Privacy-sensitive outbreak app

Since the outbreak, people far smarter than I am have been thinking about an app that can track whether or not you have come into contact with an infected patient. This post builds on two already proposed solutions: PEPP-PT and DP-3T.

Users

When the user first opens the app, the first public-private key pair is generated. It lives on the phone together with a generated UUID, and this first pair is registered under that UUID. No other information is held. At some point the key pair can roll over by providing the current private key and the new one.
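The enrolment and rollover flow above, as an added example in Go that is not code from the post, PEPP-PT or DP-3T. It assumes the key pair is Ed25519 (from the standard library), the backend's user table is an in-memory map, and "providing the current private key and the new one" is done by having the current key sign the new public key, so the backend can verify possession while the private key never leaves the phone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Enrollment is the only record the backend keeps per user: the UUID and the
// public key currently registered under it. Nothing else is stored.
type Enrollment struct {
	UUID      string
	PublicKey ed25519.PublicKey
}

// Registry stands in for the backend's user table (assumption: in-memory map).
type Registry struct {
	users map[string]Enrollment
}

func NewRegistry() *Registry { return &Registry{users: map[string]Enrollment{}} }

// newUUIDv4 builds an RFC 4122 version-4 UUID from 16 random bytes.
func newUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// Enroll runs on first app start: generate the first key pair and a UUID and
// register (UUID, public key) with the backend. The private key stays on the phone.
func (r *Registry) Enroll() (string, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	uuid, err := newUUIDv4()
	if err != nil {
		return "", nil, err
	}
	r.users[uuid] = Enrollment{UUID: uuid, PublicKey: pub}
	return uuid, priv, nil
}

// rolloverMessage is the byte string the current key signs to authorise the new
// key. The fixed label keeps a rollover signature from being reused as some
// other kind of message.
func rolloverMessage(uuid string, newPub ed25519.PublicKey) []byte {
	return append([]byte("key-rollover:"+uuid+":"), newPub...)
}

// Rollover is the phone side: make a new pair and prove possession of the
// current private key by signing the new public key with it (assumption: the
// post only says both keys are provided; signing is this example's concrete way).
func (r *Registry) Rollover(uuid string, oldPriv ed25519.PrivateKey) (ed25519.PrivateKey, error) {
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(oldPriv, rolloverMessage(uuid, newPub))
	if err := r.AcceptRollover(uuid, newPub, sig); err != nil {
		return nil, err
	}
	return newPriv, nil
}

// AcceptRollover is the backend side: verify the signature against the public
// key on file, then replace it. A request signed with any other key is refused.
func (r *Registry) AcceptRollover(uuid string, newPub ed25519.PublicKey, sig []byte) error {
	e, ok := r.users[uuid]
	if !ok {
		return errors.New("unknown uuid")
	}
	if !ed25519.Verify(e.PublicKey, rolloverMessage(uuid, newPub), sig) {
		return errors.New("rollover not signed by the current key")
	}
	e.PublicKey = newPub
	r.users[uuid] = e
	return nil
}

// CurrentKey returns the public key the backend currently has on file for a UUID.
func (r *Registry) CurrentKey(uuid string) ed25519.PublicKey { return r.users[uuid].PublicKey }

func main() {
	r := NewRegistry()
	uuid, priv, err := r.Enroll()
	if err != nil {
		panic(err)
	}
	fmt.Println("enrolled", uuid)
	if _, err := r.Rollover(uuid, priv); err != nil {
		panic(err)
	}
	fmt.Printf("rolled over; key on file now starts with %x\n", r.CurrentKey(uuid)[:4])
}
```

Because the backend only ever sees public keys and a signature, an old key that has been rolled over can no longer authorise anything, which is the property the rollover step needs.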

Connectivity

The user's phone broadcasts a WiFi AP that cannot be connected to. The BSSID is the same for every installation of the app, while the SSID is randomly generated from a nonce and the user's private key. This SSID must carry enough entropy that clashes are unlikely.
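The SSID derivation, as an added example that is not the post's own code. It assumes HMAC-SHA256 keyed with the Ed25519 private key's seed over a fresh 16-byte nonce, truncated to 24 bytes and base64url-encoded so that the result exactly fills the 32-byte SSID limit with 192 bits of entropy; the helper names (NewUserKey, NewNonce, DeriveSSID, ValidSSID) are this example's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// 802.11 limits an SSID to 32 octets; the derived SSID fills all of them.
const ssidMaxBytes = 32

// ssidBytes is how many HMAC output bytes survive into the SSID. 24 raw bytes
// base64-encode (unpadded) to exactly 32 characters, so each SSID carries
// 24*8 = 192 bits of entropy and clashes between users are negligible.
const ssidBytes = 24

// NewUserKey makes the phone's Ed25519 key pair; only the private half is needed here.
func NewUserKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// NewNonce draws the per-rotation nonce (assumption: 16 random bytes).
func NewNonce() ([]byte, error) {
	n := make([]byte, 16)
	_, err := rand.Read(n)
	return n, err
}

// DeriveSSID = base64url(HMAC-SHA256(seed, "ssid:" || nonce))[:24 bytes].
// Only the holder of the private key can produce the SSID for a given nonce;
// to anyone else the value is indistinguishable from random. (Assumption: the
// post says "based on a nonce and the private key"; HMAC over the seed is this
// example's concrete choice.)
func DeriveSSID(priv ed25519.PrivateKey, nonce []byte) string {
	mac := hmac.New(sha256.New, priv.Seed())
	mac.Write([]byte("ssid:")) // domain label: this key is also used for signing
	mac.Write(nonce)
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil)[:ssidBytes])
}

// EntropyBits reports how much randomness an SSID from DeriveSSID carries.
func EntropyBits() int { return ssidBytes * 8 }

// ValidSSID is the backend-side sanity check on a registered SSID: it must be
// exactly the length and alphabet DeriveSSID emits.
func ValidSSID(ssid string) bool {
	if len(ssid) != ssidMaxBytes {
		return false
	}
	b, err := base64.RawURLEncoding.DecodeString(ssid)
	return err == nil && len(b) == ssidBytes
}

func main() {
	priv, err := NewUserKey()
	if err != nil {
		panic(err)
	}
	for i := 0; i < 3; i++ {
		nonce, err := NewNonce()
		if err != nil {
			panic(err)
		}
		ssid := DeriveSSID(priv, nonce)
		fmt.Printf("rotation %d: %s (%d bytes, %d bits)\n", i, ssid, len(ssid), EntropyBits())
	}
}
```

Two things a reviewer would want to see here: the nonce is what makes the SSID change between rotations, so the rotation schedule is what bounds how long one SSID can be used to follow a phone; and in a production design the beacon secret should be a separate key derived from the signing key rather than the signing seed itself, so that the two uses of the key stay independent.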

When another phone sees the BSSID shared by this app, it calls an endpoint to log that this AP was seen by that user. The owner of the AP sends to an endpoint what its current AP is.

So there is a list of APs generated by users and a list of APs seen by users.

The same can be done for Bluetooth, but then it is a sighting of the specific MAC address.

No information can be gleaned from the packets. You can spoof the AP, but it will not do anything, as it cannot be linked to a known user. Copying the SSID of a currently active user would not work either, as it is already registered.

Data flow

Data flows through SSE with the backend and POST-only calls. There is no retrieval of information; the backend pushes it out over SSE. So users only upload who they saw. When someone has been flagged as infected, the backend looks up all the APs / Bluetooth MACs they saw and pushes a message over SSE to those users telling them they may have come into contact with someone.

The longer a MAC address or SSID is seen during an interval, the heavier its weighting.
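The two lists, the sighting uploads, the already-registered check from the Connectivity section, and the weighted lookup on infection from this Data flow section, as one added example in Go that is not the post's code. It assumes in-memory storage, constructed UUIDs and beacon ids, and implements "heavier weighing" as the summed length of runs of sightings with no gap longer than a chosen interval; the SSE push is represented by a map of what would be sent.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// beaconRecord is one row of the "list of generated APs": which user announced
// a given SSID (or Bluetooth MAC) and since when.
type beaconRecord struct {
	Owner string // UUID of the phone that announces the beacon
	Since time.Time
}

// sighting is one row of the "list of seen APs".
type sighting struct {
	Observer string // UUID of the phone that saw the beacon
	Beacon   string // SSID or Bluetooth MAC that was seen
	At       time.Time
}

// Exposure is what the backend would push over SSE to one contact: the weight
// grows with how long the infected phone kept seeing that contact's beacons.
type Exposure struct {
	Weight    time.Duration // summed length of runs of sightings within one interval
	Sightings int
}

// WeightSeconds is the weight as whole seconds.
func (e Exposure) WeightSeconds() int64 { return int64(e.Weight / time.Second) }

// Backend keeps both lists in memory (assumption: the post names the lists but
// not how they are stored).
type Backend struct {
	beacons   map[string]beaconRecord
	sightings []sighting
	Pushed    map[string][]Exposure // uuid -> notifications that would go out over SSE
}

func NewBackend() *Backend {
	return &Backend{beacons: map[string]beaconRecord{}, Pushed: map[string][]Exposure{}}
}

// RegisterBeacon is the POST a phone makes when it starts announcing a new
// SSID / MAC. An id that is already on the list is refused, which is why
// copying an active user's SSID does not let you pose as them.
func (b *Backend) RegisterBeacon(owner, beacon string, at time.Time) error {
	if _, taken := b.beacons[beacon]; taken {
		return errors.New("beacon already registered")
	}
	b.beacons[beacon] = beaconRecord{Owner: owner, Since: at}
	return nil
}

// ReportSighting is the POST a phone makes each time it sees the app's shared
// BSSID (recording the SSID) or an app Bluetooth MAC.
func (b *Backend) ReportSighting(observer, beacon string, at time.Time) {
	b.sightings = append(b.sightings, sighting{Observer: observer, Beacon: beacon, At: at})
}

// FlagInfected runs after a verified infection report: collect every beacon the
// infected phone saw, resolve each to its registered owner, and weight the
// contact by how long the beacon stayed in view. Unregistered (spoofed)
// beacons resolve to nobody and are dropped.
func (b *Backend) FlagInfected(infected string, interval time.Duration) map[string]Exposure {
	byBeacon := map[string][]time.Time{}
	for _, s := range b.sightings {
		if s.Observer == infected {
			byBeacon[s.Beacon] = append(byBeacon[s.Beacon], s.At)
		}
	}
	out := map[string]Exposure{}
	for beacon, times := range byBeacon {
		rec, known := b.beacons[beacon]
		if !known || rec.Owner == infected {
			continue
		}
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		e := out[rec.Owner]
		e.Sightings += len(times)
		// A run is a sequence of sightings with no gap longer than `interval`;
		// its span (first to last sighting) is what gets added to the weight.
		runStart := times[0]
		for i := 1; i < len(times); i++ {
			if times[i].Sub(times[i-1]) > interval {
				e.Weight += times[i-1].Sub(runStart)
				runStart = times[i]
			}
		}
		e.Weight += times[len(times)-1].Sub(runStart)
		out[rec.Owner] = e
	}
	for uuid, e := range out {
		b.Pushed[uuid] = append(b.Pushed[uuid], e)
	}
	return out
}

// Scenario replays a constructed morning of traffic (all UUIDs and beacon ids
// are made up for this example) and returns what FlagInfected would push.
func Scenario() map[string]Exposure {
	b := NewBackend()
	t0 := time.Date(2020, 4, 1, 9, 0, 0, 0, time.UTC)
	at := func(m int) time.Time { return t0.Add(time.Duration(m) * time.Minute) }

	_ = b.RegisterBeacon("alice", "A1", at(0))
	_ = b.RegisterBeacon("alice", "A2", at(20)) // alice rotated her SSID
	_ = b.RegisterBeacon("bob", "B1", at(0))
	_ = b.RegisterBeacon("carol", "C1", at(0))
	if err := b.RegisterBeacon("mallory", "A1", at(2)); err == nil {
		panic("duplicate SSID registration must be rejected")
	}

	// carol's phone sat next to alice for five minutes, saw her again after the
	// rotation, glimpsed bob once, and also saw an SSID nobody registered.
	for m := 1; m <= 5; m++ {
		b.ReportSighting("carol", "A1", at(m))
	}
	b.ReportSighting("carol", "A2", at(21))
	b.ReportSighting("carol", "A2", at(22))
	b.ReportSighting("carol", "B1", at(3))
	b.ReportSighting("carol", "X9", at(4))
	b.ReportSighting("carol", "X9", at(5))

	return b.FlagInfected("carol", 5*time.Minute)
}

func main() {
	for uuid, e := range Scenario() {
		fmt.Printf("notify %s: %d sightings, %ds in view\n", uuid, e.Sightings, e.WeightSeconds())
	}
}
```

As the post describes it, the lookup goes one way: the people whose beacons the infected phone saw are notified. The symmetric lookup (phones that saw the infected user's beacons) would use the same two lists with the roles swapped; the post does not describe it, so the example leaves it out.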

Flagging an infected

To flag someone as infected, medical personnel have to submit it through a form of NFC exchange so it can be signed with both keys: the one from the medical personnel and the one from the infected patient. Only then is it legitimate. No call can be spoofed, as it needs both UUIDs and then both keys to legitimately sign off on a patient being infected.
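The dual-signed infection report and its backend check, as an added example in Go that is not the post's code. It assumes Ed25519 keys, a backend table of UUID to public key with a separate set of UUIDs enrolled as medical personnel, and a message layout (both UUIDs plus the day of the diagnosis under a fixed label) that both phones sign over NFC; the type and helper names are this example's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// InfectionReport is the result of the NFC exchange between the two phones:
// both UUIDs, the day of the diagnosis, and one signature from each party over
// the same message.
type InfectionReport struct {
	PatientUUID string
	MedicUUID   string
	Day         string // ISO date; scopes the report so it cannot be replayed later (assumption)
	PatientSig  []byte
	MedicSig    []byte
}

// message is the exact byte string both parties sign. The fixed prefix keeps it
// distinct from anything else the keys might sign (for example a key rollover).
func (r InfectionReport) message() []byte {
	return []byte("infected:" + r.PatientUUID + ":" + r.MedicUUID + ":" + r.Day)
}

// Directory stands in for the backend's UUID -> public key table plus the set of
// UUIDs enrolled as medical personnel (assumption: the backend can tell a
// medic's key from a patient's, otherwise any two users could flag each other).
type Directory struct {
	keys   map[string]ed25519.PublicKey
	medics map[string]bool
}

func NewDirectory() *Directory {
	return &Directory{keys: map[string]ed25519.PublicKey{}, medics: map[string]bool{}}
}

func (d *Directory) Enroll(uuid string, pub ed25519.PublicKey, medic bool) {
	d.keys[uuid] = pub
	if medic {
		d.medics[uuid] = true
	}
}

// GenKey makes a fresh Ed25519 key pair for a phone.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignReport is what happens over NFC: each phone signs the same message with
// its own private key, which never leaves that phone.
func SignReport(patientUUID, medicUUID, day string, patientPriv, medicPriv ed25519.PrivateKey) InfectionReport {
	r := InfectionReport{PatientUUID: patientUUID, MedicUUID: medicUUID, Day: day}
	m := r.message()
	r.PatientSig = ed25519.Sign(patientPriv, m)
	r.MedicSig = ed25519.Sign(medicPriv, m)
	return r
}

// Verify is the backend check before anyone is flagged: both UUIDs known, the
// medic UUID really is enrolled as a medic, and both signatures verify under
// the keys on file. Any single failure rejects the whole report.
func (d *Directory) Verify(r InfectionReport) error {
	patientKey, ok := d.keys[r.PatientUUID]
	if !ok {
		return errors.New("unknown patient uuid")
	}
	medicKey, ok := d.keys[r.MedicUUID]
	if !ok || !d.medics[r.MedicUUID] {
		return errors.New("medic uuid not enrolled as medical personnel")
	}
	m := r.message()
	if !ed25519.Verify(patientKey, m, r.PatientSig) {
		return errors.New("patient signature invalid")
	}
	if !ed25519.Verify(medicKey, m, r.MedicSig) {
		return errors.New("medic signature invalid")
	}
	return nil
}

func main() {
	d := NewDirectory()
	patientPub, patientPriv := GenKey()
	medicPub, medicPriv := GenKey()
	d.Enroll("patient-uuid", patientPub, false)
	d.Enroll("medic-uuid", medicPub, true)
	r := SignReport("patient-uuid", "medic-uuid", "2020-04-01", patientPriv, medicPriv)
	fmt.Println("valid report:", d.Verify(r))
	r.PatientUUID = "someone-else" // tampering after signing breaks both signatures
	fmt.Println("tampered report:", d.Verify(r))
}
```

The check that the medic UUID is enrolled as medical personnel is the part the post leaves implicit: two signatures alone only prove that two enrolled users agreed, so the backend has to know which keys belong to medics.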

No location is tracked. No identifiable information is held. No information can be recorded and used in a meaningful way. Only by targeting and following an individual around for a long time could you determine who they are on the grid, and even then you get no data from it.

#thoughts