuss potential modifications, this document is not meant as a formal research paper, but instead is a response to some of the privacy characteristics of direct contact tracing apps like TraceTogether and an early-stage Request for Comments to the community. Date written: 2020-03-24 Minor correction: 2020-03-30

Xiao Li,Wei Wu,Tiantian Chen

2022-01-01

Abstract:—Contact tracing has been proven an effective approach to mitigate the virus spread in pandemics like COVID-19. As an emerging powerful decentralized data sharing and storage technique, blockchain has been explored to ensure data privacy and security in contact tracing processes. Existing work mostly treats blockchain as a separate storage system requiring third-party servers to perform data collection and computation, and avoids revealing detailed interior design of blockchain storage. However, blockchain system is capable to work as a fully automatic distributed contact tracing system without any third-party server by tackling the following challenges: 1) how to ensure the contact tracing correctness without compromising privacy; 2) how to design efficient and effective consensus mechanism to ensure the system security and robustness; 3) how to design an incentive mechanism to motivate people to behave honestly. In this article, we present the Blockchain Based Contact Tracing Framework for the contact tracing problem. In the framework, RSA encryption based transaction verification algorithm (RSA-TVA) is proposed to ensure contact tracing correctness, which can achieve more than 97% contact case recording accuracy even when each person has 60% chance of failing to verify the contact information. Reputation Corrected Delegated Proof of Stack (RC-DPoS) consensus mechanism is applied to jointly work with the proposed incentive mechanism, which can ensure timeliness of reporting contact cases and meanwhile balance the reward gained by different people. A novel contact tracing simulation environment is created in the simulation part, which considers three different contact scenarios. The simulation results demonstrate the effectiveness, robustness and attack resistance of RSA-TVA and RC-DPoS in the proposed Blockchain Based Contact Tracing Framework.

Computer Science

Nadeem Ahmed,Regio A. Michelin,Wanli Xue,Sushmita Ruj,Robert Malaney,Salil S. Kanhere,Aruna Seneviratne,Wen Hu,Helge Janicke,Sanjay Jha

DOI: https://doi.org/10.1109/ACCESS.2020.3010226

2020-07-27

Abstract:The recent outbreak of COVID-19 has taken the world by surprise, forcing lockdowns and straining public health care systems. COVID-19 is known to be a highly infectious virus, and infected individuals do not initially exhibit symptoms, while some remain asymptomatic. Thus, a non-negligible fraction of the population can, at any given time, be a hidden source of transmissions. In response, many governments have shown great interest in smartphone contact tracing apps that help automate the difficult task of tracing all recent contacts of newly identified infected individuals. However, tracing apps have generated much discussion around their key attributes, including system architecture, data management, privacy, security, proximity estimation, and attack vulnerability. In this article, we provide the first comprehensive review of these much-discussed tracing app attributes. We also present an overview of many proposed tracing app examples, some of which have been deployed countrywide, and discuss the concerns users have reported regarding their usage. We close by outlining potential research directions for next-generation app design, which would facilitate improved tracing and security performance, as well as wide adoption by the population at large.

Cryptography and Security

Teng Li,Siwei Yin,Runze Yu,Yebo Feng,Lei Jiao,Yulong Shen,Jianfeng Ma

DOI: https://doi.org/10.1109/jsac.2022.3211547

IF: 16.4

2022-11-15

IEEE Journal on Selected Areas in Communications

Abstract:To fight against infectious diseases (e.g., SARS, COVID-19, Ebola, etc.), government agencies, technology companies and health institutes have launched various contact tracing approaches to identify and notify the people exposed to infection sources. However, existing tracing approaches can lead to severe privacy and security concerns, thereby preventing their secure and widespread use among communities. To tackle these problems, this paper proposes CoAvoid, an edge-based, privacy-preserved contact tracing system that features good dependability and usability. CoAvoid leverages the Google/Apple Exposure Notification (GAEN) API to achieve decent device compatibility and operating efficiency. It utilizes Bluetooth Low Energy (BLE) to detect close contact with other people and leverages GPS with fine-grained matching algorithms to verify user information. In addition, to enhance privacy protection, CoAvoid applies fuzzification and obfuscation measures to shelter sensitive data, making both servers and users agnostic to information of both low and high-risk populations. The evaluation demonstrates good efficacy and security of CoAvoid. Compared with four state-of-the-art contact tracing applications, CoAvoid can reduce the size of upload data by at least 90% and reduce the verification time by 92%. More importantly, CoAvoid can preserve user privacy and resist replay and wormhole attacks in all analysis scenarios.

telecommunications,engineering, electrical & electronic

Ruoxi Sun,Wei Wang,Minhui Xue,Gareth Tyson,Seyit Camtepe,Damith C. Ranasinghe

DOI: https://doi.org/10.48550/arXiv.2006.10933

2021-01-22

Abstract:The rapid spread of COVID-19 has made manual contact tracing difficult. Thus, various public health authorities have experimented with automatic contact tracing using mobile applications (or "apps"). These apps, however, have raised security and privacy concerns. In this paper, we propose an automated security and privacy assessment tool, COVIDGUARDIAN, which combines identification and analysis of Personal Identification Information (PII), static program analysis and data flow analysis, to determine security and privacy weaknesses. Furthermore, in light of our findings, we undertake a user study to investigate concerns regarding contact tracing apps. We hope that COVIDGUARDIAN, and the issues raised through responsible disclosure to vendors, can contribute to the safe deployment of mobile contact tracing. As part of this, we offer concrete guidelines, and highlight gaps between user requirements and app performance.

Cryptography and Security,Software Engineering

Didem Demirag,Erman Ayday

DOI: https://doi.org/10.48550/arXiv.2003.13073

2020-03-29

Cryptography and Security

Abstract:Today, tracking and controlling the spread of a virus is a crucial need for almost all countries. Doing this early would save millions of lives and help countries keep a stable economy. The easiest way to control the spread of a virus is to immediately inform the individuals who recently had close contact with the diagnosed patients. However, to achieve this, a centralized authority (e.g., a health authority) needs detailed location information from both healthy individuals and diagnosed patients. Thus, such an approach, although beneficial to control the spread of a virus, results in serious privacy concerns, and hence privacy-preserving solutions are required to solve this problem. Previous works on this topic either (i) compromise privacy (especially privacy of diagnosed patients) to have better efficiency or (ii) provide unscalable solutions. In this work, we propose a technique based on private set intersection between physical contact histories of individuals (that are recorded using smart phones) and a centralized database (run by a health authority) that keeps the identities of the positive diagnosed patients for the disease. Proposed solution protects the location privacy of both healthy individuals and diagnosed patients and it guarantees that the identities of the diagnosed patients remain hidden from other individuals. Notably, proposed scheme allows individuals to receive warning messages indicating their previous contacts with a positive diagnosed patient. Such warning messages will help them realize the risk and isolate themselves from other people. We make sure that the warning messages are only observed by the corresponding individuals and not by the health authority. We also implement the proposed scheme and show its efficiency and scalability via simulations.