COVID-19 Tracker Apps and Apple Google Contact Tracing API

The need for interoperability and standardisation

Kristijan Cvetkovic
Apr 11, 2020

The global countermeasures to contain the current pandemic are still at the very beginning. Effective tracking of infections and early containment will be a critical success factor in the upcoming months. Tracking apps might assist health authorities, but they need to address privacy concerns and currently lack interoperability. There won’t be one app to track them all but many apps that address local regulations and specificities. The key to global containment of the pandemic is the interoperability between those apps. The new Contact Tracing API and the proposed extension Contact Tracing Backend might be a step towards achieving this goal.

Contact Tracing API

In a remarkable joint effort, Apple and Google published the first draft of their Contact Tracing API Specification, which will be available in May. This marks a first step towards the required standardisation of COVID-19 tracking apps. Up until now, tracking apps had to rely on initiatives such as PEPP-PT, DP-3T or their own implementations to handle the technical details of proximity detection, cryptography and privacy.

First reviews of the Contact Tracing API focused on privacy, and the core concepts seem to be legit and sound. But there is a simple truth: the Contact Tracing API is neither an application framework nor a blueprint, but a core API.

Key questions and architectural decisions for app developers are not addressed, such as

(a) How does an app pull published diagnosis keys?

(b) Who is allowed to pull the published diagnosis keys?

(c) When and how often shall apps pull diagnosis keys?

(d) How does an app push its diagnosis keys in case of a positive diagnosis?

(e) How is the push of diagnosis keys secured to prevent pranksters and fraud attempts?

(f) Where and how are the diagnosis keys stored?

(g) What data needs to be stored in the cloud beside the diagnosis keys?

(h) How can apps of different developers share diagnosis keys?

The first draft of the Contact Tracing Bluetooth Specification does not answer those questions. Apple and Google seem to leave it up to the app developers to close the gaps.

Status quo: COVID-19 Tracking Apps

The Apple App Store and Google Play Store are currently flooded with COVID-19 tracking apps developed by private, NGO, corporate or government developers. The inconvenient truth is that fragmented tracking with separate data pools probably won’t reach its full potential in containing the current pandemic.

The current approach by governments and health authorities seems to be to choose one app out of the existing pool and to endorse it as the official tracking app for their national or regional realm. But each government or health authority will choose its own favorite. Hence, global standardisation on one single app is not to be expected. This approach might help during the beginning of the expected phase 2 to track new infections on a constrained regional/national level, but will reach its limits as soon as travel restrictions are reduced.

Proposed solution: Contact Tracing Backend

A solution to tackle this problem would be an interoperability mechanism between tracking apps. Apps could use the standardised Contact Tracing API to do the heavy lifting on-device and a standardised Contact Tracing Backend to do the heavy lifting required to exchange diagnosis keys.

Key components and interactions

The key concepts are

(1) Health authorities send a signed one-time token (SOTT) with the preferred Contact Tracing Backend Provider to users in case of a positive diagnosis. This could be done e.g. by encoding the data in a QR Code.

(2) Users use the SOTT, e.g. by scanning the QR Code to authorize their preferred app to push the diagnosis keys

(3) App pushes the diagnosis keys of the user, a geohash, the SOTT and the Health Authority (HA) ID to the preferred Contact Tracing Backend Provider

(4) Contact Tracing Backend Providers validate the push with pre-shared public keys of the HA and reject unauthorized pushes

(5) Contact Tracing Backend Providers can synchronize their data with other Contact Tracing Backend Providers

(6) App can pull diagnosis keys from Contact Tracing Backend Providers by geohash and date

(7) A Contact Tracing Registry lists all Contact Tracing Backend Providers and their public keys
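
Steps (1) and (4) as an added Go example, not taken from the draft specification or the author's code: a health authority signs a one-time token, and the backend accepts a push only if the token verifies against a pre-shared key and has not been redeemed before. The token layout, the choice of Ed25519, the ID `HA-EXAMPLE` and all type and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

var ErrUnauthorized, ErrReplay = errors.New("not signed by a known HA"), errors.New("token already redeemed")

// SOTT is a hypothetical token layout; the draft spec's own format is not reproduced here.
type SOTT struct {
	HAID  string   // health authority ID, selects the verification key
	Nonce [16]byte // random per token, makes it unique
	Sig   []byte   // HA signature over msg(); Ed25519 is an assumption
}

func (t SOTT) msg() []byte { return []byte(fmt.Sprintf("%s|%x", t.HAID, t.Nonce)) }

// Backend holds the pre-shared HA public keys and the tokens already redeemed.
type Backend struct {
	Keys  map[string]ed25519.PublicKey
	Spent map[string]bool
}

// AcceptPush is step (4): accept only a token signed by a known HA and not used before.
func (b *Backend) AcceptPush(t SOTT) error {
	pub, known := b.Keys[t.HAID]
	if !known || !ed25519.Verify(pub, t.msg(), t.Sig) {
		return ErrUnauthorized
	}
	if b.Spent[string(t.msg())] {
		return ErrReplay
	}
	b.Spent[string(t.msg())] = true
	return nil
}

// demo redeems constructed tokens: valid, replayed, signed by an unregistered key.
func demo() []error {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, rogue, _ := ed25519.GenerateKey(nil)
	b := &Backend{Keys: map[string]ed25519.PublicKey{"HA-EXAMPLE": pub}, Spent: map[string]bool{}}
	issue := func(k ed25519.PrivateKey, t SOTT) SOTT { t.Sig = ed25519.Sign(k, t.msg()); return t }
	good := issue(priv, SOTT{HAID: "HA-EXAMPLE", Nonce: [16]byte{1}})
	forged := issue(rogue, SOTT{HAID: "HA-EXAMPLE", Nonce: [16]byte{2}})
	return []error{b.AcceptPush(good), b.AcceptPush(good), b.AcceptPush(forged)}
}

func main() { fmt.Println(demo()) }
```

The signature is checked before the spent set is consulted, so an unsigned or forged token can never mark a nonce as used. A production backend would make the check-and-mark on the spent set atomic and persistent, since a race there lets one token be redeemed twice.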

Next steps

The first draft of a Contact Tracing Backend Specification is published as a discussion paper at github.com/credeo/covid19-ctb-spec.

Kristijan Cvetkovic

Founder and CEO of credeo GmbH, Cologne Germany. Cloud native app developer.