The COVID-19 pandemics urged governments to find effective solutions to slow down the spread of the virus. Looking for possible solutions, several countries all over the world are pushing towards the adoption of smartphone apps for contact tracing. Due to various issues, it is currently unclear if such systems, in particular when they are not largely used, can significantly help to defeat the spread of the virus.
In the past months, two main approaches for digital contact tracing have been actively discussed - the so-called centralised and decentralized ones. Both systems use Bluetooth Low Energy (BLE) technology to keep track of contacts among individuals. With this technology, if someone is positive to SARS-CoV-2, people who have been in contact with him/her can be notified of such exposure and prompted to contact health authorities. In the centralized model, it is the server in charge of matching the data of infected individuals with their contacts. In the decentralized model, the matches are computed on the smartphones. Decentralized systems can benefit from the technological help provided by Apple and Google that offer an efficient decentralized functionality called “Exposure Notifications” , on modern iOS and Android smartphones.
Google-Apple Exposure Notifications (GAEN)
We give now a simplified description of GAEN. Each smartphone using GAEN generates pseudonyms and announces them through BLE. Pseudonyms rotate, therefore after a short period of time, each smartphone replaces the already announced pseudonym with a (seemingly independent) new one. Each smartphone receives pseudonyms sent by others and stores them locally. The smartphone of an infected individual communicates the announced pseudonyms to a backend server that will then prepare a signed list of infected pseudonyms. Whenever a person is detected infected, smartphones that have been physically close to the smartphone of an infected individual can detect the potential risk of contagion by accessing the signed lists distributed by the backend server and then computing a local risk scoring.
Trust issues. GAEN is not completely open source and it is not possible to verify the source code corresponding to what is actually executed on a smartphone. Moreover, GAEN is not testable/debuggable: to make a call to the functionalities of GAEN one needs to request and obtain a special authorization from Apple/Google, and this requires an endorsement from an official national Health institution. On the other hand, a few governments have decided to release all the source code related to the smartphone apps that they have developed on top of GAEN, along with the code that is supposed to run on the backend servers.
Security and privacy issues. In the past months, several advocates of decentralized systems started passionate public debates mainly remarking the possibility that the centralized approach could allow malicious governments to abuse collected data, severely violating the privacy of the users of the system. However decentralized systems like GAEN also suffer from serious privacy issues and this was originally shown by Vaudenay in the so-called Paparazzi attack . This attack enables anyone (not just the government) to trace the recent locations of infected users. To mount such an attack the adversary must install over the territory that she would like to monitor many BLE sniffers. Such devices can be cheap, small and just passive (i.e., they do not talk to the smartphones) and thus almost undetectable. This is seemingly doable at large scale by a government and in a limited way also by third parties. Notice that third parties do not have the same possibility of spying individuals in a properly designed centralized system. The Paparazzi attack has been practically implemented and simulated by Seiskari  against a generic decentralized system, even before GAEN was released. The name of the attack comes from the fact that it can be used by an attacker to disseminate to journalists’ private movements of infected people. It is easy to imagine scenarios in which the attacker is a malicious entity interested in performing surveillance of infected citizens. One might think that surveillance of infected citizens could be useful for a government to defeat the virus, however this is directly in contrast with the criticism against centralized systems.
Security issues mainly relate to the possibility that an adversary could pollute the system generating false positive alerts. There are several ways to produce such attacks, most notably the so-called Replay attacks [3,7]. Here, an adversary, who collects a pseudonym at location X where the probability to meet an infected person is high (for instance a hospital), can then broadcast at a later time (up to two hours in GAEN) those pseudonyms to users at a different location Y (for instance a stadium), and users at location Y will be notified a risk even though they have been never in contact with infected people. Recently Gennaro et al.  have shown how to use Replay attacks to compromise results of elections. Another interesting attack raising false positives in decentralized systems is the Terrorist attack proposed by Vaudenay in . Here a terrorist similarly to a Replay attack manages to spread the “infected” pseudonyms towards his targets paying through a smart contract an infected user that is happy to cash money uploading fake data to the backend server of the system.
A more detailed description of all such issues affecting contact tracing systems based on GAEN with a specific focus on SwissCovid, the system used in Switzerland, can be found in .
What about using Blockchain Technology?
Blockchain technology is a revolutionary ingredient to design systems that are transparent, and hard to abuse. They can be a natural building block for designing automatic digital contact tracing systems, showing to citizens that the system simply behaves as specified in the code of smart contracts, operating on data that are publicly available. There is a natural tension with privacy requirements, but this is one of the complications that animates research in PRIViLEDGE. The research group at University of Salerno (UNISA) has recently investigated the use of blockchain technology in contact tracing systems looking at two opposite directions.
The Bad: Terrorist Attacks against GAEN, Immuni and SwissCovid. The first direction consists of exploring the concrete realization of the Terrorist attack against GAEN contact tracing systems. In  the research group has shown that a generic smart contract with two collateral deposits can be used to build a worry-free market where infected individuals can monetize their rights to upload TEKs, and terrorists can see their TEKs published without ever getting infected or being in close proximity with infected individuals. The generic smart contract can be concretely instantiated to work in Italy polluting the contact tracing system Immuni, and in Switzerland polluting the contact tracing system SwissCovid. Moreover in  the research group has shown additional vulnerabilities of SwissCovid allowing for smart contracts with just one collateral deposit.
The Good: Pronto-B2 and Pronto-C2 Systems. The second direction consists of designing fully decentralized systems that can be realized using blockchain technology decentralizing the backend server. The result is a more transparent and publicly verifiable contact tracing system. In  the research group has presented two systems. The former, Pronto-C2, through the use of public-key cryptography enjoys strong privacy properties (e.g., privacy is preserved against Paparazzi attacks) and security properties (e.g., resilience to Replay attacks). The latter, Pronto-B2, only relying on symmetric-key cryptography, is secure against replay attacks and there is some degree of privacy preserved with respect to Paparazzi attacks. In particular, the users in Pronto-B2 cannot be traced for the periods of time in which they have been alone. Both Pronto-B2 and Pronto-C2 are based on a paradigm shift consisting in infected individuals making anonymous calls, using a blockchain as a communication channel, to individuals that were recently in their close proximity. The transparency offered by a fully decentralized solution makes more citizens willing to participate, having more chances to defeat the virus.
Unfortunately, Pronto-B2, Pronto-C2 and several other automatic contact tracing systems with better protection against Replay and Paparazzi attacks than systems using GAEN, cannot be implemented efficiently on iOS and Android. This is because Apple and Google have provided a restricted API in GAEN which allows to use BLE efficiently only to apps using their decentralized protocol. Several countries  have asked Apple and Google to be more responsible in this global fight against the pandemic providing some flexibility in terms of technical choices. Indeed, some flexibility would help both for efficacy to contain the spread of the virus and to reassure citizens obtaining therefore a larger adoption. This attempt has been unsuccessful so far.
Photo by Pixabay.
 Gennaro Avitabile, Daniele Friolo, Ivan Visconti. TEnK-U: Terrorist Attacks for Fake Exposure Notifications in Contact Tracing Systems. Cryptology ePrint Archive, Report 2020/1150, 2020.
 Gennaro Avitabile, Vincenzo Botta, Vincenzo Iovino and Ivan Visconti. Towards Defeating Mass Surveillance and SARS-CoV-2: The Pronto-C2 Fully Decentralized Automatic Contact Tracing System. Cryptology ePrint Archive, Report 2020/493, 2020.
 Serge Vaudenay. Analysis of DP3T. Cryptology ePrint Archive, Report 2020/399, 2020.
 Otto Seiskari. Contact Tracing BLE sniffer PoC, 2020.
 Apple and Google. Apple and Google’s exposure notification system, 2020.
 Rosario Gennaro, Adam Krellenstein, James Krellenstein. Exposure Notification System May Allow for Large-Scale Voter Suppression, 2020.
 Krzysztof Pietrzak. Delayed authentication: Preventing replay and relay attacks in private contact tracing. Cryptology ePrint Archive, Report 2020/418, 2020.
 “Tracing Apps for a European way out of the crisis", 2020.
 Serge Vaudenay. The Dark Side of SwissCovid, 2020.