Paper 2020/493
Towards Defeating Mass Surveillance and SARS-CoV-2: The Pronto-C2 Fully Decentralized Automatic Contact Tracing System
Abstract
Mass surveillance can be more easily achieved by leveraging the fear of the population and its desire to feel protected while affected by devastating events. Indeed, in such scenarios, governments can adopt exceptional measures that limit civil rights, usually receiving large support from citizens.
The COVID-19 pandemic is currently affecting the daily life of many citizens in the world. People are forced to stay home for several weeks, unemployment rates quickly increase, and uncertainty and sadness generate an impelling desire to join any government effort in order to stop the spread of the virus as soon as possible.
Following recommendations of epidemiologists, governments are proposing the use of smartphone applications to allow automatic contact tracing of citizens. Such systems can be an effective way to defeat the spread of the SARS-CoV-2 virus since they save time in identifying potentially newly infected persons who should therefore be in quarantine. This raises the natural question of whether this form of automatic contact tracing can be a subtle weapon for governments to violate privacy inside new and more sophisticated mass surveillance programs.
In order to preserve privacy and at the same time to contribute to the containment of the pandemic, several research partnerships are proposing privacy-preserving contact tracing systems where pseudonyms are updated periodically to avoid linkability attacks. A core component of such systems is Bluetooth Low Energy (BLE, for short), a technology that allows two smartphones to detect that they are in close proximity. Among such systems there are some proposals, like DP-3T, MIT-PACT, UW-PACT and the Apple&Google exposure notification system, that through a decentralized approach claim to guarantee better privacy properties compared to centralized approaches (e.g., PEPP-PT-NTK, PEPP-PT-ROBERT).
On the other hand, advocates of centralized approaches claim that centralization gives epidemiologists more useful data, thereby allowing more effective actions to be taken to defeat the virus.
Motivated by Snowden's revelations about previous attempts of governments to realize mass surveillance programs, in this paper we first analyze mass surveillance attacks that leverage weaknesses of automatic contact tracing systems. We focus in particular on the DP-3T system (although our analysis is also significant for the MIT-PACT and Apple&Google systems).
Based on recent literature and new findings, we discuss how a government can exploit the use of the DP-3T system to successfully mount privacy attacks as part of a mass surveillance program.
Interestingly, we show that privacy issues in the DP-3T system are not inherent in BLE-based contact tracing systems.
Indeed, we propose two systems named and
Note: The main results of this work appeared in the paper "Privacy and Integrity Threats in Contact Tracing Systems and Their Mitigations" published in "IEEE Internet Computing Journal", volume 27, number 2, pages 13-19, ISSN: 10897801, DOI: 10.1109/MIC.2022.3213870, while a preliminary version appeared in the proceedings of the "Workshop on Secure IT Technologies against COVID-19", ISBN: 1-891562-72-X. DOI: 10.14722/coronadef.2021.23013.
Metadata
- Available format(s)
- PDF
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. IEEE Internet Computing Journal
- DOI
- 10.1109/MIC.2022.3213870
- Keywords
- privacy, blockchain, tracing, BLE, anonymity
- Contact author(s)
- botta vin @ gmail com
- History
- 2023-05-01: last of 10 revisions
- 2020-04-28: received
- Short URL
- https://ia.cr/2020/493
- License
- CC BY
BibTeX
@misc{cryptoeprint:2020/493,
  author = {Gennaro Avitabile and Vincenzo Botta and Vincenzo Iovino and Ivan Visconti},
  title = {Towards Defeating Mass Surveillance and {SARS}-{CoV}-2: The Pronto-C2 Fully Decentralized Automatic Contact Tracing System},
  howpublished = {Cryptology {ePrint} Archive, Paper 2020/493},
  year = {2020},
  doi = {10.1109/MIC.2022.3213870},
  url = {https://eprint.iacr.org/2020/493}
}