Contact Tracing Mobile Apps for COVID-19:Privacy Considerations and Related Trade-offs

Hyunghoon Cho∗

Broad Institute of MIT and Harvard

hhcho@broadinstitute.org

Daphne Ippolito∗

University of Pennsylvania

daphnei@seas.upenn.edu

Yun William Yu∗

University of Toronto

ywyu@math.toronto.edu

Abstract

Contact tracing is an essential tool for pub-lic health officials and local communities tofight the spread of novel diseases, such as forthe COVID-19 pandemic. The Singaporeangovernment just released a mobile phone app,TraceTogether, that is designed to assist healthofficials in tracking down exposures after an in-fected individual is identified. However, thereare important privacy implications of the exis-tence of such tracking apps. Here, we analyzesome of those implications and discuss waysof ameliorating the privacy concerns withoutdecreasing usefulness to public health. Wehope in writing this document to ensure thatprivacy is a central feature of conversationssurrounding mobile contact tracing apps and toencourage community efforts to develop alter-native effective solutions with stronger privacyprotection for the users. Importantly, thoughwe discuss potential modifications, this docu-ment is not meant as a formal research paper,but instead is a response to some of the privacycharacteristics of direct contact tracing appslike TraceTogether and an early-stage Requestfor Comments to the community.

Date written: 2020-03-24

Minor correction: 2020-03-30

1 Introduction

The COVID-19 pandemic has spread like wildfireacross the globe [1]. Very few countries have man-aged to keep it well-controlled, but one of the keytools that several such countries use is contact trac-ing [2]. More specifically, whenever an individualis diagnosed with the coronavirus, every personwho had possibly been near that infected individualduring the period in which they were contagiousis contacted and told to self-quarantine for twoweeks [3]. In the early days of the virus, when

∗Authors listed alphabetically.

there were only a few cases, contact tracing couldbe done manually. With hundreds to thousands ofcases surfacing in some cities, contact tracing hasbecome much more difficult [4].

Countries have been employing a variety ofmeans to enable contact tracing. In Israel, legisla-tion was passed to allow the government to trackthe mobile-phone data of people with suspectedinfection [5]. In South Korea, the government hasmaintained a public database of known patients,including information about their age, gender, oc-cupation, and travel routes [6]. In Taiwan, medicalinstitutions were given access to patients travel his-tories [7], and authorities track phone location datafor anyone under quarantine [8]. And on March20, 2020, Singapore released an app that tracksvia Bluetooth when two app users have been inclose proximity: when a person reports they havebeen diagnosed with COVID-19, the app allows theMinistry of Health to determine anyone logged tobe near them; a human contact tracer can then callthose contacts and determine appropriate follow-upactions.

Solutions that have worked for some countriesmay not work well in other countries with differ-ent societal norms. We believe that in the UnitedStates, in particular, the aforementioned measuresare unlikely to be widely adopted. On the legal side,publicly revealing patients’ protected health infor-mation (PHI) is a violation of the federal HIPAAPrivacy Rule [9], and the Fourth Amendment barsthe government from requesting phone data with-out cause [10]. Some of these norms may be sus-pended during times of crisis—HIPAA has recentlybeen relaxed via enforcement discretion during thecrisis to allow for telemedicine [11], and a pub-lic health emergency could well be argued to be avalid cause [12]. However, many Americans arewary of sharing location and/or contact data withtech companies or the government, and any privacy

arX

iv:2

003.

1151

1v2

[cs

.CR

] 3

0 M

ar 2

020

concerns could slow adoption of the system [13].Singapore’s approach of an app, which gives in-

dividuals more control over the process, is perhapsthe most promising solution for the United States.However, while Singapore’s TraceTogether appprotects the privacy of users from each other, it hasserious privacy concerns with respect to the gov-ernment’s access to the data. In this document, wediscuss these privacy issues in more detail and intro-duce approaches for building a contact tracing ap-plication with enhanced privacy guarantees, as wellas strategies for encouraging rapid and widespreadadoption of this system. We do not make explicitrecommendations about how one should build aprivacy-preserving contact tracing app, as any de-sign implementation should first be carefully vettedby security, privacy, legal, ethics, and public healthexperts. However, we hope to show that there existoptions for preserving several different notions ofuser privacy while still fully serving public healthaims through contact tracing apps.

2 Singapore’s TraceTogether App

On March 20, 2020, the Singaporean Ministry ofHealth released the TraceTogether app for Androidand iOS [14]. It operates by exchanging tokensbetween nearby phones via a Bluetooth connec-tion. The tokens are also sent to a central server.These tokens are time-varying random strings, as-sociated with an individual for some amount oftime before they are refreshed. Should an indi-vidual be diagnosed with COVID-19, the healthofficials will ask* them to release their data on theapp, which includes a list of all the tokens the apphas received from nearby phones. Because the gov-ernment keeps a database linking tokens to phonenumbers and identities, it can resolve this list oftokens to the users who may have been exposed.

By using time-varying tokens, the app does keepthe users private from each other. A user has noway of knowing who the tokens stored in their appbelong to, except by linking them to the time thetoken was received. However, the app provideslittle to no privacy for infected individuals; afteran infected individual is compelled to release theirdata, the Singaporean government can build a listof all the other people they have been in contactwith. We will formalize these several notions ofprivacy in Section 3.

*While the health officials ask, it is a crime in Singa-pore not to assist the Ministry of Health in mapping one’smovements, so ‘ask’ is a bit of a misnomer [15].

3 Desirable Notions of Privacy

Here, we discuss three notions of privacy that arerelevant to our analysis of contact-tracing systems:(1) privacy from snoopers, (2) privacy from con-tacts, and (3) privacy from the authorities. Notethat in this document, we do not rigorously definewhat it means for information to be private, as thisis a topic better left for future works; some populardefinitions include information theoretic privacy[16], k-anonymity [17], and differential privacy[18]. Furthermore, we discuss only these threenotions of privacy to illustrate some of the short-comings of direct contact-tracing systems. Otherrecent work has presented a useful taxonomy of therisks and challenges of contact tracing apps [19].

For any contact tracing app that achieves the aimof telling individuals that they might have beenexposed to the virus, there is clearly some amountof information that has to be revealed. Even ifthe only information provided is a binary yes/noto exposure, a simple linkage attack [20] can beperformed: if the individual was only near to oneperson in the last two weeks, then there will bean obvious inference about the infection status ofthat person. The goal is of course to reduce theamount of information that can be inferred by eachof the three parties (snoopers, contacts, and theauthorities) while still achieving the public healthgoal of informing people of potential exposures tohelp slow the spread of the disease.

Of note, here we use a semi-honest model forprivacy [21], where we do not consider the pos-sibility of malicious actors polluting the databaseor sending malformed queries, but rather insteadjust analyze the privacy loss from the informationrevealed to each party. A nefarious actor could,for example, falsely claim to be infected to spreadpanic; this is not a privacy violation, though we doconsider this further in the Discussion. Alternately,when a server exposes a public API, queries can becrafted to reveal more information than intendedby the system design, which is indeed a privacyviolation. We leave a more thorough analysis ofsafeguards for the malicious model to future work.

3.1 Privacy from Snoopers

Consider the most naıve system for contact trac-ing, which no reasonable privacy-conscious societywould ever use, where the app simply broadcaststhe name and phone number of the phone’s owner,and nearby phones log this information. Then,

2

upon diagnosis of COVID-19, the government pub-lishes a public list of those infected, which the appthen checks against its list of known recent contacts.This is clearly problematic as a nefarious passiveactor (a ‘snooper’) could track the identities of peo-ple walking past them on the street.

A slightly more reasonable system would as-sign a unique user-ID to each individual, whichis instead broadcast out. This does not have quiteas many immediate security implications, thoughall it would take is a nefarious actor linking eachID to a user before one runs into the same prob-lem, which is known as a ‘linkage attack.’ Givenhow easy and common linkage attacks are, this ap-proach also provides insufficient levels of privacyfor users [22; 23].

The Singaporean app TraceTogether does better,in that it instead broadcasts random time-varyingtokens as temporary IDs. Because these tokensare random and change over time, someone scan-ning the tokens while walking down the street willnot be able to track specific users across differenttime points, as their tokens are constantly refreshed.Note that the length of time before refreshing a to-ken is an important parameter of the system (tooinfrequent and users can still be tracked, too fre-quent and the amount of tokens that need to bestored by the server could be huge), but with a rea-sonable refresh rate, the users are largely protectedagainst attacks by snoopers in public spaces.

3.2 Privacy from Contacts

Here, the term contact is defined as any individ-ual with whom a user has exchanged tokens in thecontact tracing app based on some notion of phys-ical proximity. Privacy from contacts is harder toachieve, because the information that needs to bepassed along is whether one of the individual’s con-tacts has been diagnosed with COVID-19, so someinformation has to be revealed.

The TraceTogether app gives privacy from con-tacts by instead putting trust in government authori-ties. When TraceTogether alerts a contact that theyhave been exposed to COVID-19, the informationcomes directly from the Singaporean Ministry ofHealth, and no additional information is shared (toour knowledge) that could identify the individualthat was diagnosed. Thus, TraceTogether does pro-tect users’ privacy from each other, except for whatcan be inferred based on the user’s full list of con-tacts, as the only information that is revealed to

the user is a binary exposure indicator, which is ar-guably the minimum possible information releasefor the system to be useful.

3.3 Privacy from the Authorities

Protecting the privacy of the users from the au-thorities, i.e. whoever is administering the app,whether that is a government agency or a largetech company, is also a challenging task. Clearly,in the absence of a fully decentralized peer-to-peersystem, any information sharing among phoneswith the app installed will have to be mediated bysome coordinating servers. Without any protectivemeasures (e.g. based on cryptography), the coordi-nating servers are given an inordinate amount ofknowledge.

TraceTogether does not privilege this type of pri-vacy, instead making use of relatively high trustin the government in its design. While it does notdeliberately gather more information than neces-sary to build a contact map—for example, it doesnot use GPS location information, as Bluetoothis sufficient for finding contacts—it also does nottry to hide anything from the Singaporean govern-ment. When a user is diagnosed with COVID-19and gives their list of tokens to the Ministry ofHealth, the government can retrieve the mobilenumbers of all individuals that user has been incontact with. Thus, neither the diagnosed user, northe exposed contacts, have any privacy from thegovernment.

Furthermore, because the government maintainsa database linking together time-varying tokenswith mobile numbers, they can also, in theory, trackpeople’s activities without GPS simply by placingBluetooth receivers in public places. There is noreason to disbelieve the TraceTogether team whenthey state that they do not attempt to track people’smovements directly; however, the data they havecould be employed to do so. Citizens of countriessuch as the U.S. trust authorities much less thanSingaporeans [24], so the privacy trade-offs thatSingaporeans are willing to make may not be thesame ones that Americans will accept.

4 Privacy-Enhancing Augmentations tothe TraceTogether System

Here, we discuss potential approaches to buildupon the TraceTogether model to obtain a con-tact tracing system with differing privacy char-acteristics for the users. Though important and

3

Table 1: Comparison of contact tracing systems discussed in this document with respect to privacy ofthe users in the semi-honest model and required computational infrastructure.

Privacyfromsnoopers

Privacy from contacts Privacy from authorities InfrastructurerequirementsExposed

user Diagnosed user Exposed user Diagnosed user

Trace To-gether [14] Yes Yes Yes

No. Exposurestatus and all tokensrevealed.

No. Infection status,all tokens, and allcontact tokensrevealed.

Minimal

Polling-based*

(§4.1)Yes Yes Yes† Partial. Susceptible

to linkage attacks.Partial. Susceptibleto linkage attacks.

Low. Singleserver.

Polling-based withmixing(§4.3)

Yes Yes Yes†

Almost private.Protects againstlinkage attacks bymixing tokens fromdifferent users.

Almost private.Protects againstlinkage attacks bymixing tokens fromdifferent users.

Medium.Multipleservers formixing.

Publicdatabase(§4.4)

Yes Yes

Partial. Infoleaked at timeof tokenexchange.

Yes Partial. Susceptibleto linkage attacks.

Communica-tion cost tophones ishigh.

Privatemessagingsystem(§5)

Yes Yes

Partial. Infoleaked at timeof tokenexchange. ‡

Yes Yes

High.Multipleserversperformingcrypto.

* Augmenting with random tokens does not improve privacy.† However, if contacts are malicious, and they send malformed queries (e.g. a query that includes only a single token),

the diagnosed individual only has the same privacy level as in the public database solution. Namely, there’s only partialprivacy because information is leaked through knowing the time of token exchange.‡ This information leakage might be fixable using data aggregation based on multi-key homomorphic encryption, but we

do not do so here.

highly nontrivial, various technical and engineer-ing challenges behind the exchange of Bluetoothtokens [25] are outside the scope of this document.Our abstraction is that there exists some mecha-nism for nearby phones to exchange short tokens ifthe devices come within 6 feet of each other—theestimated radius within which viral transmissionis a considerable risk [26]. We are primarily con-cerned with the construction of those tokens, andhow those tokens can be used to perform contacttracing in a privacy-preserving manner.

First, we formally describe the TraceTogethersystem. Let Alice and Bob be users of the app, andlet Grace be the government server (or other cen-tral authority). Alice generates a series of randomtokens A = {a0, a1, . . .}, one for each time inter-val, and Bob generates a similar series of tokensB = {b0, b1, . . .}, all drawn randomly from somespace {0, 1}N . They also both report their list oftokens A and B, as well as their phone numbersto Grace. At a time t, Alice and Bob encountereach other, exchanging at and bt. Alice and Bobkeep lists of contact tokens A = {a0, a1, . . .} andB = {b0, b1, . . .} respectively. These consist oftokens from every person they were exposed to;

i.e. bt ∈ A and at ∈ B because Alice and Bobexchanged tokens at time t. Five days later, Bobis diagnosed with COVID-19, and sends his listof contact tokens B, which includes at, to Grace.Grace then matches each bi to a phone number,reaches out to those individuals, including Alice,and advises them to quarantine themselves becausethey may have been exposed to the virus.

4.1 Partially Anonymizing via Polling

Instead of having Grace reach out to Alice whenBob reports that he has been diagnosed, a moreprivacy-conscious alternative is for Alice to “poll”Grace on a regular basis. In this setting, Gracemaintains the full database, and Alice asks Graceif she has been exposed. This alternative does notrequire Alice and Bob to send their phone numbersto Grace. In this setting, there are two reportingchoices for when Bob wishes to declare his diag-nosis of COVID-19. Bob can send his own tokensB to Grace, or he can send the contact tokens Bto Grace. In the former case, Alice needs to sendGrace her contact tokens A to see if any have beendiagnosed with COVID-19. In the latter case, Aliceneeds to send Grace her own tokens A to ask if any

4

of them have been published. Either way, Graceis able to inform Alice that she has been exposed,without revealing Bob’s identity. This presupposesthat Alice is Honest but Curious (semi-honest); ifAlice is malicious and crafts a malformed querycontaining only the token she exchanged with Bob,she may be able to reveal Bob’s identity.

Note that in either version of this system, indi-viduals still have privacy from snoopers and fromcontacts. However, they additionally gain someamount of privacy from authority, as Grace doesnot have their mobile numbers. Of course, Gracedoes have some ability to perform linkage attacks.If Bob publishes to Grace his own tokens B uponbeing diagnosed, and Alice queries Grace with allher contact tokens A, then Grace can attempt to linkthose sets of tokens to individuals or geographicareas; further, Grace can also monitor the sourceof Alice and Bob’s queries (i.e. IP addresses ofphones). For example, if Grace has Bluetooth sen-sors set up in public places, she can then traceAlice and Bob’s geographic movements. That kindof location trace is often sufficient to deanonymizepersonal identities [23]. Alternatively, the same istrue if Bob publishes his contact tokens to Graceand Alice queries Grace with her own tokens. Thus,there is not perfect privacy from the authorities, butstill better than in the original TraceTogether sys-tem, at the cost of potentially lower privacy for Bobin the malicious model.

4.2 Ineffectiveness of Adding SpuriousTokens for Further Anonymization

To further anonymize the polling-based systemto increase privacy from authorities, there are anumber of techniques that can be used to hide Al-ice and Bob’s identities. Let’s begin with a sim-ple approach—that doesn’t actually work—to givesome intuition before moving on to more effectiveapproaches. Consider injecting random noise byaugmenting the data with artificial tokens. When-ever Alice and Bob send information to Grace (ei-ther in the form of a diagnosis report or a query),they can augment their tokens with random ones.Note that some care has to be taken in decidingwhich distribution to draw the random tokens from.Not only should the system keep the probability ofspurious matches low, but the distributions shouldalso be designed to make inferences by Grace diffi-cult.

For example, assume that Alice and Bob sam-

ple their tokens uniformly at random from {0, 1}N ,where N is chosen to be sufficiently large that ac-cidental collisions between individuals’ tokens areunlikely. Suppose Bob sends to Grace his own to-kens B upon being diagnosed, and Alice queriesGrace with all her contact tokens A. In theory,Bob could augment his own tokens with a set ofn random tokens {ri}ni=1 drawn uniformly from{0, 1}N , and send those to Grace as well. Un-fortunately, N was chosen to prevent accidentalcollisions; this means that the probability that theadditional random tokens correspond to the tokensbroadcast by any individual is vanishing small. Butthen, there is actually little to no privacy gained.Grace can just assume that the augmented set oftokens correspond to Bob, and perform the samelinkage analysis that she would with only the cor-rect set of tokens. This does nothing but polluteGrace’s database with extra data, without affordingany real privacy gains for Bob. Similarly, Alicealso cannot obfuscate her exposure through Bobfrom Grace, because any extra tokens she sends toGrace will not change the fact that she has Bob’stoken as one of her contacts.

The root of the problem is that Grace has accessto the universe of all tokens through user queries,and so can simply filter out all of the random tokensgenerated. Thus, random noise is ineffective forhiding information from Grace.

4.3 Enhancing Anonymity by MixingDifferent Users’ Tokens

Although introducing spurious random tokens intothe system achieves little in terms of privacy, asdiscussed in the previous subsection, a slight mod-ification of this idea leads to meaningful privacyguarantees. The issue is that Grace has access tothe entire universe of tokens, as well as both ofthe sets of tokens corresponding to Alice and Bob,possibly augmented with random noise. Insteadof hiding true tokens with random noise, supposethe system includes a set of M honest-but-curiousnon-colluding “mixing” servers not controlled byGrace that aggregate data before forwarding it onto Grace.

When Bob is diagnosed with COVID-19, he par-titions the tokens he wishes to send (depending onthe setup of the system, either his own tokens, orthose of his contacts) into M groups, and sendseach group to one of the mixing servers. The mix-ing servers then combine Bob’s data with that of

5

other users diagnosed with COVID-19 before for-warding it onto Grace. Similarly, Alice does thesame thing for querying, except she also needs towait on a response from the mixing server for eachof the tokens she sends. The linkage problem thenbecomes much more difficult for Grace, becausethe valid tokens for individuals have been split up.Similarly, each mixing server only has access toa subset of the tokens corresponding to each indi-vidual, making the linkage analysis more difficultfor them. Of course, if the mixing servers collude,then the privacy reduces to that of the standardpolling-based approach.

Note that this approach can also be simulatedwithout the mixing servers by either Alice or Bobif they have access to a large number of distinctIP addresses. They can simply send their queriesand tokens with some time delay from the differentIP addresses, preventing Grace from linking all ofthem together. However, this approach may not befeasible for most users.

4.4 Public Database of Infected Users’Tokens is Efficient but Less Private

Alternatively, Grace can simply publish the entiredatabase of tokens she receives from infected in-dividuals, including the ones from Bob. If Alicesimply downloads the entire database, and locallyqueries against it, then no information about Al-ice’s identity is leaked to Grace.

This approach may seem less computationallyfeasible, especially on mobile devices. In circum-stances where the total number of people infected isnot very high, this approach works, as evidenced bythe South Korean model [6], though the approachmay fail as the epidemic reaches a peak. However,the computational and transmission cost can bepartially ameliorated by batching together Grace’sdatabase, so that Alice is not downloading the en-tire thing. For example, in the version where Bobsends his own tokens B to Grace, Alice can down-load batches corresponding to her contact tokens A.If each batch has e.g. 50 tokens, then Grace doesnot know which of those 50 tokens Alice came intocontact with.

Unfortunately, it is worth noting that this ap-proach decreases Bob’s privacy from Alice, be-cause Alice knows when she encountered the tokenBob sent; she can then limit the number of possibleindividuals who could have sent the token based onwho she was in contact with during the time she en-

countered Bob’s token. If the token she exchangedwith Bob is present in the database, she gets a hintas to the disease status of one of the individuals shewas in contact with during the token exchange.

5 Privacy from Authorities based onPrivate Messaging Systems

None of the easy-to-implement augmentation ideasgiven in Section 4 guarantee full privacy from theauthorities. At a cost of more computation, how-ever, we believe that a solution for secure contacttracing can be built using modern cryptographicprotocols. In particular, private messaging systems[27; 28; 29] and private set intersection (cardinal-ity) [30; 31; 32; 33] protocols seem especially rel-evant. The sketch we provide below is based onprivate messaging systems, though we do not claimthis to be an optimal implementation.

We will give the intuition here before going intotechnical details necessary for an effective imple-mentation. First, we replace the random tokens(at, bt) exchanged by Alice and Bob with randompublic keys (pkAt , pkBt ) from asymmetric encryp-tion schemes [34]. The matching secret keys arestored locally on each of Alice’s and Bob’s phones.Then, imagine that Grace has established a collec-tion of mailboxes, one for each public key that Al-ice and Bob exchange. Additionally, we introduceFrank and Fred. Frank forwards messages to/fromFred. Fred forwards messages to/from Grace. Theydo not tell each other the source of the messages.At fixed time points after Bob’s contact with Al-ice (up to some number of days), Bob addresses amessage to Alice encrypted using the public keyAlice gave Bob. Bob gives the message to Frank,who then forwards it on to Grace (through Fred),who puts it in Alice’s mailbox. The content of themessage is Bob’s current infection status, and thereason he sends messages at fixed time points isto prevent Frank from figuring out Bob’s infectionstatus from the fact that he is sending messages.Alice checks all of the mailboxes corresponding toher last several days worth of broadcasted publickeys. In one of the mailboxes, she then receivesand decrypts Bob’s message, and learns whethershe has been exposed to the virus. Grace cannot de-crypt the message Bob sends to Alice because it isprotected by asymmetric encryption. Furthermore,to protect Alice’s privacy, she can also access hermailboxes through Frank and Fred, who deliverthe messages in Alice’s mailboxes to her without

6

Alice

Bob

At Contact

Alice and Bobexchange public keys

Periodically After Contact

Bluetooth

Alice

Bob

Bob sends encrypted infectionstatus to Alice’s mailbox

Proxy servers obfuscatemailbox access patterns

Grace maintains mailboxes, butcannot tell Bob sent a message to Alice

GraceProxy Servers(Frank and Fred)

“I am (not) infected.”

Alice retrieves and decryptsmessages in mailbox

Server 1

Server 2

Server

Figure 1: Overview of contact tracing based on private messaging systems. When Alice and Bob are near eachother they exchange public keys as tokens. They then periodically encrypt (using each other’s public key, followedby the public keys of the proxy servers) a message indicating their infection status, and send it to the proxy server.They also periodically query the proxy server for messages posted to the mailboxes corresponding to their publickeys to find out whether they have been exposed to the virus.

revealing which mailboxes she owns.Contact tracing can be viewed as a problem of

secure communication between pairs of users whocame into contact in the physical world. The com-munication patterns of who is sending messagesto whom can reveal each individuals contact his-tory to the service provider (Grace). This notionis known as metadata privacy leakage in computersecurity [35], where the metadata associated with amessage (e.g. sender/recipient and time) is con-sidered sensitive, in addition to the actual mes-sage contents. In the contact tracing case, suchmetadata could reveal who has been in contactwith whom, potentially revealing the users’ sen-sitive activities. We believe that recent technicaladvances [36; 27; 29] for designing scalable privatemessaging systems with metadata privacy presenta promising path for developing a similar platformfor secure contact tracing.

Following recent works, our idea is to leveragea ‘mix network [37], which is a routing protocolthat uses a chain of proxy servers (Frank/Fred)that individually shuffle the incoming messagesbefore passing them onto the next server, therebydecoupling the sender of each message from itsdestination—these types of mix networks are per-haps most well-known for being the basis of theOnion Router/Tor anonymity network [38]. This is

a more sophisticated use of mixing servers than de-scribed in Section 4.3 for the polling based solution.When Bob wishes to send his encrypted messageto Alice, he first encrypts it multiple times withpublic keys corresponding to each of the serversin the mix network. Because the messages are en-crypted in multiple layers, and each server peelsonly the outermost layer, the final destination (Al-ice’s mailbox) is revealed only to the last server,and only Alice can read the content of the mes-sage (i.e. infection status). To prevent Grace fromlearning the identity associated with each mailbox,Alice can also access her mailboxes through themix network, which shuffles the traffic to decouplethe mailboxes from their owners. As long as oneof the servers is neither breached nor controlled bythe adversary, the final message cannot be linkedto a specific sender even if the adversary has fullcontrol of the rest of the network. Such a systemfor private communication could allow the users(Bob) to share their infection status with their re-cent contacts (Alice) while hiding the metadata oftheir contact patterns from the service providers.The involvement of non-government entities, suchas an academic institution or a hospital, in the mixnetwork may help increase users trust in the systemand lower the bar for adoption.

There are several remaining issues that will

7

need to be addressed for this system to be widelyadopted. First, if time-varying IDs are used, thenthe user receiving a token from a nearby personcould infer the identity of the sender based on theirtravel history; i.e. Alice might be able to infer whoBob is based on the time they exchanged the tokens,as described in Section 4.4 in the case where thedatabase is made public. This loss of privacy fromcontacts can be partially alleviated by choosing aless frequent token refresh, so that with high like-lihood, Alice cannot completely identify Bob bythe time interval. Actual implementations much de-cide on the right tradeoffs between Alice and Bob’sprivacy from eachother and authorities, as well ascontact tracing effectiveness. Another possible wayto mitigate this problem would be to aggregate themessages for Alice on the server before makingthe results available to her. The messages are en-crypted under different public keys, but it may bepossible to use multi-key homomorphic encryptionschemes [39; 40] which allow computation overciphertexts encrypted with different public keys tosum up the count of ‘infected’ messages. We deferthe details of approach to future work.

One other issue is that the volume of messagesdelivered to each user may reveal how socially ac-tive each user has been, which could be consideredsensitive by some users. Approaches to flatten thedistribution with dummy messages could allevi-ate this concern. Flattening the distribution withdummy messages may however lead to scalabilitychallenges for existing private messaging systems.Though many techniques [36; 27; 29] have beenproposed to address this challenge, further discus-sion among the stakeholders is needed to determinethe suitable trade-off between the level of latencythat can be tolerated and the level of privacy guar-antees desired by the users. Ultimately, though,private messaging systems enable provable privacyfrom the authorities while still maintaining the use-fulness of contact tracing.

6 Strategies for EncouragingWidespread Adoption

Contact tracing apps depend on the network effectand critical mass to work. Having the app go ‘vi-ral’ requires that people trust the app enough toinstall it and are enthusiastic enough to convincetheir friends to do the same. After all, app adop-tion must have a higher ‘transmission rate’ than thevirus itself in order for it to be effective. Providing

strong privacy guarantees would likely encouragevoluntary adoption. Any app needs to clearly ex-plain privacy guarantees in ways understandableby the average user, which was our motivation indescribing here the different types of privacy (fromsnoopers, contacts, and the authorities) that the appshould be able to provide to users in order to earntheir trust.

On that note, we believe it is imperative for anyapp to be open source and audited by both secu-rity professionals and privacy advocates. This isnot yet true for TraceTogether, but the app’s cre-ators do claim that they will release the source codesoon [41]. Furthermore, open sourcing allows dif-ferent countries to customize such apps for theirparticular use cases and cultural preferences.

Also, while in some countries it may be difficultto enforce a government mandate that all residentsinstall an app, it is possible to have this as a require-ment for entering certain public places. Such a prac-tice has precedence in so-called implied consentlaws, such as agreeing to field sobriety tests whengetting a driver’s license [42]. One could imaginegrocery stores, schools, and universities requiringinstalling a contact tracing app as a preconditionfor entrance. This does not stop users from unin-stalling or turning off the app off-premises, but itwould at least be useful in getting people over theinitial activation barrier of installation.

Finally, some amount of social pressure may alsoassist in reaching widespread adoption. Contacttracing apps, by design, know how many otherpeople close by have the app installed. An appcould display that number. Given this knowledge,a user may be incentivized to attempt to persuadeothers nearby to install the app, in the interest ofpublic health.

7 Discussion

In this document, we discuss ways to build an appfor contact tracing, based upon the premise thatphones can broadcast tokens to all nearby phones.Notably, we do not address the engineering behindapplying Bluetooth to enable such a feature. Nordo we address the possibility of location data col-lection for assisting epidemiologists in forecastingdisease spread [43]. We also do not discuss ap-propriate selection of token refresh interval andfrequency at which phones should poll for nearbyones, which are important factors for balancingprivacy and efficiency—stale IDs have been seen

8

to permit linkage attacks in other similar contexts[44]. Lastly, we also do not build a full model forprivacy of contact tracing, which is a delicate andeasy-to-get-wrong task that requires much morecareful research. Instead, we focus only on theprivacy implications of a dedicated contact tracingapp, in the hopes that providing sufficiently strongprivacy guarantees would assist an app in gainingthe critical mass needed to be effective.

Note that here we only discuss direct contact trac-ing using Bluetooth proximity networks, withoutusing any location data. Some indirect proposalsfor contact tracing instead simply securely log theuser’s location history, which is then given to the au-thorities if a user is diagnosed with COVID-19 [45].This approach has the benefit of not requiring net-work effects, because single individuals can tracktheir locations without needing their contacts tohave the app. The approach of logging locationhistory is inherently less private than direct con-tact tracing, but that may possibly be resolved withappropriate safeguards and redactions [45]. Fur-thermore, hybrid approaches involving both GPSdata and Bluetooth proximity networks may proveto be useful to public health officials in modellingdisease spread beyond just contact tracing [46].

We first discussed how, with just minor mod-ifications, a polling-based direct contact tracingsolution allows for some anonymity from authori-ties, which is lacking in the Singaporean Ministryof Health app TraceTogether. We believe that thismay help an app succeed in countries such as theU.S., where many citizens are loath to give toomuch data to the government.

Even the polling-based solution still reveals quitea bit of information to the authorities, who couldmake use of linkage analysis to track individualusers. However, utilizing additional mixing serversis relatively practical and does provide additionalprotection. Alternately, a system can follow theSouth Korean model of openly publishing dataabout patients diagnosed with COVID-19, tradingoff some of their privacy to enhance the privacyof individuals who are trying to determine if theyhave been exposed.

However, if we are willing to invest in additionalcomputational resources, it is possible to achieveincreased privacy from snoopers, contacts, and theauthorities, and we propose the beginnings of oneapproach using private messaging systems, whichwe hope will be further expanded upon in future

works. This is more computationally expensive,but would assure users that they do not have to giveup their privacy in order to take part in public con-tact tracing efforts. Indeed, the chief selling pointwould be that they would get additional informa-tion on their exposure without needing to trust anyindividual third party with their private location ormedical information. We believe that such a guar-antee would go a long way towards mass adoptionof a contact tracing app in the United States.

Future work remains to actually build such anapp, of course, and additional engineering, security,and policy considerations are sure to arise. For ex-ample, scalability of the data structures used in theservers may become a major issue when the num-ber of infected individuals rises. One additionalconcern which we have not addressed is that ofnefarious actors seeking to spread panic by falselyclaiming to be infected. This could be prevented byallowing only hospital workers to trigger the broad-cast of infection status, as in Singapore’s system,where the Ministry of Health directly contacts thoseexposed, though that of course trades away someof the privacy of diagnosed patients. Alternately,others have proposed cryptographic verification ofcontact events, which could perhaps be extendedto infection event broadcast without giving directaccess of tokens to the authorities [47]. However,given that some cities are already rationing testingkits and doctors’ visits to only the most seriouscases [48; 49], restricting self-reporting might re-sult in many instances of virus spread to be missed.Alternately, the system can also be designed to sep-arate self-reports from confirmed reports by simplykeeping two databases.

Our goal in writing this document is to start aconversation on (1) what kinds of privacy trade-offspeople are willing to endure for the sake of publichealth, and (2) the fact that with sufficient computa-tional resources and use of cryptographic protocols,app-based contact tracing can be accomplishedwithout completely sacrificing privacy. Becausebad early design choices can persist long after roll-out, we hope that developers and policy-makerswill give privacy considerations careful thoughtwhen designing new contact tracing apps.

Acknowledgment

We would like to thank David Rolnick, Adam Seal-fon, Noah Daniels, and Michael Wirth for helpfulcomments.

9

References[1] “Novel Coronavirus Map from HealthMap,”

March 2020. [Online]. Available: https://www.healthmap.org/covid-19/

[2] K. T. Eames and M. J. Keeling, “Contact tracing anddisease control,” Proceedings of the Royal Society ofLondon. Series B: Biological Sciences, vol. 270, no.1533, pp. 2565–2571, 2003.

[3] D. Normile, “Coronavirus cases have droppedsharply in South Korea. Whats the secret to itssuccess?” https://www.sciencemag.org/news/2020/03/coronavirus-cases-have-dropped-sharply-south-korea-whats-secret-its-success, 2020, accessed:2020-03-23.

[4] B. Chappell, “Coronavirus: Sacramento CountyGives Up On Automatic 14-Day Quarantines,”https://www.npr.org/sections/health-shots/2020/03/10/813990993/coronavirus-sacramento-county-gives-up-on-automatic-14-day-quarantines, 2020,accessed: 2020-03-23.

[5] J. Tidy, “Coronavirus: Israel enables emergencyspy powers,” BBC News, March 2020. [Online].Available: https://www.bbc.com/news/technology-51930681

[6] M. J. Kim and S. Denyer, “A travel logof the times in South Korea: Mappingthe movements of coronavirus carriers ,”The Washington Post, March 2020. [Online].Available: https://www.washingtonpost.com/world/asia pacific/coronavirus-south-korea-tracking-apps/2020/03/13/2bed568e-5fac-11ea-ac50-18701e14e06d story.html

[7] C. J. Wang, C. Y. Ng, and R. H. Brook, “Responseto COVID-19 in Taiwan: Big Data Analytics, NewTechnology, and Proactive Testing,” JAMA, 2020.

[8] Y. Lee, “Taiwan’s new ’electronic fence’for quarantines leads wave of virus mon-itoring,” March 2020. [Online]. Avail-able: https://www.reuters.com/article/us-health-coronavirus-taiwan-surveillanc-idUSKBN2170SK

[9] “HIPAA Privacy Rule,” December 2000. [On-line]. Available: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

[10] C. J. Roberts, “Carpenter v. UnitedStates,” Supreme Court of the UnitedStates, no. 16-402, 2018. [Online]. Avail-able: https://www.supremecourt.gov/opinions/17pdf/16-402 h315.pdf

[11] “Notification of Enforcement Discretion fortelehealth remote communications during theCOVID-19 nationwide public health emer-gency,” March 2020. [Online]. Available: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

[12] A. J. Jacobs, “Is state power to protect health com-patible with substantive due process rights,” AnnalsHealth L., vol. 20, p. 113, 2011.

[13] R. Prez-Pea, “Virus Hits Europe Harder ThanChina. Is That the Price of an Open Society?,” New York Times, March 2020. [Online]. Avail-able: https://www.nytimes.com/2020/03/19/world/europe/europe-china-coronavirus.html

[14] “Help speed up contact tracing with TraceTo-gether,” Singapore Government Blog, March 2020.[Online]. Available: https://www.gov.sg/article/help-speed-up-contact-tracing-with-tracetogether

[15] T. TraceTogether, “Can I say no to uploading myTraceTogether data when contacted by the Ministryof Health?” https://tracetogether.zendesk.com/hc/en-sg/articles/360044860414-Can-I-say-no-to-uploading-my-TraceTogether-data-when-contacted-by-the-Ministry-of-Health-, 2020,accessed: 2020-03-23.

[16] C. E. Shannon, “Communication theory of secrecysystems,” Bell system technical journal, vol. 28,no. 4, pp. 656–715, 1949.

[17] L. Sweeney, “k-anonymity: A model for protect-ing privacy,” International Journal of Uncertainty,Fuzziness and Knowledge-Based Systems, vol. 10,no. 05, pp. 557–570, 2002.

[18] C. Dwork, F. McSherry, K. Nissim, and A. Smith,“Calibrating noise to sensitivity in private dataanalysis,” in Theory of cryptography conference.Springer, 2006, pp. 265–284.

[19] R. Raskar, I. Schunemann, R. Barbar, K. Vil-cans, J. Gray, P. Vepakomma, S. Kapa, A. Nuzzo,R. Gupta, A. Berke et al., “Apps gone rogue: Main-taining personal privacy in an epidemic,” arXivpreprint arXiv:2003.08567, 2020.

[20] C. Dwork, A. Roth et al., “The algorithmic foun-dations of differential privacy,” Foundations andTrends® in Theoretical Computer Science, vol. 9, no.3–4, pp. 211–407, 2014.

[21] O. Goldreich, S. Micali, and A. Wigderson, “Howto solve any protocol problem,” in Proc. of STOC,1987.

[22] M. M. Merener, “Theoretical results on de-anonymization via linkage attacks,” Transactions onData Privacy, vol. 5, no. 2, pp. 377–402, 2012.

[23] M. Srivatsa and M. Hicks, “Deanonymizing mobil-ity traces: Using social network as a side-channel,”in Proceedings of the 2012 ACM conference on Com-puter and communications security, 2012, pp. 628–637.

[24] E. T. Barometer, “January 20, 2019,” 2019. [On-line]. Available: https://www.edelman.com/sites/g/files/aatuss191/files/2019-02/2019 Edelman TrustBarometer Global Report 2.pdf

10

[25] T. TraceTogether, “How does TraceTogetherwork?” https://tracetogether.zendesk.com/hc/en-sg/articles/360043543473-How-does-TraceTogether-work-, 2020, accessed: 2020-03-23.

[26] “How COVID-19 spreads,” Centers for DiseaseControl and Prevention, March 2020. [Online].Available: https://www.cdc.gov/coronavirus/2019-ncov/prepare/transmission.html

[27] J. Van Den Hooff, D. Lazar, M. Zaharia, and N. Zel-dovich, “Vuvuzela: Scalable private messaging re-sistant to traffic analysis,” in Proceedings of the 25thSymposium on Operating Systems Principles, 2015,pp. 137–152.

[28] N. Tyagi, Y. Gilad, D. Leung, M. Zaharia, andN. Zeldovich, “Stadium: A distributed metadata-private messaging system,” in Proceedings of the26th Symposium on Operating Systems Principles,2017, pp. 423–440.

[29] H. Corrigan-Gibbs, D. Boneh, and D. Mazieres,“Riposte: An anonymous messaging system han-dling millions of users,” in 2015 IEEE Symposiumon Security and Privacy. IEEE, 2015, pp. 321–338.

[30] M. J. Freedman, K. Nissim, and B. Pinkas, “Effi-cient private matching and set intersection,” in Inter-national conference on the theory and applicationsof cryptographic techniques. Springer, 2004, pp.1–19.

[31] L. Kissner and D. Song, “Privacy-preserving setoperations,” in Annual International CryptologyConference. Springer, 2005, pp. 241–257.

[32] E. De Cristofaro and G. Tsudik, “Practical privateset intersection protocols with linear complexity,” inInternational Conference on Financial Cryptogra-phy and Data Security. Springer, 2010, pp. 143–159.

[33] E. De Cristofaro, P. Gasti, and G. Tsudik, “Fast andprivate computation of cardinality of set intersectionand union,” in International Conference on Cryptol-ogy and Network Security. Springer, 2012, pp. 218–231.

[34] G. J. Simmons, “Symmetric and asymmetric en-cryption,” ACM Computing Surveys (CSUR), vol. 11,no. 4, pp. 305–330, 1979.

[35] B. Greschbach, G. Kreitz, and S. Buchegger, “Thedevil is in the metadatanew privacy challenges in de-centralised online social networks,” in 2012 IEEE In-ternational Conference on Pervasive Computing andCommunications Workshops. IEEE, 2012, pp. 333–339.

[36] A. Kwon, D. Lu, and S. Devadas, “{XRD}: Scal-able Messaging System with Cryptographic Pri-vacy,” in 17th {USENIX} Symposium on NetworkedSystems Design and Implementation ({NSDI} 20),2020, pp. 759–776.

[37] D. L. Chaum, “Untraceable electronic mail, re-turn addresses, and digital pseudonyms,” Communi-cations of the ACM, vol. 24, no. 2, pp. 84–90, 1981.

[38] M. G. Reed, P. F. Syverson, and D. M. Gold-schlag, “Anonymous connections and onion rout-ing,” IEEE Journal on Selected areas in Communi-cations, vol. 16, no. 4, pp. 482–494, 1998.

[39] A. Lopez-Alt, E. Tromer, and V. Vaikuntanathan,“On-the-fly multiparty computation on the cloud viamultikey fully homomorphic encryption,” in Pro-ceedings of the forty-fourth annual ACM symposiumon Theory of computing, 2012, pp. 1219–1234.

[40] H. Chen, W. Dai, M. Kim, and Y. Song, “Efficientmulti-key homomorphic encryption with packed ci-phertexts with application to oblivious neural net-work inference,” in Proceedings of the 2019 ACMSIGSAC Conference on Computer and Communica-tions Security, 2019, pp. 395–412.

[41] J. Zhang, “620,000 people installed TraceTogetherin 3 days, Spores open source contact tracingapp,” Mothership, March 2020. [Online]. Avail-able: https://mothership.sg/2020/03/tracetogether-installed-open-source/

[42] A. C. Wagenaar, T. S. Zobeck, G. D. Williams,and R. Hingson, “Methods used in studies of drink-drive control efforts: a meta-analysis of the litera-ture from 1960 to 1991,” Accident Analysis & Pre-vention, vol. 27, no. 3, pp. 307–316, 1995.

[43] S. Pei, S. Kandula, W. Yang, and J. Shaman,“Forecasting the spatial transmission of influenzain the United States,” Proceedings of the NationalAcademy of Sciences, vol. 115, no. 11, pp. 2752–2757, 2018.

[44] S. E. Sarma, S. A. Weis, and D. W. Engels,“RFID systems and security and privacy implica-tions,” in International Workshop on CryptographicHardware and Embedded Systems. Springer, 2002,pp. 454–469.

[45] “Private Kit: Safe Paths- Can we slow the spreadwithout giving up individual privacy?” http://safepaths.mit.edu/, 2020, accessed: 2020-03-23.

[46] “COVID Watch,” https://covid-watch.org/, 2020.

[47] J. Petrie, “Cryptographically Secure Contact Trac-ing,” March 2020.

[48] J. Dolan and B. Mejia, “L.A. County givesup on containing coronavirus, tells doctorsto skip testing of some patients,” Los Ange-les Times, March 2020. [Online]. Available:https://www.latimes.com/california/story/2020-03-20/coronavirus-county-doctors-containment-testing

[49] C. Y. Johnson and L. H. Sun, “Health officials inNew York, California restrict coronavirus testing to

11

health care workers and people who are hospital-ized,” The Philadelphia Inquirer, March 2020. [On-line]. Available: https://www.inquirer.com/health/coronavirus/coronavirus-testing-20200321.html

12