COVID-19: Our privacy-preserving proposition

Yesterday we presented a critical vulnerability in the next-to-being-adopted contact-tracing class of design proposed by DP3T, Apple & Google. In this design, the list of infected users' identifiers is publicly broadcasted. This data, in conjunction with a network of rogue Bluetooth trackers, can allow re-identification of infected users, at scale.

The only way of mitigating this vulnerability is to keep the list of infected users' identifiers private.

Apple and Google will rely on mobile phone's secure hardware (TPM) to securely store each user's traced-contacts and compute infection risks. Mobile phones TPMs, based on ARM processors, cannot be remotely verified: it is impossible for the authority to provably distinguish valid mobile phones from rogue ones.

Instead of broadcasting the list of infected users' identifiers, to compute infection risk on mobile phones, we propose to use TPMs on the cloud. In this modified design, this list of infected users' identifiers is never disclosed to anyone. Even authorities can't access it. Infection risk is computed on TPMs on the cloud, using encrypted data provided by mobile phones TPMs.

This is possible because Secretarium technology relies on another type of TPMs, based on Intel processors, which are remotely attestable.

Our primary focus is to build a service compatible with Apple & Google design, and get it running. We are also adding functionalities to our service to support this alternative design.