corona-warn-app / cwa-wishlist

Central repository to collect community feature requests and improvements. The CWA development ends on May 31, 2023. You can still warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0
105 stars, 14 forks

Anonymous geolocation for hotspot-identification #435

Open johannes-link opened 3 years ago

johannes-link commented 3 years ago

Problem and motivation

The missing corona-hotspot/cluster-identification is a big criticism of CWA. This is a proposal for exposing hotspots by geolocation and still protecting privacy and anonymity. It will help RKI and the public to detect hotspot-areas without tracking or analyzing all motion data of users at a central server.

Feature description

For a better understanding of this proposal see Figure 1 of Corona-Warn-App Solution Architecture.

To achieve the goal of exposing hotspots, the local storing of received keys via BLE from other clients has to be extended by the actual geolocation of the contact-point. If a user is tested positive for COVID-19, the device still just uploads the keys (+TAN) to Corona-Warn-App Server (without geolocation). Other clients will download these keys from Corona-Warn-App Server and check them for contacts. If there is a match, they will upload the key of the positive contact in combination with geolocation to a new API of Corona-Warn-App Server (this API has to be implemented). The geolocation-upload-process should only be triggered when the client had multiple contacts at the contact-datetime. With this approach it is not possible to deanonymize single users.

Example workflow

User A and User B are working with some colleagues in an office. In this situation User A sends Key A via BLE to User B and to the other colleagues. User B extends Key A by his current geolocation and saves the object to local storage. One day later User A has a positive corona-test. User A uploads all his keys to Corona-Warn-App Server. User B downloads these keys from Corona-Warn-App Server. He registers the contact with Key A. Now the device of User B checks if there were three or more other people around at this datetime. If yes, User B uploads the geolocation of the contact-point to Corona-Warn-App Server. Positive effect: User A, User B and their colleagues are still anonymous, and the public is able to identify their office-complex as corona-contact-point.

Is this something you're interested in working on?

Yes
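The upload rule described in the proposal above, simulated client-side as an added example (this is not CWA code and not the author's implementation). The field names, the 10-minute interval granularity used for "contact-datetime", and the threshold of three other contacts are assumptions for illustration:

```python
"""Added example (not CWA code): client-side simulation of the hotspot-upload
rule from the proposal. Field names, the 10-minute interval and the threshold
of three other contacts are assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

INTERVAL_MINUTES = 10       # assumed granularity of a "contact-datetime"
MIN_OTHER_CONTACTS = 3      # "three or more other people around" (proposal)


@dataclass(frozen=True)
class Encounter:
    """One key received via BLE, extended by the receiver's own geolocation."""
    key: bytes      # hypothetical: identifier received from the other device
    minute: int     # receipt time, minutes since epoch
    lat: float
    lon: float


@dataclass(frozen=True)
class HotspotReport:
    """What the client would send to the (not yet existing) hotspot API."""
    positive_key: bytes
    interval: int   # minute // INTERVAL_MINUTES
    lat: float
    lon: float


def interval_of(minute: int) -> int:
    return minute // INTERVAL_MINUTES


class LocalStore:
    """Per-device storage of received keys plus the contact-point location."""

    def __init__(self) -> None:
        self._encounters: list[Encounter] = []

    def record(self, enc: Encounter) -> None:
        self._encounters.append(enc)

    def other_keys_in_interval(self, interval: int, exclude: bytes) -> set[bytes]:
        """Distinct keys other than `exclude` seen in the same interval.
        Repeated BLE advertisements of the same key count once."""
        return {
            e.key for e in self._encounters
            if interval_of(e.minute) == interval and e.key != exclude
        }

    def hotspot_reports(self, positive_keys: Iterable[bytes]) -> list[HotspotReport]:
        """Match downloaded positive keys against local encounters; emit a
        report only for contact-points with >= MIN_OTHER_CONTACTS other keys."""
        positives = set(positive_keys)
        reports: dict[tuple[bytes, int], HotspotReport] = {}
        for enc in self._encounters:
            if enc.key not in positives:
                continue                  # no exposure, nothing to report
            iv = interval_of(enc.minute)
            if (enc.key, iv) in reports:
                continue                  # one report per positive key and interval
            others = self.other_keys_in_interval(iv, exclude=enc.key)
            if len(others) < MIN_OTHER_CONTACTS:
                continue                  # too few people around: stay silent
            reports[(enc.key, iv)] = HotspotReport(enc.key, iv, enc.lat, enc.lon)
        return list(reports.values())


def office_scenario() -> list[HotspotReport]:
    """Constructed sample: user B in an office with A and three colleagues
    (one interval), later alone with A in a cafe (another interval)."""
    office = (52.52, 13.405)
    cafe = (52.50, 13.40)
    b = LocalStore()
    t_office, t_cafe = 1_000_000, 1_000_600   # 600 minutes apart
    # A and C advertise repeatedly; D and E once each.
    for i, key in enumerate([b"A", b"C", b"D", b"E", b"A", b"C"]):
        b.record(Encounter(key, t_office + (i % 3), *office))
    b.record(Encounter(b"A", t_cafe, *cafe))
    return b.hotspot_reports(positive_keys=[b"A"])


if __name__ == "__main__":
    for report in office_scenario():
        print(report)
```

Only the office contact-point is reported; the cafe encounter with A alone is suppressed by the threshold. The part an app cannot compute under the Exposure Notification Framework is `other_keys_in_interval`: as the next comment points out, the framework only hands positive encounters to the app, so the count of non-positive devices nearby is unavailable.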

Ein-Tim commented 3 years ago

Related Issues:


Limitations to this proposal:

  1. Apps using the Exposure Notification Framework/System from Apple/Google are not allowed to access the user's position. See for example Apple's Exposure Notification Addendum, point 3.3.
  2. The scanning and receiving of Bluetooth Beacons is done by the above mentioned ENF/ENS. This API only hands over positive encounters to the app, not non-positive ones. So for your example, the device of user B couldn't check whether there were three or more people around, unless the other people who were around are tested positive.

--> Such a feature would have to be implemented on OS level.

johannes-link commented 3 years ago

Thanks for your fast reply @Ein-Tim. So we have to find another way.

Ein-Tim commented 3 years ago

@j-l1nk

Yes, sadly, but besides the limitation I think that your proposal is a good one. So please leave it open.

Have nice Easter days. 🙂

johannes-link commented 3 years ago

Thank you @Ein-Tim 😊 I hope you enjoy the Easter days too.

ghost commented 3 years ago

Hello, that's really a great idea! I hope you guys enjoy your Easter days 😊

johannes-link commented 3 years ago

Hello @Ein-Tim, I read some more documentation about Exposure Notification Framework/System in the developer-pages of Apple/Google and in the related issues here in GitHub. With this knowledge I have a new idea for implementing this feature.

Description

CWA could enrich the places in the contact diary by semantic information. For this feature CWA could use existing open-source APIs/databases like OpenStreetMap. People would store places as semantic objects with identifiers and geolocation information instead of storing simple strings. Additionally, the visiting duration could be replaced by an interval (from-to).

When a user is tested positive for Covid-19 his CWA could upload keys and semantic places from the contact diary to the Corona-Warn-App server. RKI could use this information for hotspot identification. Also, RKI could add information about visited places of positively tested non-CWA users to the public database. CWAs of other users could download the exposed semantic places and check if the user has a matching place/interval in his contact diary.

Note: Only public places like parks, universities, offices, etc. should be available as semantic places. This makes it impossible to deanonymize single users by sharing the addresses of private houses or flats.

Maybe it's also possible to connect the new QR-Codes to semantic places.

Ein-Tim commented 3 years ago

Hi @j-l1nk

This new proposal definitely agrees more with the "rules" of the ENF / ENS. Still I see a high chance that something like this could be rejected by Apple / Google, but that would be something that has to be seen. A very closely related issue to your new proposal is #408.

One of the nice community managers will soon pick up on this issue and mirror it into the internal ticket system (JIRA). He will give you all further details.

Have a nice Sunday!

Velligis128 commented 3 years ago

@j-l1nk @Ein-Tim

CWA could enrich the places in the contact diary by semantic information. For this feature CWA could use existing open-source APIs/databases like OpenStreetMap. People would store places as semantic objects with identifiers and geolocation information instead of storing simple strings. Additionally, the visiting duration could be replaced by an interval (from-to).

Not sure if the RKI really needs the GPS location for the statistical analysis of where most of the infections happen, but if not, a classification + postal code as suggested in my issue #408 is sufficient. This would also address the problem with private locations: the location would not be known, but it would at least be known that it was in a private area. Or you could combine it and send the GPS locations only for public places like you suggested and send a classification for everything else. Would be nice to get feedback on that from one of the scientists.

But I really like the idea of using the places data out of the diary function.

johannes-link commented 3 years ago

I absolutely agree with your comment @Velligis128. GPS information is not required to find a solution for this issue or your #408.

I like the idea to combine both proposals and extend places in contact diary (only) by categories and postal codes. It's less accurate than semantic places but has no risk to breach anonymity and still provides enough information to identify hotspots.

What do you think? @Ein-Tim @Velligis128
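The structured diary places proposed two comments above (semantic place + interval) and the category + postal code variant proposed here, worked through as an added example (not CWA code and not any commenter's implementation). The category list, the OSM-style numeric place id, and the field layout are assumptions for illustration; the sample diary entries are constructed:

```python
"""Added example (not CWA code): contact-diary places as structured objects,
reduction before upload (public places keep their identifier, private places
are reduced to category + postal code), and interval matching of published
exposure places against the local diary. Categories, the OSM-style place id
and the field layout are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed list of categories that may be published with a semantic identifier.
PUBLIC_CATEGORIES = {"office", "university", "park", "restaurant", "shop"}


@dataclass(frozen=True)
class DiaryPlace:
    osm_id: Optional[int]   # assumed: OpenStreetMap node/way id, None if unknown
    category: str
    postal_code: str
    start: int              # visit interval, minutes since epoch
    end: int


@dataclass(frozen=True)
class ExposurePlace:
    """What the server publishes about a positive user's diary entry."""
    osm_id: Optional[int]   # None when only category + postal code are published
    category: str
    postal_code: str
    start: int
    end: int


def to_upload(place: DiaryPlace) -> ExposurePlace:
    """Reduce a diary entry before upload: only public categories keep the
    semantic identifier; everything else becomes category + postal code."""
    if place.category in PUBLIC_CATEGORIES:
        return ExposurePlace(place.osm_id, place.category, place.postal_code,
                             place.start, place.end)
    return ExposurePlace(None, place.category, place.postal_code,
                         place.start, place.end)


def overlaps(a_start: int, a_end: int, b_start: int, b_end: int) -> bool:
    """Half-open interval overlap: [a_start, a_end) and [b_start, b_end)."""
    return a_start < b_end and b_start < a_end


def matches(diary: DiaryPlace, exposure: ExposurePlace) -> bool:
    """A published place matches a diary entry by identifier when one is
    published, otherwise (coarsely) by category + postal code; in both cases
    the visit intervals must overlap."""
    if exposure.osm_id is not None:
        same_place = diary.osm_id == exposure.osm_id
    else:
        same_place = (diary.category, diary.postal_code) == (
            exposure.category, exposure.postal_code)
    return same_place and overlaps(diary.start, diary.end,
                                   exposure.start, exposure.end)


def check_diary(diary: list[DiaryPlace],
                exposures: list[ExposurePlace]) -> list[tuple[DiaryPlace, ExposurePlace]]:
    """Client-side check of the downloaded exposure places against the diary."""
    return [(d, e) for d in diary for e in exposures if matches(d, e)]


def sample_run() -> list[tuple[DiaryPlace, ExposurePlace]]:
    """Constructed sample data, not real diary content."""
    my_diary = [
        DiaryPlace(123456, "office", "10115", start=600, end=1080),
        DiaryPlace(None, "private", "10115", start=1100, end=1500),
        DiaryPlace(987654, "park", "10117", start=2000, end=2100),
    ]
    positive_user_diary = [
        DiaryPlace(123456, "office", "10115", start=900, end=1200),
        DiaryPlace(None, "private", "10115", start=1200, end=1400),
        DiaryPlace(987654, "park", "10117", start=3000, end=3100),
    ]
    published = [to_upload(p) for p in positive_user_diary]
    return check_diary(my_diary, published)


if __name__ == "__main__":
    for diary_entry, exposure in sample_run():
        print(diary_entry, "<->", exposure)
```

In the sample the office visit matches by identifier and overlapping interval, the park visit does not match because the intervals are disjoint, and the private entry matches only on category + postal code, which illustrates the trade-off discussed above: stripping the identifier protects private addresses but makes every private visit in the same postal code during that interval look like a match.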

Velligis128 commented 3 years ago

@j-l1nk: I think I would prefer the integration of a map API, as this enhances the UX for the user and enables the app for an automatic identification of the postal code and a proposal for the classification. To do this by hand would be a pain in the ...

In the end, using the diary will always be a workaround where I am not sure if it is really helping out. Most of my colleagues and friends are using the app, but I don't know anyone using the diary. I am not sure if we will get enough data for valid research. But this issue can't be solved without Google / Apple and it looks like there is no interest in talking to them.

Ein-Tim commented 3 years ago

I think even with the proposed solution with the contact diary, CWA would risk to get blocked from the Stores, see https://www.bbc.com/news/technology-56713017.

Velligis128 commented 3 years ago

@Ein-Tim Thanks for the share.

A little bit annoying....

What this underlines is that governments around the world have been forced to frame part of their response to the global pandemic according to rules set down by giant unelected corporations.

This is maybe the most important fact :(

heinezen commented 3 years ago

Hello everyone, sorry for not going for this issue sooner.

@j-l1nk As already said, see the other issues @Ein-Tim mentioned for similar proposals and the current event registration proposal for an alternative approach.

Additionally - because your approach would require a significant change in the permissions used by the app - I would like you to answer these questions about the proposal that would need to be considered:

User A uploads all his keys to Corona-Warn-App Server. User B downloads these keys from Corona-Warn-App Server. He registers the contact with Key A. Now the device of User B checks if there were three or more other people around at this datetime. If yes, User B uploads the geolocation of the contact-point to Corona-Warn-App Server.

If there is a match, they will upload the key of the positive contact in combination with geolocation to a new API of Corona-Warn-App Server (this API has to be implemented).

and the public is able to identify their office-complex as corona-contact-point.


Corona-Warn-App Open Source Team

johannes-link commented 3 years ago

Hello @heinezen,

the biggest problems for the first proposal are the ENS/ENF restrictions. With these limitations we can't implement hotspot identification based on the geolocation API.

We proposed a new solution which is very similar to Event Registration. As I can see, the new Protobuf message also has a categorization of locations as suggested by @Velligis128. I think "TraceLocation" contains enough information for hotspot identification without compromising anonymity. Therefore, our proposals should be completed by the CWA update this month. Event Registration seems to be a very good solution.

Ein-Tim commented 3 years ago

@j-l1nk

But, sorry for repeating myself here, if the plan would be to let users opt-in to upload their history of check-ins, that's exactly what the NHS Covid-19 app has been blocked from the Stores for. See https://www.bbc.com/news/technology-56713017.

If we're just talking without taking the restrictions into account, excuse me. 🙂

DanAmt commented 3 years ago

Possibly going slightly OT: What about voluntary consent to location tracking? I know this is a political minefield. Maybe a sidecar app? The "Datenspende App" comes to mind, which could serve as a vessel for voluntarily disclosed data.