Can blockchain make COVID-19 tracking apps secure?
As tracking apps evolve and become increasingly necessary in the fight against coronavirus, designers can look to blockchain to help ensure users' privacy.
In 2011, two Cambridge scientists, Eiko Yoneki* and Jon Crowcroft, created an influenza tracking device called FluPhone. It used Bluetooth and wireless signals and relied on users' willingness to voluntarily report symptoms.
As COVID-19 spreads rapidly around the world, researchers, tech giants and healthcare officials are once again turning to cell phone technology.
The most recent and newsworthy include Apple and Google's new APIs that will enable compatibility between iOS and Android via official healthcare apps, such as Germany's smartwatch app, the WHO's “WAZE for COVID” and the UK's “COVID Tracking App.”
Because the vast majority of the population now owns smartphones, digital contact-tracing seems highly rational. But is it safe?
Far beyond the point of questioning how they work, or whether they'll plant unnecessary seeds of worry in the minds of the public, one important question remains:
What can tracking app designers and health officials do to ensure data security for users?
The solution could lie within blockchain technology.
Lisa Trujillo, HERE's Lead Product Security Engineer and Co-Author of DIN SPEC 4997: Privacy by Blockchain Design, comments:
“Advantages in the use of blockchain come from the nature of the network structure and how network participants achieve consensus regarding the accuracy of the data... This can enable things like greater data privacy management and prevent fraudulent access to data.”
Because new data blocks are stored linearly and chronologically (in other words, blocks are always added to the “end” of the chain), it is very unlikely that anyone trying to tamper with the information would spend the painstakingly long time required to hack into each and every block, making blockchain an ideal data protection tool.
To get a better sense of the evolution of tracking apps, I reached out to Eiko Yoneki, co-founder of FluPhone.
You tell me your symptoms; I'll tell you mine
FluPhone started as a study at the University of Cambridge in 2011. “...We asked volunteers to install a small piece of software (called FluPhone) on their mobile phones and to carry their phones with them during their normal day-to-day activities,” explains Yoneki.
It was the first mass attempt at public data collection of its kind.
The project was aimed at giving Yoneki's research group a better understanding of how often people congregate in small groups and, with that information, “...work out how far apart people actually are, and how fast diseases could spread within communities,” she adds.
Using Bluetooth-connected technology, Yoneki and team could rate the speed of a viral infection: “The software will automatically detect and record how many Bluetooth devices are around you, how often you encounter these devices, and then send this information back. This provided us with an approximation of how many people you would meet at any one time and would hopefully enable us to see how social encounters and travel can directly spread infections.”
The project asked users to divulge private information, just like the COVID-19 versions. Yoneki states: “We also asked participants to inform us of any influenza-like symptoms... so that we could match the spread of flu to the underlying social network of encounters made.”
So, if I had lunch with a friend and then came down with a fever, I could enter the symptom in the app and it would notify my lunch partner.
Even at this early stage, Yoneki reported much effort and research to guarantee user privacy and trust, ensuring that “a clear description of their data processing procedure was provided before the registration process.” This included questions regarding consent to data collection, access and use by the scientific team, age and participation regulations.
“…We did not ask for your full name or address… and all analyses were performed on an anonymized dataset in which e-mail addresses and mobile phone identifiers had been removed. The data was only used for the purpose of research into how influenza and other close-contact infections can spread within the UK.” They even consulted an external group of data privacy experts.
Certainly, Yoneki and co-creators were sensitive about the nature of the data being collected.
But they also benefited from the perks of then-developing technology: “FluPhone did not record the physical location information and did not use GPS information. In 2011, common mobile phones did not have GPS.”
But now, they do.
Clarity, accuracy and increased data-sharing control
Trust and confidentiality must be carefully considered when you're dealing with any kind of data collection.
There are many types of COVID-19 mobile apps both with centralized and de-centralized contact tracing concepts, some of which make use of geolocation tracking functionality and some of which do not, but instead rely on Bluetooth-based proximity tracing.
Further, there are also so-called self-reporting applications where end-users can answer questionnaires or provide other self-reporting functionality, some of which may or may not include health information.
“[Blockchain] is the only technology that guarantees trust across parties who don't necessarily trust each other,” stated HERE's CTO Giovanni Lanfranchi, during CES 2020.
In 2011, only 1% of the Cambridge community volunteered to use FluPhone, but during the COVID-19 crisis, many governments are looking into how to provide their citizens with mobile applications that balance individual privacy while at the same time attempting to mitigate the crisis.
Government officials should feel obliged to take responsible action towards protecting people's privacy. Standard data-grab procedures involving obligatory seizures and probing due to “exceptional circumstances” aren't going to fly.
Especially when there are ready alternatives.
Blockchain is like a shared record book that's not owned by any one person or organization. It's owned by everyone who has a copy, including the users.
For example, a decentralized blockchain system should keep sensitive data on users' phones and be used for transparently managing consent, rather than being yet another place for data storage.
Several other contact tracing concepts from MIT, Cambridge University, King's College London and a range of European technical universities also prefer decentralized approaches.
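The two ideas above, blocks that are only ever added to the end of the chain and a ledger used for managing consent rather than storing data, shown as an added example (not code from HERE, DIN SPEC 4997 or any tracing app): a single-writer hash chain in Python that records only consent decisions for a constructed pseudonymous ID and reports the first block that no longer verifies. Function names and sample values are assumptions; a real blockchain adds replication and consensus across participants, which this example does not model.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first block

def digest(body: dict) -> str:
    # Canonical JSON so identical records always hash identically.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_consent(chain, user, purpose, granted, ts):
    # Blocks are only ever added at the end; each one commits to its predecessor.
    body = {"index": len(chain), "prev": chain[-1]["hash"] if chain else GENESIS,
            "user": user, "purpose": purpose, "granted": granted, "ts": ts}
    chain.append({**body, "hash": digest(body)})
    return chain[-1]

def first_bad_block(chain) -> int:
    """Return -1 if every link verifies, else the index of the first broken block."""
    prev = GENESIS
    for i, block in enumerate(chain):
        body = {k: v for k, v in block.items() if k != "hash"}
        if block.get("index") != i or block.get("prev") != prev \
                or digest(body) != block.get("hash"):
            return i
        prev = block["hash"]
    return -1

def has_consent(chain, user, purpose) -> bool:
    # Refuse to answer from a ledger that fails verification; default is no consent.
    if first_bad_block(chain) != -1:
        raise ValueError("consent ledger failed integrity check")
    state = False
    for block in chain:
        if (block["user"], block["purpose"]) == (user, purpose):
            state = block["granted"]  # latest record wins
    return state

def build_sample():
    # Constructed sample: a pseudonymous ID and consent flags only, no health data.
    chain, user = [], "pseudonym-7f3a"
    append_consent(chain, user, "proximity-tracing", True, 1586131200)
    append_consent(chain, user, "symptom-sharing", True, 1586131260)
    append_consent(chain, user, "symptom-sharing", False, 1586217600)  # revoked
    return chain, user

if __name__ == "__main__":
    chain, user = build_sample()
    print(first_bad_block(chain), has_consent(chain, user, "symptom-sharing"))
    chain[2]["granted"] = True  # edit the revocation in place
    print(first_bad_block(chain))
```

An edit to an earlier block that also recomputes that block's own hash is still caught one block later, because the next block's stored previous-hash no longer matches.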
So, you see, privacy is still very much an option.
Contact HERE to find out how you can better protect your datasets.
*Eiko Yoneki was interviewed on April 6th, 2020.