The privacy examination in the paper is structured around three "toy" pro-

tocols for the design of an app which can maximise the utility of contact tracing

information while minimising the more general risk to privacy. On this basis,

the paper proceeds to introduce eight questions against which they should be

assessed. The questions raised and the protocols proposed effectively amount to

the creation of a game with different categories of players able to make different

moves. It is therefore possible to analyse the model in terms of optimal game

design

Lawson-Tancred, Hugh

Price, H.

English

Birkbeck Institutional Research Online

BIROn - Birkbeck Institutional Research OnlineLawson-Tancred, Hugh and Price, H. (2020) COVID-19 contact tracing: 8privacy questions explored - a reply to de Montjoye et al. Birkbeck Institutefor Data Analytics, London, UK.Downloaded from: http://eprints.bbk.ac.uk/31739/Usage Guidelines:Please refer to usage guidelines at http://eprints.bbk.ac.uk/policies.html or alternativelycontact lib-eprints@bbk.ac.uk.COVID-19 contact tracing: 8 privacy questionsexplored - a reply to de Montjoye et al.Henry Price and Hugh Lawson-Tancred22 April 2020The privacy examination in the paper is structured around three ”toy” pro-tocols for the design of an app which can maximise the utility of contact tracinginformation while minimising the more general risk to privacy. On this basis,the paper proceeds to introduce eight questions against which they should beassessed. The questions raised and the protocols proposed effectively amount tothe creation of a game with different categories of players able to make differentmoves. It is therefore possible to analyse the model in terms of optimal gamedesign.***The overall purpose of the game is to maximise (pure) contact informationwhile at the same time minimising (noncontact) personal information. As atypical user, Alice should know that she has been in contact with somebody (infact Bob) without knowing that her contact is indeed Bob or indeed knowinganything else at all about Bob. Her ignorance of the latter two facts is asimportant on privacy grounds as her knowledge of the first on grounds of safety.Contact information, however, can connect with personal information in twoways. The first way is that (i) personal information is needed to establish con-tact information, and the second is that (ii) personal information can relativelyeasily be derived from contact information. The ideally designed game will en-able the exchange of contact information without such information having tobe established on the basis of any more general personal information or beingthe possible source of a derivation of such more general personal information.Contact tracing should not involve any sharing with either other users or theauthority of trajectory/social graph information (from which identification ispossible either by the authority or by the adversary).Given these overall parameters, it seems possible that both the protocolsand the questions/answers in the paper could be advantageously altered.***Firstly, in terms of the categories of player, the authority and the adversaryseemed to be relatively straightforward (though the details could perhaps be1fleshed out if any specific app were to be considered/assessed). However, theuser category of player could perhaps be supplemented with a subdivision of thenon-infected group into at risk and risk-free. Presumably non-infected users whohave been in contact with a (previously non-infected) user who has become atrisk will themselves become indirectly or secondarily at risk, and this change oftheir status might be worth notifying either to them or to the authority (in theinterests of tracking the contagious spread).***Secondly and more importantly, there is considerable scope for changing theproposed protocols in order to enable optimisation of the data flow objectives.On this basis, the first protocol needs to be amended so that the authoritydoes not reveal the entire trajectory of an infected user to all non-infected users.To avoid such undesirable disclosure, the authority has to know the trajectoriesof all users, whether infected or not. This arrangement, by which all informationis accumulated with the authority and the minimum possible disclosed to users,could be protocol 1a. It seems to be a limitation of trajectory-based apps (andtherefore a reason for preferring identifier-based apps) that with them it is notpossible to avoid disclosure of entire trajectories to either other users or theauthority (or both). A decision therefore has to be taken, on this paragraph,between dispersion and aggregation of information.This is presumably at least part of the motivation for considering identifier-based protocols; however the differences between the second and third protocolscould also be clarified further. There are two such differences. The first is thatprotocol 2 has a fixed identifier, whereas protocol 3 has a variable identifier(to use a suboptimal term). This is the more conspicuous difference, and itplays a larger part in the response to the questions. The second difference,however, is that protocol 2 also sends its full history of identifier encounters tothe authority, whereas article 3 only sends its identifier change record. In thecase of protocol 3, the authority is not able to figure out for itself the now at riskusers. So it sends the variable identifiers whose status has changed to infect.This seems to decrease the privacy of the infected users while increasing that ofthe non-infected users (both at risk and risk-free). This difference also seems tohave a material effect on the privacy vulnerability. For example, does it reduceor increase the knowledge of the authority about trajectories/social graphs ofeither group? If the authority is able to connect the varying identifiers, then itacquires a finer grained level information about the relevant users. Protocol 3 is,therefore, in effect a bet on the inability of the authority to spot the continuitiesin series of variable identifiers.There seems to be a further assumption built into protocol 3. Any informa-tion available either to the authority or to any or all users is in principle alsopotentially available to the adversary. The existing game model thus makes thefurther assumption that identifier information on mobile phones is more opento hacking than trajectory information. However, such an assumption is notimmune to challenge. It needs to be clarified what are the relative strengthsand weaknesses of the protocols with respect to the adversary.2***Thirdly, the answers to the specific questions also need to be reviewed (partlyin the light of the queries about the protocols). We now look in turn at someof the ways in which the answers to the 8 questions could be changed.Question 1. Protocol 1 obviously discloses the whole trajectory of infectedusers to the authority. The disclosure also to non-infected users can be avoided,but only at the cost of non-infected users also revealing their entire trajectoriesto the authority. This would be the move from protocol 1 to protocol 1a. Ifthere is perceived to be an inverse connection between threat status and privacyentitlement, then it would seem that this change of trajectory-based protocolwould be unfair. A larger number of users who do not constitute a threatwould see their privacy eroded in order to protect the privacy of the smallernumber who have become infected. (It should be noted that this objectionapplies irrespective of whether or not any form of blame is to be attributed tothe change to infected status (e.g. by disregarding social distancing etc).)In terms of the identifier-based protocols, the improvement provided by pro-tocol 3 over protocol 2 depends on the authority not being able to reconstructthe pseudonymous social graph across the changes of identifier. As discussedin connection with the protocols, however, it is not obvious that it will not bepossible for the authority to do that.Question 2. The same objection to the greater innocuousness of protocol 3over protocol 1 and protocol 2 arises as with question 1. Presumably if the gameis to rely on ”special measures” to ”limit the risk”, then those special measuresshould be applied at the level of the authority not the users (where they canmore easily be circumvented and less easily monitored). It could also be arguedthat reidentification by either the authority or other users automatically raisesthe risk of reidentification by the adversary.Question 3. Protocol 1 does indeed give the right answer on this question,but only at the cost of giving too much information to non-infected users. Againthe difference between protocol 2 and protocol 3 is not clear. It is a reasonablesupposition that the identities of the infected group are more sensitive thanthose of the non-infected. The former are (presumably) less numerous, but theyare more vulnerable to potential stigmatisation/vigilantism. If that assumptionis right, it would form a strong objection to protocol 1. What this suggests isthat a more nuanced distinction needs to be drawn between the type of threatposed by the authority and that posed by other users.Question 4. Protocol 1 obviously fails this test in its existing form, but thatcan be prevented by letting the authority know the trajectories of non-infectedusers (protocol 1a again). Protocol 3 seems to be definitely worse than protocol2 on this question, however it is tweaked. This reinforces the suspicion thatprotocol 3 is not preferable to protocol 2 in any respect. Given the presumablygreater practical difficulty of deploying protocol 3, this would seem to be a verysolid grounds for rejection of protocol 3 in general.Question 5. This seems to be the crucial question for the overall objectiveof the game as outlined at the start. It is not obvious how the protocols can be3structured to enable either users or the authority to gain only and exclusivelyspecific contact information without either supporting it with more general per-sonal information or creating a situation in which wider personal informationcan be triangulated from the contact information. This highlights exactly whatany privacy-secure contact tracing must achieve: the Holy Grail is pure contactinformation, uncontaminated by any noncontact personal information.Question 6. This seems to raise again the question whether concentratinginformation with users or with the authority constitutes the greater security risk.Most recent major hacks have focused on concentrations of data, suggesting themore disaggregation the better. Hacks from large numbers of dispersed usershave been less effective, so far as can be known.Question 7. It is not clear what additional protections could be made avail-able. One possibility would be some kind of time limitation of the informationor preventions on its further disclosure. Presumably this would in practice bea question about encryption rather than game design. The other obvious wayto develop such protections would be through legal/regulatory constraints, butthey would also clearly fall outside the scope of the intrinsic app-modelling gameunder consideration.Question 8. As in many other areas of data protection, the may be a trade-off between the transparency of the system and its privacy-protection and/orsecurity. It may not be possible simultaneously to optimise all three parameters.On the other hand, a possible way of at least partially squaring this circle isthat some form of blockchain might be deployed here.***This (perhaps modified) game design approach seems to offer a good basisfor a design intended to optimise the protection of the relevant moral assets.Non-infected users have an interest in learning about vulnerability-increasingcontacts, but have no right to any other information about infected users. In-fected users have a duty to maximise knowledge about their contacts, but theright not to have any further information about them disclosed. (As we haveseen, the right of the infected might outweigh that of the non-infected on thegrounds of the risk of vigilantism, whereas it might also be thought to be out-weighed because of the possible culpability of infection given the level of publicknowledge. This is clearly a value, not a pure design, issue.) The authority hasthe right (and possibly duty) to be as informed as possible about the pattern ofspread of the epidemic, but it should be prevented from acquiring (and indeedretaining) any more than the essential information about the users under itsjurisdiction. The adversary has no rights in this context and is simply a threatto be minimised.The most significant improvement to the approach proposed, in our opinion,would be to replace protocol 1 with our protocol 1a. We are agnostic as to thegeneral preference for trajectory/identifier approaches, but we suspect that withthe latter protocol 3 on balance creates a greater privacy risk than protocol 2.***4Background reading1. Ada Lovelace Institute (2020). Exit through the App Store? Ada LovelaceInstitute publications.2. De Montjoye YA, Hidalgo CA, Verleysen M, Blondel VD. Unique in thecrowd: The privacy bounds of human mobility. Scientific reports. 2013 Mar25;3:1376.3. Ferretti, L., Wymant, C., Kendall, M., Zhao, L., Nurtay, A., Bonsall,D.G. and Fraser, C., 2020. Quantifying dynamics of SARS-CoV-2 transmissionsuggests that epidemic control and avoidance is feasible through instantaneousdigital contact tracing. medRxiv.4. Google-Apple (2020). Contact Tracing: Cryptography Specification,April 20205. Privacy International (2020), ‘Bluetooth tracking and COVID-19: A techprimer’, Privacy International, March 316. PEPP-PT (2020). Pan-European Privacy Protecting Proximity Tracing:Context and Mission, PEPP-PT manifesto7. Radaelli, L., Sapiezynski, P., Houssiau, F., Shmueli, E. and de Mon-tjoye, Y.A., 2018. Quantifying surveillance in the networked age: Node-basedintrusions and group privacy. arXiv preprint arXiv:1803.09007.8. Raskar, R., Schunemann, I., Barbar, R., Vilcans, K., Gray, J., Vepakomma,P., Kapa, S., Nuzzo, A., Gupta, R., Berke, A. and Greenwood, D., 2020.Apps gone rogue: Maintaining personal privacy in an epidemic. arXiv preprintarXiv:2003.08567.9. M. Scott, L. Cerulus and L. Kayali (2020), ‘Commission tells carriers tohand over mobile data in coronavirus fight’, Politico, March 2310. Sharad, K. and Danezis, G., 2014, November. An automated socialgraph de-anonymization technique. In Proceedings of the 13th Workshop onPrivacy in the Electronic Society (pp. 47-58).11. M. Sweney and A. Hern (2020), ‘Phone location data could be used tohelp UK coronavirus effort’, The Guardian, March 1912. Troncoso, C. et al (2020). Decentralized Privacy-Preserving ProximityTracing, Github DP-3T documents, 12 April 20205

COVID-19 contact tracing: 8 privacy questions explored - a reply to de Montjoye et al

https://eprints.bbk.ac.uk/31739/1/31739.pdf

COVID-19 contact tracing: 8 privacy questions explored - a reply to de Montjoye et al

Abstract

Similar works

Full text

Available Versions

Birkbeck Institutional Research Online