Coronavirus: Research team testing decentralized contact tracing

Encryption system for a secure contact tracing app

The basic principle of contact tracing is to notify contacts of infected individuals with the help of an app. Mobile phones on which the app is installed exchange constantly changing, randomly generated TCNs (temporary contact numbers) using Bluetooth technology.

These TCNs are collected locally on the devices and stored there for a limited period of around two weeks. In case of a medically confirmed diagnosis of a Covid-19 infection, the individual's contacts are anonymously notified using the contact tracing app.

The notification mechanism takes either the centralized or decentralized approach. In the centralized approach, the app uploads to a central server the TCNs of every contact person received by the infected individual's device. The server then uses the TCNs to dispatch messages with the app in order to notify the corresponding contact persons of a potential infection.

The risk of the centralized approach: All of the data are stored at a single location. As a result, there is a high risk of abuse because it becomes possible to de-anonymize and disclose personal contacts as soon as the data on the server can be accessed.

In a decentralized approach, the infected individuals release only the TCNs transmitted by their own device to a server. These TCNs are downloaded from the server by all devices where the app is installed. The check to determine whether any of these "infected" TCNs were previously received now takes place locally on the individual devices. Consequently, the only party with knowledge of possible contact with an infected individual is the contact person himself – and not the central server.

ContacTUM has been working to build on this decentralized approach and make it more secure. The cross-checking of TCNs of infected individuals against those collected on mobile phones takes place without having to load the infected individuals' TCNs onto the phones. This is possible with an encryption process known as private set intersection cardinality, which does not require information to be exchanged in plain text.

Under the ContacTUM concept, contact persons can thus be warned without their mobile phones being able to recognize the "infected" TCNs among the TCNs stored there.

"As a result, the risk scenario in which an attacker could combine the received TCNs with other information such as the date, time and location where the TCN was transmitted – which would endanger the anonymity of an infected person – is minimized to a large extent," says physicist Kilian Holzapfel.

"It's important to us to ensure that data protection standards are met by design, in other words in the programming," says Prof. Elisa Resconi. That is why Prof. Dirk Heckmann of the TUM School of Governance and Prof. Christian Djeffal of the Munich Center for Technology in Society have been involved in the project from the beginning, contributing their expertise in data protection and IT security.

To develop an app prototype based on this principle, ContacTUM is working closely with ITO, an open source consortium of around 30 international developers who are open and transparent in all of their activities.

A prototype of the app is being tested with the Android operating system. The code is publicly available. "But it will still probably be a few weeks before an absolutely secure and technically flawless app is ready for use," says Kilian Holzapfel.

To ensure that future contact tracing apps worldwide are based on the same decentralized approach to guarantee international compatibility, ContacTUM has submitted a successful qualification request for its decentralized standard to Bluetooth SIG with the express support of leading international IT firms.

In addition, ContacTUM is a member of the TCN Coalition, which was co-founded by ITO. Alongside DP-3T, TCN is one of the major collaborative groups working on a decentralized contact tracing app.

Parallel to the app design work, a team within ContacTUM, led by the physicist Prof. Stefan Schönert and the mathematician Prof. Johannes Müller, has created simulations to identify the conditions under which the app can make a real difference in slowing the spread of covid-19. Based on initial computations, the scientists believe that, for this to be achieved, at least 60 percent of the population would have to install and use the contact tracing app. Their results also showed that the contacts of an infected person's contacts would have to be notified without delay as well to break the infection chain.