A better way to Contact Trace Part II

Code Samples for Confidential Contact Tracing on a Secure and Distributed Computing Platform

Nick Hynes, Oasis Labs
Apr 15, 2020

In the previous article we identified that contact tracing applications can be made more useful by increasing privacy and gaining access to more data. Our proposed solution was to use a secure, distributed computing platform to (abstractly) centralize analysis of participants’ location and health data. As the data is kept private and its access auditable, there’s little barrier to contributing to a public shared dataset.

In this piece we venture into the technical details of how we use the Oasis platform for a contact tracing app.

Oasis as a Secure Distributed Computing Platform

Let’s start with what we mean by secure distributed computing platform. In the abstract, it’s a piece of infrastructure that runs verified programs on users’ private data such that the data is never revealed to either the application developer or the platform. Crucially, the platform provides a way for users and developers to verify that the programs are faithfully and securely executed. Through distribution, the verification mechanism is made highly available so that no bad actor can hide its misdeeds. In essence, distribution eliminates the need to trust any single computation provider, and security at runtime is what makes this possible.

The Oasis network implements a secure distributed computing platform using distributed blockchain-based consensus and trusted execution environments (TEEs) for security. For those unfamiliar with blockchain, the general idea is a fault-tolerant replicated state machine. For those unfamiliar with TEEs, they’re basically CPUs with a memory encryption engine and baked-in cryptographic keys that allow them to attest that they’re running authentic code on genuine hardware.

For those familiar with both TEEs and blockchain, the Oasis platform is, at its core, a protocol that verifiably instantiates a program in a TEE and provisions it with encryption and signing keys. Once consensus is achieved over the program’s (encrypted) output, the details of the invocation are appended to the immutable transaction log. Interested parties, both developers and users, can retrieve the authenticated results from the log and use them as trusted inputs to downstream applications. The platform hides low-level details like scheduling, key management, and attestation to provide an interface that looks like that of a centralized platform, but with confidentiality guarantees.

In our contact tracing app, we use the Oasis network to allow participants to share health and location data; have their risk analyzed and reported from a TEE-based algorithm; and construct an audit trail of how the data was used. For efficiency, the shared data is encrypted and posted to an immutable blob store. The encryption key is managed by the Oasis network and is only released to trusted contact tracing algorithms. With all users’ data now in one place, deploying a new contact tracing app simply requires obtaining consent from users to run the algorithm within the confines of a TEE. As granting, revoking, and requesting access are done through the Oasis platform, the transaction log leaves a nigh-unforgeable trail of which data was used by whom, and when.

With the requisite background in place, we can now forge onward to some code (no pun intended)…

Show me the code! Contact Tracing on Oasis

Developing a privacy-preserving contact tracing app on the Oasis network is made easy through the use of the Parcel SDK (more to come on this product in future posts), which frames data sharing as an interaction between identities, datasets, and data-use policies. A Parcel identity is a user’s entry point to the rest of the system and is the focal point of data management. Using a Parcel identity, the user uploads encrypted location data and creates a dataset on the Oasis platform that holds the decryption key. She then chooses to share her data with one (or more!) contact tracing applications by attaching a policy program to the dataset. She proceeds to sleep soundly knowing that the data cannot be directly read by the application developer, and that access can be revoked at any time. Then, at some later time, the contact tracing algorithm aggregates all users’ data and posts encrypted results back to each. The best part is that the privacy-preserving application affords exactly the same usability as a non-private alternative.

At this point, you may be thinking that creating an app with all these privacy controls must be a nightmare for the developer. And indeed, that would be the case were it not for the Parcel SDK, which neatly abstracts the concept of data sharing. The following code snippet (in TypeScript intended to target React Native) demonstrates the core functionality: identity creation, data upload, and sharing. You’ll hopefully note the lack of obvious blockchain-y-ness.

Contact tracing app code using the Oasis Labs Parcel SDK

Getting the data into the contact tracing backend algorithm is similarly straightforward. This next snippet runs in a trusted execution environment operated by a suitable cloud provider. The idea is to exchange a cryptographic attestation of the code and environment for the dataset decryption keys.

General framework for the contact tracing algorithm that runs in a TEE on aggregated users’ data.
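As an added example (not the Parcel SDK or any Oasis code; every identity, key and data value is constructed), this toy model walks through the flow described in the two passages above: client-side encryption with only ciphertext in the blob store, a dataset key held by a network-side key manager and gated by the owner's policy, the enclave's attestation-for-key exchange, revocation, and an audit log of every key request. The hardware attestation is modelled as an HMAC under a root key only the "CPU" holds, a stand-in for a real TEE quote.

```python
import hashlib
import hmac
import os

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 keystream cipher so the sample runs offline; a real deployment uses an authenticated cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def measure(code: bytes) -> bytes:
    return hashlib.sha256(code).digest()  # the "code measurement" a TEE attests to

def make_quote(hw_root: bytes, measurement: bytes) -> bytes:
    # Models a hardware attestation: only a CPU holding hw_root can produce it.
    return hmac.new(hw_root, measurement, "sha256").digest()

class KeyManager:
    """Stands in for the network-held dataset keys, blob store and audit log (constructed)."""
    def __init__(self, hw_root: bytes):
        self.hw_root = hw_root  # attestation root the manager trusts
        self.keys, self.blobs, self.policy = {}, {}, {}
        self.log = []  # (dataset, measurement, outcome): the audit trail

    def upload(self, owner: str, plaintext: bytes) -> str:
        key = os.urandom(32)  # client-side key; the store sees only ciphertext
        ds_id = f"{owner}:{hashlib.sha256(key).hexdigest()[:8]}"
        self.keys[ds_id], self.blobs[ds_id] = key, xor_stream(key, plaintext)
        self.policy[ds_id] = set()  # code measurements the owner has approved
        return ds_id
    def grant(self, ds_id: str, measurement: bytes) -> None:
        self.policy[ds_id].add(measurement)
    def revoke(self, ds_id: str, measurement: bytes) -> None:
        self.policy[ds_id].discard(measurement)

    def request_key(self, ds_id: str, measurement: bytes, quote: bytes):
        # Release the key only for a genuine quote over an approved measurement.
        genuine = hmac.compare_digest(make_quote(self.hw_root, measurement), quote)
        ok = genuine and measurement in self.policy[ds_id]
        self.log.append((ds_id, measurement.hex()[:8], "released" if ok else "denied"))
        return self.keys[ds_id] if ok else None

def run_in_tee(km: KeyManager, ds_id: str, code: bytes, hw_root: bytes):
    # The enclave trades a quote over its own measurement for the key and decrypts inside the TEE.
    m = measure(code)
    key = km.request_key(ds_id, m, make_quote(hw_root, m))
    return None if key is None else xor_stream(key, km.blobs[ds_id])
```

Every request, granted or denied, lands in `km.log`, which is the property the article relies on for the audit trail.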

Related Work: Mt. Sinai Hospital and Secure Biomedical Data Sharing on Blockchain

The contact tracing app we sketched above bears similarity to a DApp for secure biomedical data sharing created by the Center for Biomedical Blockchain Research at Mt. Sinai Hospital that also uses the Oasis platform. This related work, designed before the pandemic, demonstrates the utility of health and location data sharing in a context beyond contact tracing. You can learn more about the project and the team behind it in our recent Developer Spotlight.

For more information you can reach us on the Oasis community Slack or via GitHub.
