The Core of Contact Tracing App Design: Who Owns Your Identity?

Living By Numbers

There’s a song I love called “Living By Numbers”, and it has been going round in my head over the time of this COVID-19 contact tracing debate:

So you’re living by numbers
And numbers you answer to
You can count all the numbers
You bet that someone’s counting you

They don’t want your name
Just your number

And so there is great debate on the design of the contact tracing app, and on where the UK has gone for a centralised approach to knowing you … where they give you your number and the required encryption keys, whilst in the Google/Apple approach you generate your own identifier. The difference in approaches may be subtle, but there is a fundamental issue at the foundation of this … who owns your identity?

The current UK contact tracing method starts with Grace (the government employee) defining your number, and then you stick with that. With this, Grace generates a unique ID for you (BobID), and gives you her public key and a signing key:

Bob then generates a daily key pair, and from Grace’s public key and Bob’s daily private key he creates a symmetric key to encrypt his identity. This is then sent to Grace (perhaps via Alice), with a signature created using the unique signing key that Grace sent, and he also adds his daily public key (BobPub). Grace then takes Bob’s daily public key and her own private key and can generate the same symmetric key (using an ECDH method, as we would use in key handshakes). With this she can then decrypt the message (and reveal Bob’s ID).

All of the control is with Grace … she creates Bob’s ID, and creates all of the keys that will be used to decrypt the message. She thus also defines the security of the whole system, and can share keys with others who might want to spy on Bob, or she could be breached, and where someone could easily match Bob to his identity. Grace is also a target for Eve, who wants to snoop on Bob.

In the Google/Apple approach, Bob is in complete control of his identity, and of when Grace can see him or not. Initially Bob creates his own unique ID, which Grace never gets to see. He then creates a hash of this along with the current day (Grace can never reverse this back to his unique ID). This generates his Daily Tracing Key. If he is proven to be positive for COVID-19, he will send this to Grace each day. Without this daily key, Grace will not be able to trace him. Grace, thus, can only match Bob for one day, and with his consent. He then creates a rolling ID every 10 minutes, so the maximum time Eve can trace him for is 10 minutes (whereas with the UK system, Eve can track his daily public key for one day):

When Bob switches his feed off for his daily tracing key, Grace cannot link him anymore.
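To make the decentralised flow concrete, here is an added example (my own sketch, not Google’s or Apple’s code) of the key derivation described above: a secret tracing key that only Bob holds, a one-way daily key derived from it and the day number, and a rolling ID every 10 minutes derived from the daily key. The labels `CT-DTK`/`CT-RPI`, the 16-byte truncation and the use of plain SHA-256/HMAC in place of a full KDF are assumptions made for this illustration.

```python
import hashlib
import hmac

INTERVALS_PER_DAY = 24 * 60 // 10  # a fresh rolling ID every 10 minutes


def daily_tracing_key(tracing_key: bytes, day: int) -> bytes:
    """Bob's Daily Tracing Key: a one-way hash of his secret tracing key and the
    day number. Releasing this value reveals nothing about tracing_key itself,
    and nothing about any other day's key."""
    material = b"CT-DTK" + tracing_key + day.to_bytes(4, "big")
    return hashlib.sha256(material).digest()[:16]


def rolling_id(dtk: bytes, interval: int) -> bytes:
    """The identifier Bob broadcasts during 10-minute interval `interval` of a day."""
    msg = b"CT-RPI" + interval.to_bytes(2, "big")
    return hmac.new(dtk, msg, hashlib.sha256).digest()[:16]


def ids_for_day(dtk: bytes) -> set:
    """Everything Bob broadcast on one day, reconstructable only from that day's key."""
    return {rolling_id(dtk, i) for i in range(INTERVALS_PER_DAY)}


def match_observed(released_daily_keys: dict, observed: list) -> list:
    """Grace's side: given only the daily keys Bob chose to release ({day: dtk})
    and the beacons Alice's phone recorded, return the days with a match.
    Days whose key Bob did not release can never be matched."""
    hits = []
    for day, dtk in released_daily_keys.items():
        if any(beacon in ids_for_day(dtk) for beacon in observed):
            hits.append(day)
    return sorted(hits)


def demo() -> list:
    # Constructed values: a fixed tracing key so the run is repeatable.
    tracing_key = bytes(range(32))
    # Alice's phone saw Bob at interval 17 on day 100 and interval 5 on day 101.
    observed = [
        rolling_id(daily_tracing_key(tracing_key, 100), 17),
        rolling_id(daily_tracing_key(tracing_key, 101), 5),
    ]
    # Bob consents to release day 100 only, so Grace can link him on that day alone.
    released = {100: daily_tracing_key(tracing_key, 100)}
    return match_observed(released, observed)


if __name__ == "__main__":
    print(demo())
```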

The debate on ID is just beginning. So are we just an ID that our governments allocate to us, or do we truly own our identity … we must decide … centralised or decentralised?