Re: COVID-19 contacts tracker (Re: a brief pondering)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I would like to offer up a solution using BLE that was open sourced
last week. The code is available on a GPLv3 license.

The project is called OpenTrace [0] and it implements a protocol
called Blue Trace - bluetrace.io [1] has the whitepaper [2] describing
it.

The protocol is designed to be able to federate authorised health
authorities. The protocol does not define what data is captured from
the user. That is entirely up to the authorised health authority to
decide/implement.

The operational reference implementation of the upstream OpenTrace is
called TraceTogether [3]. TraceTogether was rolled out here in
Singapore on 20 March 2020. TraceTogether was built by GovTech [4] -
the Singapore Government Technology Agency. One of the GovTech
engineers who helped build it, Joel Kek, speaks about it here [5].

I am helping with the OpenTrace project and one of the ideas the
community is considering is to see if it makes sense to have BlueTrace
be drafted as a RFC. Disclosure: I assisted GovTech in open sourcing
TraceTogerher as a member of the open source community.

In a nutshell, TraceTogether works by asking for the mobile phone # of
the user at initial run. That is the only detail - granted, a possible
personally identifiable information - that is captured. The phone
number is what the app sends to the health authority. Once the phone
number is sent, a SMS containing an OTP is sent and the user enters
that in to complete the registration. The user is then sent an
encrypted ID which is the identifier the phone will use. This
encrypted ID is signed by the private key of the health authority.

When similarly registered phones come within the 10m bluetooth range,
they exchange the encrypted ID, their signal strengths and a
timestamp. Should one of the users become infected and goes to the
hospital, with the permission of that user, the user will unlock the
phone and the health authority (in our case the Singapore Ministry of
Health) will extract the contact log. With that log, the MOH will
decrypt the IDs in the logs and check against their system for a
matching mobile phone number. From that moment on, the rest of the
contact tracing effort is human-led. The contact tracing will
determine things like how long ago was a contact established, how
close-by was the contact, how long was the encounter etc. Contact data
stored in the phone that is 21 days or older is automatically deleted.
The user can also opt out of the app at anytime.

Comments/criticisms welcome especially is we should even consider
drafting a proposal for a RFC. Also welcome are any and all interested
devs to make the project even more robust and privacy
enforcing/respecting.

Harish
[0] https://github.com/opentrace-community
[1] https://bluetrace.io/
[2] https://bluetrace.io/static/bluetrace_whitepaper-938063656596c104632def383eb33b3c.pdf
[3] https://www.tracetogether.gov.sg/
[4] https://tech.gov.sg/
[5] https://www.youtube.com/watch?v=638Hwg0pkX0




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux