Fully Private Open Source Contact Tracing

A promise of privacy is not enough. The community must be able to verify, through open source, that privacy is actually preserved.

OpenCovidTrace is an open-source platform integrating all popular BLE (Bluetooth Low Energy) contact tracing protocols (DP-3T, Google & Apple, BlueTrace, etc.) with an additional set of features for iOS and Android platforms.

Our vision is to provide a trustworthy contact tracing tool with universal interoperability that empowers people and communities to fight Coronavirus.

Our mission is to develop an open-source implementation of proprietary protocols (such as the Apple & Google and BlueTrace backends) that addresses concerns about the preservation of individual privacy and integrates with all popular open-source protocols (such as DP-3T).

Press

Australians download COVIDSafe contact tracing app

More than a million Australians have downloaded a coronavirus contact tracing app within hours of it being released by the government.

BBC - Apr 26 2020

NY Launch Contact Tracing Program

Bloomberg Philanthropies has committed $10.5 million, along with organizational support and technical assistance, to help build and execute this new program.

The Official Website Of New York State - Apr 22 2020

App-based contact tracing may help countries get out of lockdown

On April 10th Apple and Google did something unusual: they announced plans to work together.

Their plan is to combine their assets to assist the tracking of the covid-19 pandemic.

The Economist - Apr 16 2020

Singapore develops smartphone app for efficient contact tracing

Extensive, aggressive and timely contact tracing is so far the only alternative to full lockdowns to control the spread of the SARS-CoV-2 virus causing the COVID-19 disease.

The Straits Times - Mar 20, 2020

Apple & Google Contact Tracing protocol

OpenCovidTrace has an open-source implementation of the Apple & Google Contact Tracing Cryptography protocol, but it differs in how Rolling Proximity Identifiers are exchanged.

Currently, access to background BLE advertisement on the iOS platform is limited, which is why OpenCovidTrace uses a Bluetooth connection for key exchange.
According to the documentation, this is expected to change in the next iOS update.

If it does not, and full interoperability with the Apple & Google protocol is not possible without using their API, the next released version of OpenCovidTrace will use their API.

Compared to Apple & Google’s solution, OpenCovidTrace is open-source, so the community can verify privacy.
We also provide GPS- and QR-code-based contacts and more information about Bluetooth contacts, such as time, geo-position and distance, not just ‘contact’ or ‘no contact’.

How does the Apple & Google Contact Tracing protocol work in our implementation?

  1. The OpenCovidTrace app generates a 32-byte random Private key once installed on the user’s phone. That Private key will under no circumstances leave the device.

    Every 24 hours the app generates a so-called Daily Tracing Key: a 16-byte HKDF SHA-256 output derived from the Private key and the day number.
    Those Daily Tracing Keys will be shared with the public server if the user reports Covid-19 related symptoms. Even at this point, the user’s privacy is preserved.

  2. Every 10 minutes the app generates a Rolling Proximity Identifier using the first 16 bytes of the HMAC SHA-256 hash of the Daily Tracing Key and the daily time interval number.
    That identifier is broadcast via the Bluetooth Low Energy Service to other devices running the OpenCovidTrace app, as well as to other apps based on the Apple & Google Contact Tracing protocol.

  3. In case a user reports Covid-19 related symptoms, the app sends a message to the public server. This message will contain:

    1. The collection of the user’s Daily Tracing Keys from the past 14 days
    2. The user's location area over the past 14 days, expanded to an area comprising all potential contact points of the user,
    without ever showing the user’s exact location tracks along the 14-day timeline.
    That area is randomly enlarged and adjusted for longitude and latitude (thus avoiding the exact geolocation of the user in order to keep privacy) and comprises e.g. the area of the entire city the user lives in, even if he/she might not have left their neighborhood.

    For every user, the app regularly pulls from the public server the new Daily Tracing Keys of users who reported symptoms.
    It sends a random rect (an area created based on the user’s movements and potential contact places, as explained above) and receives the new infected Daily Tracing Keys, together with coordinates representing potential points of contact with infection.

    The app searches the locally stored Rolling Proximity Identifiers for ones matching the infected Daily Tracing Keys.
    If a match is found, the app notifies the user accordingly.
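The derivation in steps 1 and 2 and the local matching step, as an added Go example (not OpenCovidTrace's own code). The "CT-DTK" and "CT-RPI" labels and the little-endian day encoding are assumed from the version 1.0 Apple & Google cryptography specification; the key and day number are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

func mac(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// DailyTracingKey is HKDF-SHA256 (RFC 5869, empty salt) truncated to 16 bytes.
// Assumed: info = "CT-DTK" || day number as uint32 little-endian (v1.0 spec).
func DailyTracingKey(tracingKey []byte, day uint32) []byte {
	info := append([]byte("CT-DTK"), 0, 0, 0, 0)
	binary.LittleEndian.PutUint32(info[6:], day)
	prk := mac(make([]byte, sha256.Size), tracingKey) // HKDF-Extract
	return mac(prk, append(info, 1))[:16]             // HKDF-Expand, block 1
}

// RollingProximityID is the first 16 bytes of HMAC(dtk, "CT-RPI" || interval);
// the "CT-RPI" label and one-byte interval are assumed from the v1.0 spec.
func RollingProximityID(dtk []byte, interval uint8) (rpi [16]byte) {
	copy(rpi[:], mac(dtk, append([]byte("CT-RPI"), interval)))
	return rpi
}

// Match re-derives all 144 identifiers per published key; returns intervals seen.
func Match(published [][]byte, seen map[[16]byte]bool) (hits []int) {
	for _, dtk := range published {
		for j := 0; j < 144; j++ {
			if seen[RollingProximityID(dtk, uint8(j))] {
				hits = append(hits, j)
			}
		}
	}
	return hits
}

func main() {
	tk := []byte("constructed-32-byte-tracing-key!") // sample, not random
	dtk := DailyTracingKey(tk, 18372)                // constructed day number
	seen := map[[16]byte]bool{RollingProximityID(dtk, 57): true}
	fmt.Println(Match([][]byte{dtk}, seen)) // [57]
}
```

Only the 16-byte Daily Tracing Keys are published; the 32-byte Private key never enters the matching step.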

The original Apple & Google cryptography protocol specification can be found at this link

Apple & Google have recently updated their protocol. Version 1.1 features a change in cryptography and allows for adding encrypted additional data to the Rolling Proximity Identifiers.
This version of the protocol will be implemented shortly in OpenCovidTrace.

DP-3T Contact Tracing protocol

Compared to Apple & Google’s protocol, DP-3T uses different cryptography and a different Rolling Proximity Identifier exchange method; the exchange method is the same as in OpenCovidTrace’s implementation of the Apple & Google protocol.

The DP-3T Contact Tracing protocol has an open-source SDK for both iOS and Android platforms, and it will be implemented in the next OpenCovidTrace release.

How will it work?

  1. OpenCovidTrace will use the same 32-byte Private key.
  2. Every 24 hours the app will generate a Daily Key as the SHA-256 hash of the previous Daily Key (or of the Private key, for the first key).
    The app will also generate 24*60 EphIDs (so-called Rolling Proximity Identifiers), one for each minute, by AES-CTR encrypting a 24*60*16-byte array of zero bytes under the key HMAC("broadcast key" || DailyKey).
  3. OpenCovidTrace will use a random EphID for the BLE contact exchange in the same way as described in the Apple & Google protocol implementation above.
  4. In case a user reports Covid-19 related symptoms, the app sends the Daily Keys of the last 14 days to the public server.
  5. For every user, the app continuously pulls the most recent Daily Keys of the users who reported symptoms from the public server, generates 24*60 EphIDs for each Daily Key and compares them to the locally stored EphIDs.
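Steps 2 and 5 as an added Go example (not OpenCovidTrace or DP-3T SDK code). It assumes the AES key is HMAC-SHA256 keyed with the Daily Key over the label "broadcast key" and a zero initial counter, and it goes one step beyond the text by regenerating later Daily Keys from the oldest uploaded one through the hash chain.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// NextDailyKey advances the chain: next Daily Key = SHA-256(previous key).
func NextDailyKey(prev []byte) []byte {
	h := sha256.Sum256(prev)
	return h[:]
}

// EphIDs AES-256-CTR-encrypts 24*60*16 zero bytes into 16-byte identifiers.
// Assumed: key = HMAC-SHA256(Daily Key, "broadcast key"), counter starts at 0.
func EphIDs(dailyKey []byte) [][16]byte {
	mac := hmac.New(sha256.New, dailyKey)
	mac.Write([]byte("broadcast key"))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key, so this cannot fail
	buf := make([]byte, 24*60*16)           // zeros in, keystream out
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(buf, buf)
	ids := make([][16]byte, 24*60)
	for i := range ids {
		copy(ids[i][:], buf[i*16:])
	}
	return ids
}

// ExposedDays returns day offsets (from the oldest key) with a logged EphID.
func ExposedDays(oldest []byte, days int, seen map[[16]byte]bool) (hit []int) {
	for d, key := 0, oldest; d < days; d, key = d+1, NextDailyKey(key) {
		for _, id := range EphIDs(key) {
			if seen[id] {
				hit = append(hit, d)
				break
			}
		}
	}
	return hit
}

func main() {
	sk0 := NextDailyKey([]byte("constructed private key, not random"))
	seen := map[[16]byte]bool{EphIDs(NextDailyKey(sk0))[615]: true}
	fmt.Println(ExposedDays(sk0, 14, seen)) // [1]
}
```

Because each Daily Key is the hash of the one before it, anyone holding one uploaded key can compute every later key in the chain but none of the earlier ones.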

The original DP-3T Contact Tracing protocol specification can be found at this link

BlueTrace Contact Tracing protocol

BlueTrace is the protocol which was implemented by the government-sponsored mobile app in Singapore.

The Government of Singapore released its specification to the public, and it is one of the candidates to become a global contact-tracing standard.

It has various shortcomings compared to the Apple & Google and DP-3T approaches, but OpenCovidTrace will add support for it in the next release for interoperability reasons.

The BlueTrace Contact Tracing protocol specification can be found at this link

How to support the community:

For developers

Feel free to join our project on GitHub and contribute.

We are open to dialogue and to any suggestions and recommendations.

For health authorities and medical organizations

We are in communication with COVID-19 medical labs and authorities like the WHO.

We welcome public health organizations that want to brand and distribute our white-label app in different app stores.

Both Google and Apple restricted the distribution of COVID-19 related apps via their app stores, unless such applications are filed for release by public health organizations or governmental organizations.

Any professional advice is welcome and will be helpful. Please contact us at info@opencovidtrace.org.

For government agencies and local authorities

We welcome governmental and related organizations that want to brand and distribute our white-label app in different app stores.

Both Google and Apple restricted the distribution of COVID-19 related apps via their app stores, unless such applications are filed for release by public health organizations or governmental organizations.

Any professional advice is welcome and will be helpful. Please contact us at info@opencovidtrace.org.


Our main contributor