How to trace a virus without surrendering our privacy

Decentralized technologies could achieve the goal without relying on trust in a centralized authority.

COVID-19 is dominating policy discussions here in Washington and abroad. Cryptocurrency policy is—rightly—not top-of-mind for folks in government at the moment. There is one area of our collective response to COVID-19, however, where the cryptocurrency community may be able to help inform policymaking: contact tracing and proof-of-immunity credentialing.

“Contact tracing” describes a technology (usually smartphones with purpose-built apps) that can track individuals and obtain a verifiable record of persons with whom they’ve recently been in close physical contact. These solutions vary as far as how invasive they are about a person’s privacy:

  1. State-run full GPS tracking and location data sharing that’s mandatory for everyone, in use in China and South Korea,
  2. A centralized list of phones (identified by phone numbers) that have been near other phones, generally by using Bluetooth to note when two phones are near each other, in use in Singapore, or
  3. Decentralized and anonymized contact tracing, described below.

Regardless of how that tracing is done, once a record is established for several persons within a potentially infected community, it can be used to limit the spread of the disease. If a tracked individual tests positive for COVID-19, the tracing technology can help authorities determine who else may be infected by analyzing their recent contacts; those contacts can be alerted and tested as well, or simply be asked to self-quarantine. If this is done rigorously, as it has been in Singapore, then perhaps it can substantially slow the spread of the disease by isolating persons who’ve been exposed from the larger population, thus preventing further spread.

Proof-of-immunity fits into a larger topic of digital identity systems. The idea here is that some fraction of the population should eventually be able to stop self-quarantining either because they can prove that they are in a region that has not had any infection and have not left that region and/or because they can prove that they’ve already had COVID-19 and have developed antibodies that prevent them from being re-infected or contagious going forward. If these persons could somehow prove to others—again probably using some app on their phones—that they are non-carriers or immune, then they could more safely return to work in an effort to get the economy functioning closer to normal again, and/or (perhaps most importantly) an immune individual could perform vital caregiving services for persons who are sick.

Both of these potential technology-based responses to COVID-19 have real promise to reduce the spread of the disease and minimize the economic fallout. Both of these technology-based responses, however, create very real risks to our privacy and freedom if they are implemented haphazardly or unscrupulously by central authorities such as governments or corporations. Therefore, if we want these technology solutions to be employed here in the U.S., and we wish to preserve what makes our country great (an open society with strong protections for civil liberties), then we should want these tools implemented in a way that maximizes individual autonomy and privacy and minimizes central control over a database of personal information.

In mainland China, mobile payments and chat (identity) apps are already in widespread use. These apps are provided, more often than not, by one of two massive corporations: WeChat by Tencent and Alipay by Alibaba Group. Both companies have openly admitted to sharing user data from their apps with China’s single-party government. That government has admitted to using this data to rank citizens, surveil dissidents, and limit the freedom of persons perceived as threats to the regime. These are also the apps that are being used in China to implement contact tracing and immunity passporting.

Open societies should be able to develop and implement similar tools that do not create such glaring liabilities for personal freedom and privacy. Several teams in the cryptocurrency and adjacent cryptography communities are working on it.

The technical details of current proposals vary and we’ll have some links below with specifics, but the common intuition driving these teams is simple: At the core of existing tools for contact tracing and digital identity are centralized servers, usually in the full control of corporations or governments who could abuse the private information recorded therein. Bitcoin has proven that a peer-to-peer network can work together to record important data (who has sent or received valuable coins) without the need to trust a central server. Newer technologies like Zcash, Monero, and Confidential Transactions (proposed for Bitcoin and deployed on sidechains such as Liquid) have proved that these decentralized databases can even be privacy-protecting for individual users. Now it may be time to use these decentralized databases to record information essential to fighting the pandemic.

With regard to contact tracing, here’s a technical analysis of two decentralized tracing protocols from Henry de Valence at the Zcash Foundation. In brief, if a citizen installs the app on her phone, it will begin to ping nearby phones using Bluetooth. If another citizen has the app and gets the ping, both phones will note a randomly generated number to “remember” the other phone. So “contact tracing” is not about the personal contacts in your phone book (people with names, phone numbers, etc.); it’s just a list of randomly generated numbers that identify phones you’ve recently been near. Then, if any user tests positive, they can alert other app users based on those random-number identifiers without needing to know the names or real-world phone numbers of anyone they’re notifying. In an earlier post, de Valence gave a brief description of how a decentralized version of contact tracing apps would allow citizens to opt in to contact tracing voluntarily:

This system can be used to implement decentralized contact tracing, by allowing users who test positive to anonymously broadcast a message to inform their past contacts of their test. Users who receive a message can make an informed judgement based on its contents. Separating the messaging problem from the contact tracing problem and allowing users (or user-agents) to make decisions of their own is significantly more flexible. For instance, a user could publish a photo of a test result with their name redacted, or reveal their identity by linking to a social media post, or post a link to some institutional verification mechanism, if one existed.

Allowing citizens to make their own decisions preserves the autonomy and individual choice inherent in open societies, and building a list of physical contacts on one’s own phone that does not include personal identifying information preserves privacy and removes the danger of having a centralized database of location information for all citizens.

As for proof-of-immunity, a decentralized identity scheme could be built from the technological fundamentals that power all of today’s cryptocurrencies. As we wrote in a 2015 report,

One way to look at Bitcoin is as a system that allows an otherwise anonymous individual to prove that they have a certain amount of funds without revealing any other personal details about themselves. The same technology could be leveraged to prove all sorts of attributes.

Bitcoin is simpler than a generalized identity tool because the attribute that needs to be proved is natively digital: it's the number of bitcoins associated with a given public address on the blockchain. It’s much more complicated to use these technologies to prove physical attributes, such as the fact that a health authority has tested you and found that you have antibodies and are immune. The technology needs to not only prove that you are the rightful holder of an immunity credential, but also that the authority that granted you the credential is genuine. These are hard problems but they may not prove insurmountable. Members of the Decentralized Identity Foundation including Microsoft Research have made substantial progress towards Decentralized Identifiers, or DIDs for short. This work could be the backbone of a future immunity passporting tool that is also opt-in and user-sovereign.

It's our duty as a community of technologists to be vigilant against the imposition of tracing and identity technologies that could, long term, jeopardize our autonomy and privacy. That approach is seemingly well underway in China, but should not be on the table here in the U.S. We have the technology to reap the benefits of credentialing and contact tracing and also protect individual privacy and autonomy. As policymakers explore their options, they should keep that in mind.