The approach to contact tracing taken by the Apple/Google project
Approach:
- Smartphones broadcast “Rolling Proximity Identifiers” via Bluetooth Low Energy (BLE) every 200-270ms.
- Smartphones record these “Rolling Proximity Identifiers” that they detect in their environment, including when the signal was detected (but not where) and RSSI.
- These “Rolling Proximity Identifiers” are cryptographically secure and change every 10 minutes.
- The “Rolling Proximity Identifier” functionality is built into the smartphone operating system; Public Health Systems develop Apps for their regions based on this functionality.
- When an App User has tested positive for the virus (“Affected User”), their App uploads “Diagnosis Keys” and dates of possible infectiousness to a central server operated by the Public Health System.
- App Instances of other users (potentially “Exposed Users”) frequently download all Diagnosis Keys from the central server. Because of the way the keys are cryptographically related to each other, the “Rolling Proximity Identifiers” advertised by the infected person’s App Instance, which the downloading device may have recorded, can be reconstructed.
- If a match occurs, the App User may have been exposed to another App User who is infected.
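The on-device matching step described in the list above, as an added example that is not code from the specification or from Apple/Google. The derivation used here (HMAC-SHA256 over a label and the interval number, truncated to 16 bytes) is an assumption standing in for the construction in the Cryptography Specification; the function names, day number and keys are constructed for illustration.

```python
import hashlib
import hmac

INTERVALS_PER_DAY = 144  # 24 h in 10-minute steps, the rotation period given above

def rolling_id(day_key: bytes, interval: int) -> bytes:
    """16-byte identifier for one 10-minute interval (assumed derivation)."""
    msg = b"CT-RPI" + bytes([interval])  # label and encoding are assumptions
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]

def find_exposures(diagnosis_keys, observations):
    """Match downloaded keys against locally recorded identifiers.

    diagnosis_keys: iterable of (day_number, key) downloaded from the server
    observations:   iterable of (day_number, identifier, rssi) recorded locally
    Returns a sorted list of (day_number, interval, rssi); no location is used.
    """
    seen = {}
    for day, ident, rssi in observations:
        seen.setdefault((day, ident), []).append(rssi)
    hits = []
    for day, key in diagnosis_keys:
        # Re-derive every identifier the key holder broadcast that day.
        for interval in range(INTERVALS_PER_DAY):
            for rssi in seen.get((day, rolling_id(key, interval)), []):
                hits.append((day, interval, rssi))
    return sorted(hits)

def constructed_key(label: bytes) -> bytes:
    """Deterministic stand-in for a random 16-byte key (sample data only)."""
    return hashlib.sha256(label).digest()[:16]

def demo():
    day = 18370  # constructed day number
    key_a, key_b, key_c = (constructed_key(x) for x in (b"A", b"B", b"C"))
    # Constructed log of what one phone heard: user A twice, user C once.
    observations = [
        (day, rolling_id(key_a, 57), -62),
        (day, rolling_id(key_a, 58), -71),
        (day, rolling_id(key_c, 57), -55),  # C never uploads, so never matches
    ]
    # A and B tested positive and uploaded their keys for that day.
    return find_exposures([(day, key_a), (day, key_b)], observations)

if __name__ == "__main__":
    print(demo())
```

The server only ever sees the uploaded keys; the comparison against recorded identifiers happens on the downloading device, and identifiers from users who never upload stay unlinkable to any key.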
Specification:
- Contact Tracing – Framework Documentation (API)
- Contact Tracing – Bluetooth Specification
- Contact Tracing – Cryptography Specification
- Android Contact Tracing API
Known cryptographic vulnerabilities
None.
Announcements:
Commentary / analysis:
- Wired: How Apple and Google Are Enabling Covid-19 Contact-Tracing
- Mark Gurman, Bloomberg: Apple, Google Covid-19 Contact Tracing to Require Verification
- Russell Brandom, VERGE: Answering the 12 biggest questions about Apple and Google’s new coronavirus tracking project
Views from independent security researchers:
- Phillip Hallam-Baker video: Bonus edition of COVID Cryptography looking at the Apple/Google tracing application
- Sergio Caltagirone on Twitter: This is terrible. Let me tell you why.
- Moxie Marlinspike on Twitter: First look at Apple/Google contact tracing framework
- Shoshana Zuboff on Twitter: Apple/Google promise “Opt-in” “Anonymity” “Only COVID” “Disable later”… All bait and switch without law to make it so. Who decides, democracy or corporations?
- Andrew Crocker, Kurt Opsahl, and Bennett Cyphers for EFF: The Challenge of Proximity Apps For COVID-19 Contact Tracing