How blockchain can resolve the data privacy threats posed by contact tracing

By Angel Pateiro, CTO and Co-founder of Finboot & Yasmine Benjelloun Content creator at Finboot

Two of the world’s largest tech companies, Apple and Google, recently announced that they are collaborating on a COVID-19 exposure notification system to enable contact tracing - a measure that could pave the way for an exit strategy for those countries enforcing stringent lockdown measures. The capability will be added to iOS and Android at the operating-system level, so that government-run apps can later use it to detect physical proximity between phones (although the NHS has said it will use a different model).

Contact tracing, in this form, uses a smartphone app to identify and alert people who have been in contact with a person infected with coronavirus, and other health authorities are working on similar initiatives of their own.

As stated by TechCrunch, “The opt-in system uses Bluetooth to transmit a randomized and anonymous identifier to nearby devices. A user can then choose to upload their anonymized data, which is then broadcast to other devices. If a match is found (…) a user will be told that they may have been exposed to a person — whose identity is not shared — with the virus.”

The concerns

Tracking technologies have huge potential in times like these and can become powerful tools for identifying infection hotspots and understanding how the virus spreads. However, mass data collection brings privacy and security concerns with it.

Apple and Google have both stated that the system will not collect location data from users, and that the only data sent to a server will come from people who have had a positive COVID-19 diagnosis and choose to upload it. They have also asserted that the technology has an expiration date and is only intended to be used while there is a major threat to public health.

However, because this technology arrives as part of the operating system with the next “software update”, the mechanism is present on our phones whether or not we ever install a contact-tracing app. The companies describe the Bluetooth exchange as opt-in, but users have no independent way of verifying what the operating system does with the proximity records it stores: if not where we are, then who we have been near. Given how much personal information there already is in the world, how difficult is it to know everything (or almost everything) about a person?

The list of potential threats extends far beyond data exploitation (by Google, Apple or any other party involved). For instance, how can we ensure that the identity of users with COVID-19 will not be revealed? How do we know that advertisers will not get access to that information? How can we ensure that acting for the common good will not come at the cost of people’s individual rights? Making the system opt-in gives people control over their participation, but how do we make sure that only the relevant data is shared?

The blockchain solution

We believe blockchain technology could address these privacy and transparency issues. As a complementary tool to the tracking system, blockchain can further protect users’ rights and identities through encryption and anonymous identifiers.

Blockchain’s strongest benefit is arguably its transparency and immutability. When data is introduced into the blockchain platform, it is organised in blocks. Each block carries the hash of the previous block, and its own hash is computed over its contents including that previous hash, so the blocks are “linked” all the way back to the first one. Changing or deleting any record changes its block’s hash, which no longer matches the reference stored in the next block, so tampering is detectable. This is what makes the data stable: it is tamper-evident by construction, and it becomes practically immutable when the chain is replicated among participants who each verify it.

Using a blockchain-based app, users can opt for data to be shared from the devices they specify. This process creates a digital identity which can join a distributed digital ledger (blockchain) that records who has downloaded the data-sharing app. Each device would submit the anonymous identifier it broadcasts over Bluetooth (not a fixed hardware address, which would make the device trackable), and the other participants on the ledger would be able to validate that the device has opted to share and receive anonymous information. This forms the basis of consent to participate in the data sharing and the subsequent ‘tracking’ via the app.

The ledger, or blockchain, has the additional benefit of registering the time and date (a timestamp) of participation, and a user has complete visibility of which devices have opted in to the network. Because every block is hash-linked to the one before it, any alteration of an opt-in record is detectable, so the ledger acts as a ‘single source of truth’ of who opted in, searchable in a matter of seconds.

Finally, the ledger would let health authorities record a positive diagnosis against an anonymous device identifier, without holding a medical record that identifies the owner of the device. This way, everyone participating in the system could check whether they have been near a device that the network records as infected, without that device’s owner being identified.