
Too complex, misses the point #27

Open

miraculixx opened this issue Oct 14, 2020 · 4 comments

miraculixx commented Oct 14, 2020

Assessment

The proposal is well described and conclusive, technically sane vis-à-vis the requirements. However, it will require a lot of things to work out.

Too complex:

  • Event organizers need to set up their event
  • Participants must install the app
  • Participants must scan the entry code
  • Positive cases must enter the fact that they are positive vis-à-vis the specific event

Misses the point:

  • Not all infection-spreading events are organized such that there is a clear "entry point"; thus the process breaks down (e.g. a street musician that draws a crowd, Christmas markets, shopping malls etc.)

While "not difficult", these are too many variables that can go wrong/take time to adopt. Similar experience is evident with the Covid App - in theory, the app is simple to use for every participant and simple to use for health authorities, yet there are medium breaks in the process and the required hand-offs do not work well, rendering the effort not as effective as it could be in practice.

Proposal

Thus I propose a simpler approach. It is not yet well thought out in all aspects. My hope is that this is thought-provoking and taken as constructive criticism.

In a nutshell, I propose to extend the existing Covid App to record location data. Bear with me:

Approach

  • The Covid19 App is extended to continuously log location records, e.g. every 15 minutes. Only location change + duration are required (area/start/end)
  • The records are kept local to the phone and are encrypted on the device, such that lookup of location data is only possible by the app itself (hand-waving here)
  • If a positive person enters the covid code, all of their app's location data recorded for the past N days is uploaded to the server (list of tuples area/start/end), also encrypted and disassociated from the device.
  • On some interval the covid app checks all its own locations/times vis-à-vis the server's known positive location data; if there is a match, it will alert the user to get tested

Advantages

  • Uses existing app - immediately active upon app update
  • No need to set up per event records with its cumbersome process
  • No need to scan any entry codes (after all the virus does not care if someone was at an event or just happened to pass by/linger for long enough to get infected)
  • No need to educate the public on a complicated looking process

Caveats

  • Need to find a secure way to store the location data so that it is not usable for any other purpose but by the app itself (the original proposal faces the same challenge to some degree, perhaps approaches can be merged)
  • Need to convince public of the privacy preserving nature of this approach (the original proposal faces the same challenge)
  • There is a central database of sorts, however that is essentially already the case with the covid app. No part of the system however is able to identify a person, nor to identify groups of people, who attended an event or were present in a given location.

General remark

  • Privacy concerns should be mitigated at least partially by using a Swiss cloud provider instead of a US-based one
  • Location records can be made less privacy-risking by extending the area from a specific coordinate to some larger area - e.g. 100x100m. It does not seem relevant to have any more precision, as the purpose is to alert participants of a possible infection, not to identify a precise location.
  • From my POV the Covid app's main drawback is that it does not record location data. Thus this proposal could actually be used to amend that, with hindsight
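As an added illustration of the area/start/end scheme sketched in this proposal (example code, not from the issue or the CrowdNotifier project): coordinates are coarsened to roughly 100x100 m grid cells, periodic samples are collapsed into stay records, and the phone matches its own records against published positive records by cell and time overlap. The grid construction, the 15-minute minimum overlap and the two sample traces are assumptions of this example.

```python
import math
from datetime import datetime, timedelta

CELL_METRES = 100                        # 100x100 m cells, as proposed above
SAMPLE_INTERVAL = timedelta(minutes=15)  # logging interval, as proposed above
MIN_OVERLAP = timedelta(minutes=15)      # assumed: one full sampling interval of co-presence
METRES_PER_DEG_LAT = 111_320             # equirectangular approximation, adequate at city scale

def cell_for(lat, lon):
    """Coarsen a coordinate to a grid cell index so exact positions are never stored."""
    y = math.floor(lat * METRES_PER_DEG_LAT / CELL_METRES)
    x = math.floor(lon * METRES_PER_DEG_LAT * math.cos(math.radians(lat)) / CELL_METRES)
    return (x, y)

def log_visits(samples):
    """Collapse periodic (lat, lon, timestamp) samples into (cell, start, end) records."""
    visits = []
    for lat, lon, ts in samples:
        cell = cell_for(lat, lon)
        if visits and visits[-1][0] == cell and ts - visits[-1][2] <= SAMPLE_INTERVAL:
            visits[-1] = (cell, visits[-1][1], ts)   # still in the same cell: extend the stay
        else:
            visits.append((cell, ts, ts))
    return visits

def exposures(my_visits, positive_visits):
    """On-device check: same cell and a time overlap of at least MIN_OVERLAP."""
    hits = []
    for cell, s1, e1 in my_visits:
        for pcell, s2, e2 in positive_visits:
            if cell != pcell:
                continue
            start, end = max(s1, s2), min(e1, e2)
            if end - start >= MIN_OVERLAP:
                hits.append((cell, start, end))
    return hits

# Constructed sample traces (not real data): a positive case and a bystander on the same square.
T = datetime(2020, 10, 14, 12, 0)
POSITIVE_SAMPLES = [(47.36670, 8.54100, T + i * SAMPLE_INTERVAL) for i in range(4)]   # 12:00-12:45
MY_SAMPLES = [(47.36672, 8.54103, T + i * SAMPLE_INTERVAL) for i in range(2, 5)]      # 12:30-13:00
MY_SAMPLES.append((47.37800, 8.54000, T + timedelta(hours=1, minutes=30)))            # elsewhere

def demo():
    """Returns the exposure windows the bystander's phone would flag."""
    return exposures(log_visits(MY_SAMPLES), log_visits(POSITIVE_SAMPLES))

if __name__ == "__main__":
    for cell, start, end in demo():
        print(f"possible exposure in cell {cell} from {start:%H:%M} to {end:%H:%M}")
```

Note that the uploaded (cell, start, end) tuples still form an ordered trajectory even at 100 m resolution, which is the linkability concern the rest of the thread raises.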
@agreulich

I think this would be very tricky (location records) and needs support from GAEN. The nice thing about a separate app is that it will also work on older phones (iPhone 6 etc.), and people not trusting PT because of BTLE might trust that one better - after all it does not emit anything to the outside, it only receives. Nothing speaks against doing both however, adding the functions to SwissCovid AND building an app of its own, so users can choose. One technical issue on iOS in a separate app is that GAEN offers more priority to background tasks (for the regular match checks, e.g. every 2 hours) than to normal apps, and a separate app would not automatically have these privileges as well.

However, I could imagine combining both apps, SwissCovid and CrowdNotifier, to additionally support the step where a positively tested person (using both apps, or the combined one) should remember the venues she visited. Instead of or in addition to a manual interview with a health organization, venues (at least those that are willing/able to) could run a specially designed PT app at their entries that only logs EphIDs but never emits any, and ignores the 15min/2m rule, so this "venue PT app" would constantly log all it sees; it might even also display the entry QR code in combination. So, visitors leave one of their EphIDs in it with very high probability. At upload of the patient's SwissCovid code, the "venue app" will of course be warned, and then the venue organizer can become active and upload the relevant tracing QR codes himself (or do this via contacting the health organization). It might even be possible to know the presence time more precisely, if several EphIDs were recorded. Venues could also place several such smartphones with these apps at different spots. The whole thing would only supplement the manual interview and create more completeness. However, it would require this special "venue PT app" and dedicated devices.

@palmeida

Location is very difficult to anonymize, if at all possible. I think doing it in areas of 100x100m would drastically reduce the usefulness for contact tracing, especially when there's already wide community spreading, without even protecting privacy that much.

Here is an alternative, or modification: you record your location data, as in the original proposal; after you test positive for Covid, location data is uploaded to the server, but: a) you are presented with an interface to delete any locations you choose, by date, from a map; b) the upload is done through a network of distributed servers (something like Tor) and not all at once (so it's harder for the server to link your locations); c) some of your locations are randomly deleted and some new ones where you didn't go are randomly added. This last step adds some noise, but on aggregate, if a location is indeed a hotspot for spreading, it will eventually be marked as such. This can work, imperfectly, even if you don't have an app, or a phone. After you get a positive test you can go on a web site and mark the locations you remember (venues you visited, public transportation you used).

I realize this is quite vague, just leaving it here as a comment on this proposal in case someone wants to pursue the discussion.

@carmelatroncoso (Contributor)

Thanks for the suggestions and the informative discussion.

Complexity: As we mentioned in #21 and #22, we take as a starting point the existence of these apps, which are already in use in several countries without problem, and provide an alternative design.

Entry point: "Entry" is a shorthand for "arriving at the place". There is no need to have the QR code at the entrance; it can be replicated around the location where the crowd to be notified is.

Use of location: unfortunately, there exist no effective means of anonymizing location traces in a way that preserves their utility. Even using an anonymous communication network to split the traces is not effective, and it is not possible to bound the privacy guarantees obtained without having a strong impact on utility.

Moreover, location is sometimes imprecise, especially indoors, and would require extensive experimentation to demonstrate suitability (e.g., to distinguish a small meeting room within a building).
We will add these insights to the paper.

@palmeida

I agree with all your points (and you're much more of an expert on the subject, so I wouldn't argue on the technical side anyway), I'll just note that two of my points, explicitly deleting sensitive locations and adding noise, were meant to mitigate the re-identification of individuals, not prevent it.

The issue with location being imprecise is particularly important; it was also somewhat hand-waved in @miraculixx's proposal (and my comment), and it relates to issue #25. The consecutive deployment of applications that have no established measure of success can be deleterious to public trust. In my country (Portugal) there has been a lot of discussion on whether the proximity tracing app is useful at all. To be honest, I'm not convinced either way, and I wish small-scale realistic pilots (as @peterkwells proposes in issue #25) had been done to establish usefulness before deploying them country-wide. Now MDs are getting training to improve the system, which diverts their attention from other tasks, and I don't know if it's worth it. This is just to say that the fact these apps are in use in several countries without problem doesn't mean new ones, or additional features, won't meet resistance if previous functionality hasn't proven effective (yet). This is important to fight the pandemic, obviously, but also to not undermine the acceptance of future iterations of technological solutions.
