BlueTrace
BlueTrace is an open-source application protocol that facilitates digital contact tracing of users to stem the spread of the COVID-19 pandemic. Initially developed by the Singaporean Government, BlueTrace powers the contact tracing for the TraceTogether app. Australia has already adopted the protocol, and many other countries such as New Zealand are considering BlueTrace for adoption. A core principle of the protocol is the preservation of privacy and health authority co-operation.
Overview
Preservation of user privacy was one of the core considerations around which BlueTrace was designed. To achieve this, personal information is collected only once at the point of registration and is only used to contact potentially infected patients. Additionally, users can opt-out at any time, clearing all personal information and rendering any recorded data untraceable. Contact tracing is done entirely locally on a client device using Bluetooth Low Energy, storing all encounters in a contact history log chronicling encounters for the past 21 days. Users in the contact log are identified using anonymous time-shifting "temporary IDs" issued by the health authority. This means a user's identity cannot be ascertained by anyone except the health authority with which they are registered. Additionally, since temporary IDs change on a regular basis, malicious third parties cannot track users by observing log entries over time.Once a user tests positive for infection, the health authority requests the contact log. If the user chooses to share their log, it is sent to the health authority where they match the temporary ID with contact information. Health authorities are not able to access log entries about foreign users, so those entries are sent to the appropriate foreign health authority to be processed there. Once a log has been processed, the health authority contacts the user identified by the record.
Technical specification
The protocol is focused on two areas: locally logging registered users in the vicinity of a device and the transmission of the log to the operating health authority, all while preserving privacy. To achieve this, the protocol can be divided into the areas of device to device communication, and device to reporting server communication.The DDC component operates on top of the existing Bluetooth Low Energy protocol, defining how two devices acknowledge each other's presence. The DRSC component uses HTTPS to communicate a timeline of visits to a centralized server owned by a health authority once a user has tested positive for an infection. The health authority can then, using the log, notify the users who came in contact with the infected patient.
Device to reporting server communication protocol
Each app implementing the BlueTrace protocol has a corresponding central reporting server operated by a health authority. The reporting server is responsible for handling initial registration, provisioning unique user identifiers, and collecting contact logs created by the DDC part of the protocol. When the user first launches a BlueTrace app, they will be asked for their internationally formatted phone number and are assigned a static UserID. This phone number is later used if the user has registered an encounter in an infected patient's contact log.Once registered, users are provisioned Temporary IDs uniquely identifying them to other devices. Each TempID has a lifetime of 15 minutes to prevent malicious parties from performing replay attacks or tracking users over time with static unique identifiers. TempIDs are generated from a user's UserID, the TempID start time, and the TempID expiry time, which is encrypted and turned into a Base64 encoded string by the server using a secret symmetric encryption key. To ensure devices have a constant supply of TempIDs, even in an unstable network environment, TempIDs are transmitted to devices in forward dated batches. The composition of a TempID is shown below:
Once a user has been tested positive for infection, the health authority generates a PIN authenticating the user to upload their contact log to the reporting server. As part of the log, metadata about each encounter is included; the most important of which being the timestamp and health authority identifier.
The HAI identifies to which health authority the logged contact reports. If the HAI represents a foreign health authority the log entry is transmitted to the identified authority to be processed there.
Once a health authority has filtered log entries to only include home clients, they decrypt the TempID to reveal the UserID, start time, and expiry time. The start and expiry date are compared with the encounter timestamp to ensure validity, and the UserID is matched to a phone number. The health authority can then contact the phone number to inform a user of potential contact with an infected patient.
Device to device communication protocol
The DDC part of the protocol defines how two devices communicate and log their contact. Each device is in one of two states, Central or Peripheral, on a duty cycle of around 1:4, respectively.In Peripheral mode, a device advertises its presence, and in Central mode, it scans for advertising devices. Additionally, certain devices are incapable of operating in Central mode and thus operate purely in Peripheral mode. Once two devices have discovered each other, they communicate a characteristic packet containing information about themselves. The packet is formed as a JSON file, containing the device's TempID, device model, HAI, and BlueTrace protocol version.
When operating in Central mode, the device additionally sends the strength of the signal, allowing the approximate distance between the two devices to be calculated later. Below is an example Central characteristic packet:
These characteristics are then added to a local database on the device where they are stored for 21 days and can be sent to the reporting server later. The contacted device is also added to a local blacklist for two duty cycles in order to stop two devices repeatedly contacting each other, saving power and storage.
Health authority cooperation
The cooperation between separate health authorities is a core component of the BlueTrace protocol, and it is designed such that multiple authorities can work together without revealing personal information to foreign authorities with which a user is not registered. Since each authority maintains its separate encryption key and user records, a health authority can't decrypt and see a foreign user's data.To ensure log entries are sent to the correct authority, part of the DDC handshake contains a health authority identifier, a unique string assigned to registered health authorities. Once a foreign health authority's log entry is identified, the receiving health authority transmits the log entry to the foreign authority's reporting server where it is verified, and a static PseudoID is returned.
The PseudoID is a salted cryptographic hash of the UserID, designed to allow foreign health authorities to perform statistical analysis on contact logs and communicate about a specific user without revealing unnecessary personal information. Once the PseudoID is assessed to have been in close contact with the infected patient, the foreign health authority that issued the PseudoID is informed and can follow up as necessary.
Withdrawal of consent
The ability of users to withdraw consent to the use and collection of their data at any time was an important consideration in the design of the protocol. To allow this, personally identifiable information is excluded from the DDC component of the protocol. This means the only place personal information is stored is on the reporting server, where it is associated with an anonymous static UserID. This UserID is what is used for identification in the DDC part of the protocol. If a user withdraws consent, the user record is deleted from the reporting server, meaning UserIDs obtained through contact logs can no longer be matched to a phone number.Controversy
One of the largest privacy concerns raised about protocols such as BlueTrace or PEPP-PT is the usage of centralised report processing. In a centralised report processing protocol, a user must upload their entire contact log to a health authority administered server, where the health authority is then responsible for matching the log entries to contact details, ascertaining potential contact, and ultimately warning users of potential contact.Alternatively, decentralised report processing protocols, while still having a central reporting server, delegate the responsibility to process logs to clients on the network. Protocols using this approach, such as TCN and DP-3T, have the client upload a number from which encounter tokens can be derived by individual devices. Clients then check these tokens against their local contact logs to determine if they have come in contact with an infected patient. Inherent in the fact the protocol never allows the government access to contact logs, this approach has major privacy benefits. However, this method also presents some issues, primarily the lack of human in the loop reporting, leading to a higher occurrence of false positives; and potential scale issues, as some devices might become overwhelmed with a large number of reports. Decentralised reporting protocols are also less mature than their centralised counterparts.