BlueTrace
BlueTrace is an open-source application protocol that facilitates digital contact tracing of users to stem the spread of the COVID-19 pandemic.[2] Initially developed by the Singaporean Government, BlueTrace powers the contact tracing for the TraceTogether app.[3][4] Australia and the United Arab Emirates have already adopted the protocol in their government apps,[5][6][7] and other countries were considering BlueTrace for adoption.[8][9] A principle of the protocol is the preservation of privacy and health authority co-operation.[10]
Overview
Preservation of user privacy was one of the core considerations around which BlueTrace was designed. To achieve this, personal information is collected only once, at the point of registration, and is only used to contact potentially infected patients. Additionally, users can opt out at any time, clearing all personal information and rendering any recorded data untraceable. Contact tracing is done entirely locally on a client device using Bluetooth Low Energy, storing all encounters from the past 21 days in a contact history log. Users in the contact log are identified using anonymous, time-shifting "temporary IDs" issued by the health authority. This means a user's identity cannot be ascertained by anyone except the health authority with which they are registered. Additionally, since temporary IDs change on a regular basis, malicious third parties cannot track users by observing log entries over time.
Once a user tests positive for infection, the health authority requests the contact log. If the user chooses to share their log, it is sent to the health authority where they match the temporary ID with contact information. Health authorities are not able to access log entries about foreign users, so those entries are sent to the appropriate foreign health authority to be processed there. Once a log has been processed, the health authority contacts the user identified by the record.
Withdrawal of consent
The ability of users to withdraw consent to the use and collection of their data at any time was an important consideration in the design of the protocol.[10]: section 3, point 4 To allow this, personally identifiable information is excluded from the DDC component of the protocol. This means the only place personal information is stored is on the reporting server, where it is associated with an anonymous static UserID. This UserID (encrypted in a TempID) is what is used for identification in the DDC part of the protocol. If a user withdraws consent, the user record is deleted from the reporting server, meaning UserIDs obtained through contact logs can no longer be matched to a phone number.
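The identifier flow described in the Overview and in this section, as an added, constructed model rather than code from BlueTrace or TraceTogether: the health authority issues time-shifting TempIDs that encrypt a static UserID together with a validity window, phones log only the TempIDs they hear, and only the authority can open a log entry and look up a phone number. Withdrawing consent deletes the registry record, so an opened UserID no longer matches anything. The cipher (a stdlib HMAC-SHA256 keystream with an HMAC tag), the 15-minute rotation interval and the registry layout are assumptions made for this illustration, not details taken from the protocol specification.

```python
"""Toy model of BlueTrace's identifier flow (constructed illustration, not the
protocol's own code).  Encryption is a stdlib encrypt-then-MAC construction;
the real protocol's cipher choice is not assumed here."""
import base64
import hashlib
import hmac
import secrets
import struct

TEMPID_LIFETIME = 15 * 60          # assumed rotation interval (seconds)
LOG_RETENTION = 21 * 24 * 3600     # 21 days, as stated on the page


def _keystream(key, nonce, n):
    """Deterministic keystream: HMAC-SHA256(key, nonce || counter), concatenated."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class HealthAuthority:
    """Holds the only copy of personal data (UserID -> phone) and the TempID keys."""

    def __init__(self):
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)
        self.registry = {}  # static anonymous UserID -> phone number

    def register(self, phone):
        user_id = secrets.token_bytes(8)
        self.registry[user_id] = phone
        return user_id

    def withdraw(self, user_id):
        # Consent withdrawal: the record is gone, log entries become unmatchable.
        self.registry.pop(user_id, None)

    def issue_tempids(self, user_id, start, count):
        """Batch of TempIDs, each encrypting (UserID, valid_from, valid_to)."""
        ids = []
        for i in range(count):
            s = start + i * TEMPID_LIFETIME
            plain = user_id + struct.pack(">II", s, s + TEMPID_LIFETIME)
            nonce = secrets.token_bytes(16)
            ct = bytes(a ^ b for a, b in zip(plain, _keystream(self.enc_key, nonce, len(plain))))
            tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:16]
            ids.append(base64.b64encode(nonce + ct + tag).decode())
        return ids

    def open_tempid(self, tempid):
        """Authority-only: verify the tag and recover (UserID, (start, end)); None if tampered."""
        raw = base64.b64decode(tempid)
        nonce, ct, tag = raw[:16], raw[16:-16], raw[-16:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            return None
        plain = bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct))))
        return plain[:8], struct.unpack(">II", plain[8:])

    def process_log(self, log, now):
        """Match an uploaded contact log to phone numbers of users still registered."""
        phones = set()
        for tempid, seen_at in log:
            if now - seen_at > LOG_RETENTION:      # outside the 21-day window
                continue
            opened = self.open_tempid(tempid)
            if opened is None:                     # forged or corrupted entry
                continue
            user_id, (valid_from, valid_to) = opened
            if not valid_from <= seen_at < valid_to:  # TempID was not valid when heard
                continue
            phone = self.registry.get(user_id)     # None once consent is withdrawn
            if phone:
                phones.add(phone)
        return phones


class Phone:
    """Client side: broadcasts the current TempID and logs what it hears."""

    def __init__(self, tempids, start):
        self.tempids, self.start, self.log = tempids, start, []

    def current_tempid(self, now):
        return self.tempids[(now - self.start) // TEMPID_LIFETIME]

    def hear(self, other, now):
        self.log.append((other.current_tempid(now), now))


def demo():
    ha, t0 = HealthAuthority(), 1_600_000_000
    alice, bob, carol = (ha.register(p) for p in ("+65-0001", "+65-0002", "+65-0003"))
    pa, pb, pc = (Phone(ha.issue_tempids(u, t0, 96), t0) for u in (alice, bob, carol))
    pa.hear(pb, t0 + 100)              # Alice meets Bob shortly after t0
    pa.hear(pc, t0 + 20 * 3600)        # and Carol 20 hours later
    before = ha.process_log(pa.log, t0 + 24 * 3600)   # Alice tests positive, uploads log
    ha.withdraw(carol)                                # Carol withdraws consent
    after = ha.process_log(pa.log, t0 + 24 * 3600)    # same log, Carol no longer matchable
    return before, after
```

The log itself carries no phone numbers and no stable identifier: two encounters with the same person in different rotation windows produce unrelated entries, so an observer holding only the log cannot link them, while the authority can still open each entry for as long as the user's registry record exists.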
Controversy
One of the largest privacy concerns raised about protocols such as BlueTrace or PEPP-PT is the usage of centralised report processing.[12][13][14][15][16][17] In a centralised report processing protocol, a user must upload their entire contact log to a health authority administered server, where the health authority is then responsible for matching the log entries to contact details, ascertaining potential contact, and ultimately warning users of potential contact.[18]
Alternatively, decentralised report processing protocols, while still having a central reporting server, delegate the responsibility to process logs to clients on the network. Protocols using this approach, such as TCN and DP-3T, have the client upload a number from which encounter tokens can be derived by individual devices. Clients then check these tokens against their local contact logs to determine if they have come in contact with an infected patient.[19] Because the protocol never gives the government access to contact logs, this approach has major privacy benefits. However, this method also presents some issues, primarily the lack of human-in-the-loop reporting, leading to a higher occurrence of false positives;[18] and potential scale issues, as some devices might become overwhelmed with a large number of reports. Decentralised reporting protocols are also less mature than their centralised counterparts.[20][21][22]
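The decentralised pattern this paragraph contrasts with BlueTrace, as an added, constructed illustration rather than the actual TCN or DP-3T construction: an infected user's phone uploads only a per-day seed, every other phone re-derives that seed's encounter tokens locally and compares them with its own log, and the server never sees a contact log. The HMAC-SHA256 token derivation, the 96-tokens-per-day rotation and the `work` counter are assumptions made to show the privacy property and the per-device cost that grows with the number of published reports.

```python
"""Constructed model of decentralised report processing (not TCN or DP-3T code):
seeds go up, contact logs stay on the device, matching happens client-side."""
import hashlib
import hmac
import secrets

TOKENS_PER_DAY = 96  # assumed 15-minute rotation


def derive_tokens(day_seed, n=TOKENS_PER_DAY):
    """All encounter tokens for one day, derived from that day's seed (assumed derivation)."""
    return [hmac.new(day_seed, i.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
            for i in range(n)]


class Server:
    """Only ever holds seeds volunteered by infected users; no logs, no identities."""

    def __init__(self):
        self.published = []

    def publish(self, seeds):
        self.published.extend(seeds)


class Client:
    def __init__(self):
        self.day_seeds = {}  # day -> seed, generated and kept locally
        self.log = set()     # (day, token) pairs heard over Bluetooth

    def seed_for(self, day):
        if day not in self.day_seeds:
            self.day_seeds[day] = secrets.token_bytes(32)
        return self.day_seeds[day]

    def token(self, day, slot):
        return derive_tokens(self.seed_for(day))[slot]

    def hear(self, other, day, slot):
        self.log.add((day, other.token(day, slot)))

    def report(self, server, days):
        # Upload: only seeds leave the device, never the contact log.
        server.publish([(d, self.seed_for(d)) for d in days])

    def check(self, server):
        """Re-derive every published seed's tokens and compare with the local log.

        Returns (hits, work): the (day, slot) encounters that match, and how many
        token derivations this device performed, which scales with report volume."""
        hits, work = [], 0
        for day, seed in server.published:
            for slot, tok in enumerate(derive_tokens(seed)):
                work += 1
                if (day, tok) in self.log:
                    hits.append((day, slot))
        return hits, work


def demo():
    server, alice, bob, carol = Server(), Client(), Client(), Client()
    bob.hear(alice, 3, 10)         # Bob met Alice on day 3, slot 10
    carol.hear(bob, 2, 5)          # Carol met Bob, never Alice
    alice.report(server, [1, 2, 3])  # Alice tests positive, uploads three day-seeds
    bob_hits, bob_work = bob.check(server)
    carol_hits, carol_work = carol.check(server)
    return bob_hits, carol_hits, bob_work, carol_work
```

Note that a match here notifies the user with no authority review in between, which is the human-in-the-loop gap the paragraph refers to, and that every device repeats the same derivation work for every published seed whether or not it ever met the reporting user.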