New Digital Contact Tracing app addresses privacy and security concerns

UNSW engineers have demonstrated a new digital contact tracing app as part of the prestigious IEEE International Conference on Blockchain and Cryptocurrency (ICBC).

The Did I Meet You (DIMY)* app implements a blockchain-based contact tracing protocol, which aims to improve security and increase privacy for users.

It has been showcased by a group from the School of Computer Science and Engineering in collaboration with the Cyber Security Cooperative Research Centre (CSCRC) during the ICBC Conference which ran virtually from May 3-6.

Contact tracing apps have become increasingly important in the battle against the spread of COVID-19 since they can help break the chain of human-to-human transmission of the disease by identifying people potentially exposed to confirmed cases and ensuring they are notified to take precautionary measures such as testing and self-isolation.

But concerns about privacy have deterred large numbers of the population from using such apps. For example, one survey in America indicated that 71% of respondents would refuse to put a contact tracing app on their mobile phone, citing privacy concerns.

The fully functional proof-of-concept DIMY app, developed by Dr Nadeem Ahmed, Dr Regio Michelin, Dr Wanli Xue, Guntur Dharma Putra, Wei Song, Professor Salil Kanhere and Professor Sanjay Jha at UNSW and Dr Sushmita Ruj at CSIRO’s Data61, aims to address those concerns.

Several existing privacy-preserving techniques have been integrated on the front end, while a blockchain-based back end reduces the risk of the entire system being hacked into and user data being identified.

Prof. Salil Kanhere, who also chaired the ICBC Conference organising committee, said: “We did a survey of more than 40 existing contact tracing apps and we found that a lot of them do not factor in privacy at all.

“Most of the apps keep an identifier stored in your phone of the person you came into contact with, which is a major privacy issue. Meanwhile, on the back end, there is often potential for the whole server to be hacked and that would give access to the data of everyone using the app.

“With DIMY, the very first thing we do is to protect the identity of the user by setting up a random pseudonym or ID code that does not reveal any sensitive information about the person.

“The next level of privacy comes from the implementation of a Bloom Filter, which is basically a yes-no query about whether you belong to a certain set. We add the pseudonym to a daily Bloom Filter and then actually throw that ID code away.”

With the DIMY protocol, that filter can be packaged up and used to run a daily check to determine whether a user has been in contact with somebody who tested positive for COVID. If not, the packaged information is discarded.

If a user were to test positive for COVID, the past 21 days' worth of Bloom Filters would be made available to the back end, in order to run analysis of anyone who was in contact with that person for more than 15 minutes and therefore at risk of infection.

“The back end of the DIMY system is actually a blockchain and thus virtually impossible to hack into,” said Dr Nadeem Ahmed, a senior research fellow at CSCRC. 

“The matching process is automated and if there is a match, which shows a contact with someone with COVID, the app user is notified to contact the Health Authority for testing and to start the quarantine process.”
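The daily Bloom Filter idea described above can be sketched as follows. This is an added illustration, not code from the DIMY project: the filter size, hash count, SHA-256 position derivation and the class and function names are assumptions, and only the 21-day retention figure comes from the article.

```python
import hashlib
import secrets
from collections import OrderedDict

FILTER_BITS = 8192    # assumption: filter size is not given in the article
NUM_HASHES = 3        # assumption: number of hash functions
RETENTION_DAYS = 21   # from the article: 21 days of filters are kept

class DailyBloomFilter:
    """Fixed-size bit array; stores hash positions, never the pseudonym."""
    def __init__(self):
        self.bits = bytearray(FILTER_BITS // 8)

    def _positions(self, item: bytes):
        # Derive NUM_HASHES bit positions from SHA-256 with a counter prefix.
        for i in range(NUM_HASHES):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % FILTER_BITS

    def add(self, item: bytes):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: bytes):
        # "Yes" may be a false positive; "no" is always correct.
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

class FilterStore:
    """One filter per day; filters older than RETENTION_DAYS are deleted."""
    def __init__(self):
        self.days = OrderedDict()

    def record(self, day: int, pseudonym: bytes):
        self.days.setdefault(day, DailyBloomFilter()).add(pseudonym)
        while len(self.days) > RETENTION_DAYS:
            self.days.popitem(last=False)   # drop the oldest day

    def days_matching(self, pseudonym: bytes):
        return [d for d, f in self.days.items() if pseudonym in f]

def demo():
    store = FilterStore()
    for day in range(1, 26):                 # constructed sample: 25 days
        store.record(day, secrets.token_bytes(16))   # ID is not kept anywhere
    queried = secrets.token_bytes(16)        # constructed pseudonym to look up
    store.record(25, queried)
    return store.days_matching(queried), len(store.days)

if __name__ == "__main__":
    print(demo())
```

Because only bit positions are stored, a compromised device or server holding the filters cannot list the pseudonyms that were added; the trade-off is a small false-positive rate that grows as a day's filter fills up.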

Towards Privacy-preserving Digital Contact Tracing

In addition to the DIMY demonstration, the ICBC Conference also highlighted work into Personal Data Stores led by UNSW computer science undergraduates Suebtrakul Kongruangkit and Yu Xia, supervised by Dr. Helen Paik (UNSW) and Dr. Sherry Xu (CSIRO’s Data61).

These would allow website users to store and control their own data in a location separate from online servers, giving true ownership of such information and also opening up the potential to receive a fair share of any revenue generated by usage of that data.

Other topics covered during the ICBC Conference included a panel discussion entitled ‘Transforming Industry and Society: Blockchain Beyond Cryptocurrency’, as well as a keynote speech by Professor Darrell Duffie from Stanford University regarding the ‘Global Impact of China’s Central Bank Digital Currency’.

* The work on DIMY was supported by the Cyber Security Research Centre (CSCRC), which is partially funded by the Australian Government’s Cooperative Research Centres Programme, administered by the Department of Industry, Science and Resources.