COVID, Cryptography and Certificates

What if coronavirus, rather than commerce, drives us to build the digital identity infrastructure that we so desperately need?

The role of new technology, and mobile phones in particular, to fight the COVID-19 pandemic is critical to getting things back under control and restoring the economy to some semblance of normality. The Economist made this point and described the three categories of tools being developed and deployed in the battle against the virus. The first is documentation: using technology to say where people are, where they have been or what their disease status is. The second is modelling: gathering data which help explain how the disease spreads. The third is contact tracing: identifying people who have had contact with others known to be infected.

In a modern society with near-complete smartphone penetration, these tools can be very effective. In China, to begin with the obvious case study, the authorities use algorithms to estimate the probability that a given neighbourhood or has exposure to the virus by matching smartphone location data against the known locations of infected individuals or groups. This information is then used to target limited medical resources more efficiently by, for example, directing tests for the virus to high-risk subjects identified by the artificial intelligence algorithm.

South Korea has been especially effective at containing the virus with an aggressive testing, tracing and monitoring regime.

People who tested positive were asked to describe their recent movements, aided by GPS phone tracking, surveillance camera records and credit card transactions. Those details enabled the Korea Centres for Disease Control and Prevention to issue alerts, in real time, about where infected people had been before their positive status was confirmed.

From Test, trace, contain: how South Korea flattened its coronavirus curve | World news | The Guardian:

When it comes to contact tracing, it is obviously more effective to protect the population by using new technology rather than by relying on the memories and notes of people who test positive. Implementing a system to do this doesn’t have to be a Big Brother option. I think that through the miracles of cryptographic blinding, differential privacy and all sorts of other techniques that are actually quite simple to implement in the virtual world (but have no conventional analogues) we ought to be able to find ways to provide privacy that is a defence against surveillance capitalism or state invasion but also flexible enough to come to our aid in the case of national emergency.

One of the first countries to go with a more privacy-sensitive approach was Singapore, where the Ministry of Health worked with the Government Technology Agency to launch an app for contact tracing. This app, called “TraceTogether”, was installed by more than 600,000 Singapore residents within the first week of its launch in March 2020. The app works by using Bluetooth signals between phones to detect other participating TraceTogether users in close proximity (ie, within 2m) for some time (originally for 30 minutes). Records of such encounters are stored locally on each person’s phone. If a person tests positive for the virus, then that person can consent to send the contact records from their phone up to the Ministry of Health, which can then message the people that the person was in contact with to suggest they get tested. That contact data is stored in encrypted form on the consumer device, is deleted after 21 days and has the person’s identity (and those of their contacts) pseudonymised. However, it remains a centralised database and identities could be de-anonymised relatively easily.

Privacy, Please

In Europe, a collaborative effort called “Decentralized Privacy-Preserving Proximity Tracing” (DP-3T) put forward a Bluetooth-based solution similar to TraceTogether but with a privacy-preserving architecture. At the heart of this architecture is an open protocol for proximity tracing using Bluetooth Low Energy (BLE) functionality on mobile devices that ensures personal data and stays entirely on an individual’s device. (It was produced by a core team of over 25 scientists and academic researchers from across Europe and open to wide scrutiny.)

Under this more private approach, devices broadcast identifiers that change every hour (or day or whatever) and these “ephemeral IDs” (ephIDs) are stored by other nearby devices together with the duration of the contact and a “coarse” timestamp (ie, to the nearest day). When someone is diagnosed with the disease, their phone can upload all of the ephIDs that it broadcast while the person was infected to a health authority server somewhere. Everyone’s phone periodically checks this server to see if it had heard any of the ephIDs from an infected person and if so how long for, and can then calculate the risk and tell the user whether to go for testing or not. Since all the devices (and the health server) ever store is the ephIDs, no personal data can leak through the system.
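The flow described above, as an added sketch that is not code from the original post or from the protocol's authors: phones rotate random ephIDs, record what they hear with a day-level timestamp, and do the matching on the device. The 16-byte random ephIDs, the 15-minute risk threshold and the `Phone` / `simulate` names are assumptions made for illustration; the 14-day retention is the figure the post gives for COVID-19.

```python
import secrets
from collections import defaultdict

EXPOSURE_MINUTES = 15  # assumed risk threshold; the page does not state one
RETENTION_DAYS = 14    # server retention for COVID-19, as stated in the text

class Phone:
    def __init__(self):
        self.sent = []   # (day, ephID) pairs this phone has broadcast
        self.heard = []  # (ephID, coarse day, minutes) heard from nearby phones

    def new_ephid(self, day):
        """Rotate to a fresh random identifier that says nothing about the owner."""
        self.sent.append((day, secrets.token_bytes(16)))
        return self.sent[-1][1]

    def upload(self, server, first_infectious_day, today):
        """On diagnosis, publish only the ephIDs broadcast while infectious."""
        for day, ephid in self.sent:
            if day >= first_infectious_day:
                server[ephid] = today  # server maps ephID -> upload day

    def at_risk(self, server, today):
        """Match published ephIDs on the device and total contact time per day."""
        # Entries older than RETENTION_DAYS are treated as removed by the server.
        live = {e for e, up in server.items() if today - up <= RETENTION_DAYS}
        minutes = defaultdict(int)
        for ephid, day, mins in self.heard:
            if ephid in live:
                minutes[day] += mins
        return any(total >= EXPOSURE_MINUTES for total in minutes.values())

def simulate():
    """Constructed scenario: Bob is near Alice for 20 minutes, Carol for 5."""
    alice, bob, carol, server = Phone(), Phone(), Phone(), {}
    alice.new_ephid(day=1)                             # before infectious window
    bob.heard.append((alice.new_ephid(day=3), 3, 10))
    bob.heard.append((alice.new_ephid(day=3), 3, 10))  # ephID rotated mid-contact
    carol.heard.append((alice.new_ephid(day=4), 4, 5))
    alice.upload(server, first_infectious_day=2, today=5)
    return {
        "bob": bob.at_risk(server, today=5),
        "carol": carol.at_risk(server, today=5),
        "published": len(server),
        "bob_after_expiry": bob.at_risk(server, today=5 + RETENTION_DAYS + 1),
    }

if __name__ == "__main__":
    print(simulate())
```

The server dictionary only ever holds random byte strings and upload days, and the contact records never leave the phones that collected them.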

One particularly attractive aspect of the DP-3T approach is “graceful dismantling”, which means that the tracking system will dismantle itself when a pandemic ends because people will stop using the app and will stop uploading their data to the central server (server data is removed after 14 days in the case of COVID-19 tracking, but with other diseases I can imagine that the time during which infected people can infect others might be different). This is a good basis to proceed. Someone who I always take seriously about this sort of thing is Gus Hosein, the executive director of Privacy International. Gus has said that he is “relatively relaxed about contact-tracing apps in which data is anonymised and well-regulated” and I agree. Although, of course, notions of what might constitute “well-regulated” might differ between stakeholders.

This privacy-enhanced approach to contact tracing received a significant boost when Google and Apple announced that they would work together to deliver a similar solution for the mass market. They published a specification for just such a privacy-enhancing proximity contact tracking app and APIs for health organisations to use. Even more interestingly, in a coming version of the system (planned for June) Apple and Google say they will add the functionality at the operating system level so that users can enable contact-tracing even without an app installed, although I can see some potential problems arising here as it appears that Big Tech will decide who can and cannot use this service.

The row has already broken out in France, where the Minister for Digital Things, Cedric O (who I had the great pleasure of meeting at lunch at the Paris Fintech Forum this year) says he wants Big Tech to “lift the technical hurdle to allow us to develop a sovereign European health solution”. His motivations are wholly good, but I am not sure if asking Big Tech to turn off privacy protections is the best way forward.

What may be a better way forward is, I think, already clear. I note that both the Austrian and Swiss health authorities have said that they will implement the DP-3T system running over the Apple/Google APIs. As I said a few days ago, I thought there was a workable compromise coming here: that is, Big Tech will allow Bluetooth running in the background so long as the data stays on the devices as per DP-3T. More evidence to support this view has arrived from Germany, which has now decided to go down this route, with Reuters reporting that “Apple’s iPhone would under the proposed setup only work properly with decentralized protocols such as DP-3T”.

There remains the question of who will maintain the database of ephemeral IDs. In the UK, there is an obvious answer, which is the NHS. And indeed, this is what is happening. The Health Minister, Matt Hancock, announced that just such an app would be deployed. NHSX, the NHS’ new technology unit, has been working on the app in the hope that it can help alleviate lockdown by tracking infections, although whether it will use DP-3T or the Apple/Google APIs I couldn’t say since no details have been released so far.

Now, these apps will only have an impact if a significant fraction of the population use them. It is outside my field of expertise to speculate as to what fraction will be required, but in the case of Singapore only around a fifth of the population used the apps (when the authorities had been hoping for three-quarters) and this was insufficient to stave off lockdown. However, I am optimistic: if a privacy-enhanced contact tracing capability is standard on smartphones and people can be encouraged to turn it on once every few years when a pandemic sweeps through, we can make progress against these diseases.

(Even if it arrives too late to help with COVID-19, it will be a useful capability to have in place for the next pandemic.)

Papers, Please

There’s a fourth category of tool not mentioned in that Economist article: demonstrating that people have the COVID-19 antibodies and are thus no longer susceptible to infection. Bill Gates has been talking about issuing digital certificates to show “who has recovered or been tested recently or when we have a vaccine who has received it” and in this, as in so many other things, he is certainly correct.

The problem of getting such a certificate is hardly new, by the way. Here is Daniel Defoe writing in his “Journal of the Plague Year” about his experiences in London in 1665, noting that “there was no getting at the Lord Mayor’s door without exceeding difficulty; there were such pressing and crowding there to get passes and certificates of health for such as travelled abroad, for without these there was no being admitted to pass through the towns upon the road, or to lodge in any inn”.

Now, we might imagine that the certificate that you need to present to the Woking Holiday Inn on check in might now be on a mobile phone rather than on paper, lovingly hand scribed by the Mayor of Woking in person, but you get the point. Other countries are proceeding with similar plans. Germany, for example, plans to test 100,000 people at a time, issuing documentation to those who have built up an immunity. Here in the UK, there are similar calls for action, asking for members of the public to be issued with “an all-clear ‘certificate’ allowing them out of lockdown”.

These certificates must be secure, of course. The national emergency of the pandemic does not prevent the unscrupulous or downright criminal from attempting to obtain advantage. I was surprised, but hardly shocked, to read that Amazon and eBay had to remove NHS lanyards from sale because of worries that non-NHS people would buy them in order to gain access to supermarkets during time set aside for key workers to shop. I must mention that my good friends over at Yoti have created a mobile version of the NHS ID that should put a stop to this kind of abuse.

But as a general point, as Ross Anderson points out, compulsory services (as for quarantine) face threats. If you need a certificate to get into the cinema, then people will pay for bogus certificates or otherwise try to game the system (which is why it needs to be built on a proper, privacy-enhancing digital identity infrastructure and not hacked up on top of something knocked up in a crisis). There are a great many non-technological issues that need to be addressed here to set up the right ethical and more framework. I do not underestimate the importance of these. As Emily Mullins wrote

Immunity certificates could be the get-out-jail-free card that many Americans so desperately want, but they could also create more uncertainty and risks for the people they are meant to help most.

From ‘Immunity Passports’ Could Create a New Category of Privilege:

The point I want to make here is that, as with contact tracing, cryptography and can help to deliver the right kind of system. There’s no reason why your certificate to show you are recovered from the virus should give up any other personal information. And this, to me, is a very interesting example of how technology can be used in ways that enhance privacy if the decision is made to go in this direction. And, as far as trade-offs go, allowing the majority of the population to move out of quarantine and reboot their lives seems pretty important when compared to the continued lockdown of those without certificates.

(The technology could go further, of course. In China, the authorities check records of medicine purchases to track down people who have attempted to get out of quarantine. In South Korea, the authorities link mobile phone location records, payment card purchases records and so on to make an effective tracking and tracing routine.)

Dealing with the pandemic has brought issues of security and privacy to the fore and made many of us rethink some of the issues. It is time for serious and informed national debate about building a digital identity infrastructure that will support not only government and business but also society in an interconnected age. It is more important than HS2. We wouldn’t have wanted it this way, but we must not let the coronavirus catastrophe go to waste.

My opinions are my own (I think).