Title
: WeTrack - a privacy focused mobile COVID-19 tracing App
Description
: Find out if you were in contact with someone who tested positive.
WeTrack uses Bluetooth LE to keep track of people you were close to. It automatically collects the ids of other users while sharing its own id with them.
When a user tests positive or shows symptoms, he/she can report the status change. A silent notification is then broadcast to all users, whose devices locally compare the newly reported case with their database of collected user ids. If the reported id is found in the database, the app informs the user that he/she might be at risk.
We think low-range BTE communication matches the COVID-19 “social distancing” requirements well: only individuals within a range of a few meters (if they stay that close together for approximately 10 to 15 minutes) are potentially subject to infection. If the WeTrack application is enabled and configured, their mobile devices can exchange health data in a fully privacy-protecting manner: the infection status information is exchanged fully anonymously and in a secured (encrypted) manner, so users can take immediate precautions.
How the system works is best explained with an example. For this example we have User A with Device A, User B with Device B and User C with Device C.
1. Every device that installs the WeTrack app generates an asymmetric key pair using elliptic curve cryptography. For this example's sake, PK_A stands for the public key of Device A and SK_A stands for the secret key of Device A. So in this step we generate PK_A, PK_B, PK_C and, respectively, SK_A, SK_B, SK_C.
2. Every device starts broadcasting its PK_* to its surroundings through Bluetooth (BT) and Bluetooth Low Energy (BTE); this is also its unique identifier.
3. When two devices (e.g. A and B) come into close contact, Device A learns PK_B and Device B learns PK_A. Besides the PK_*, both devices also store a timestamp and the geolocation where the encounter happened.
4. When User A is infected and wants to report it, Device A goes through its list of close contacts and encrypts a message with the public key of every contact. In our case, it is encrypted once with PK_B because this was the only contact. All those messages are sent to the central backend, which relays them to all devices. The messages contain the data that User A chose to share: either only the fact that an infection happened, or additionally when or even where it happened. Important: Only the reporting user decides if he/she wants to share this information.
5. Device B and Device C receive a notification from the backend telling them that new reports have arrived. Device B then tries to decrypt every message with SK_B and eventually finds out that a message was directed at him/her. Device C does the same; however, because no message was encrypted with PK_C, no message can be decrypted.
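Steps 1 to 5 as an added Node.js example (not WeTrack's own code). The page does not name an encryption scheme, so the choice of X25519 with an ephemeral sender key, HKDF-SHA256 and AES-256-GCM is an assumption, as are all function names and the sample report.

```javascript
// Added example: WeTrack-style report encryption and trial decryption.
// Assumption: X25519 + HKDF-SHA256 + AES-256-GCM (the page names no scheme).
const crypto = require('node:crypto');
const SPKI = { type: 'spki', format: 'der' }; // an X25519 SPKI key is 44 bytes

// Step 1: each device generates a key pair; the public key is its identifier.
function newDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  return { pk: publicKey.export(SPKI), sk: privateKey };
}

// ECDH shared secret -> 256-bit key, bound to both public keys via HKDF info.
function sharedKey(sk, peerPk, ephPk, recipientPk) {
  const peer = crypto.createPublicKey({ key: peerPk, ...SPKI });
  const z = crypto.diffieHellman({ privateKey: sk, publicKey: peer });
  const info = Buffer.concat([ephPk, recipientPk]);
  return Buffer.from(crypto.hkdfSync('sha256', z, Buffer.alloc(0), info, 32));
}

// Step 4: encrypt the report to one contact with a fresh ephemeral key.
function seal(recipientPk, report) {
  const eph = newDevice();
  const iv = crypto.randomBytes(12);
  const key = sharedKey(eph.sk, recipientPk, eph.pk, recipientPk);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(JSON.stringify(report), 'utf8'), c.final()]);
  return Buffer.concat([eph.pk, iv, c.getAuthTag(), body]); // no recipient id inside
}

// Step 5: trial decryption; a GCM tag mismatch means "not addressed to me".
function tryOpen(device, msg) {
  if (msg.length < 72) return null; // 44 (key) + 12 (iv) + 16 (tag)
  const ephPk = msg.subarray(0, 44), iv = msg.subarray(44, 56), tag = msg.subarray(56, 72);
  try {
    const key = sharedKey(device.sk, ephPk, ephPk, device.pk);
    const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
    d.setAuthTag(tag);
    return JSON.parse(Buffer.concat([d.update(msg.subarray(72)), d.final()]).toString('utf8'));
  } catch { return null; } // wrong key, tampered data or malformed sender key
}

const reportInfection = (contactPks, report) => contactPks.map(pk => seal(pk, report));
const checkReports = (device, relayed) => relayed.map(m => tryOpen(device, m)).filter(Boolean);

function demo() {
  const B = newDevice(), C = newDevice();
  const A = { ...newDevice(), contacts: [B.pk] }; // step 3: A only met B
  const relayed = reportInfection(A.contacts, { infected: true }); // constructed report
  return { forB: checkReports(B, relayed), forC: checkReports(C, relayed) };
}
console.log(demo());
```

The relayed blobs carry no recipient field, which is why every device has to attempt decryption of every message. The number of blobs in one report still equals the reporter's contact count, which the backend can observe.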
No personal and identifiable data will be shared with anyone.
For more information please visit http://wetrack.bponi.com where we answered many common questions, limitations, future research and implications.
We are working on this project...