FrenchKit - Contact Tracing & Exposure Notification

Transcript

1. Mathieu Hausherr (@mhausherr) Contact Tracing Exposure Notification API & StopCovid

2. Test - Trace - Isolate

3. French brigades Nous constituerons des brigades chargées de remonter la

   liste des cas contacts, de les appeler, de les inviter à se faire tester en leur indiquant à quel endroit ils doivent se rendre, puis à vérifier que ces tests ont bien eu lieu et que leurs résultats donnent lieu à l’application correcte de la doctrine nationale. https://www.gouvernement.fr/partage/11519-declaration-du-premier-ministre-sur-la-strategie-nationale-du-plan-de-deconfinement-a-l-assemblee

4. Tracking I meet Antoine D. I meet Bertrand E. I

   meet Christophe F.

5. GPS Naive solution Not privacy safe Google owns part of

   this data https://policies.google.com/privacy

6. Tracing We don’t need to know where, neither the name

   of your contact. We need only contact details. We just remember: I meet A.D. last Monday morning, less than a meter during one hour.

7. Bluetooth Tracing

8. Basic principle Phone generates different ids (ephemeral) every 30 minute

   and broadcasts this id by BLE Other phones save for each phone in the nearby the ephemeral ids plus some meta datas (date, duration, …) https://github.com/DP-3T/documents

9. Architecture Which data gets out of your phone? Health authority

   Covid+ Potential contact

10. Centralized architecture Health authority as a referent Health authority Covid+

    Potential contact Anonymized contacts Am I at risk ?

11. Centralized architecture Health authority as a referent Health authority Covid+

    Potential contact Anonymized contacts Am I at risk ? Potential Risk: log contact graph

12. Decentralized architecture Divide and rule Health authority Covid+ Potential contact

    Anonymized « I’m sick » Anonymized health datas (i.e. all anonymized « I’m sick »)

13. Decentralized architecture Divide and rule Health authority Covid+ Potential contact

    Anonymized « I’m sick » Anonymized health datas (i.e. all anonymized « I’m sick ») Potential Risk: intercept medical datas

14. Manual processing - French Brigade What we actually do Health

    authority Covid+ Potential contact Medical datas Contacts Positions? Medical datas Contacts Positions?

15. Manual processing - French Brigade What we actually do Health

    authority Covid+ Potential contact Medical datas Contacts Positions? Medical datas Contacts Positions? Risk Risk Risk Risk Risk

16. How it works? Which data gets out of your phone?

    Centralized Decentralized Brigade Positions No No Sometimes Contacts Anonymized on server No Yes Medical datas No Anonymized on server Yes

17. Apple & Google

18. Historical announcement Apple & Google logo on the same document

    Common API iOS 13.5+ / Android 5+ https://www.apple.com/covid19/contacttracing

19. What? No apps = nothing is imposed Configurable by states

    according to 4 criteria = Apple & Google are not doctor Decentralized system is mandatory https://developer.apple.com/documentation/exposurenotification/enexposureconfiguration

20. https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ExposureNotification-FrameworkDocumentationv1.2.pdf

21. Before notification struct ExposureKey { let keyData: Data let rollingStartNumber:

    ENIntervalNumber let transmissionRiskLevel: ENRiskLevel } After notification struct Exposure { let date: Date let duration: TimeInterval let totalRiskScore: ENRiskScore let transmissionRiskLevel: ENRiskLevel let attenuationValue: ENAttenuation } https://developer.apple.com/documentation/exposurenotification/building_an_app_to_notify_users_of_covid-19_exposure

22. Who? States Health focused NGOs Company deeply credentialed in health

    issue Medical or educational institutions https://developer.apple.com/news/?id=03142020a

23. iOS 13.7 / iOS 14 End of apps / directly

    in iOS system Answer to complexity of app strong adhesion to the system https://developer.apple.com/documentation/exposurenotification/supporting_exposure_notifications_express

24. Sovereignty

25. Can we build an app without this API?

26. iOS Background mode Apps can scan but cannot broadcast Workaround:

    Android apps act as iBeacons and wake up the iOS apps https://blog.human-friendly.com/ios-bluetooth-low-energy-in-the-background

27. Android Background mode BLE can only be called from a

    Foreground service Foreground services need a Notification to start PRIORITY_LOW or more https://developer.android.com/guide/components/services

28. France

29. Team INRIA Inserm / Santé Publique France / Anssi Capgemini

    / Dassault System / Lunabee Studio / Orange / Withings http://videos.senat.fr/video.1751258_5f67d6eebeeab.audition-de-m-xavier-bertrand-ancien-ministre-des-solidarites-et-de-la-sante

30. Stats 2,5M downloads 1M uninstall/ 300k re-install 5100 tested case

    declared 307 contact cases found 268 notifications sent http://videos.senat.fr/video.1751258_5f67d6eebeeab.audition-de-m-xavier-bertrand-ancien-ministre-des-solidarites-et-de-la-sante

31. The future Un autre élément, plus structurel, est le caractère

    « taiseux » de l'application. Elle ne dit pas grand-chose, et au fond, vous ne savez pas si elle fonctionne quand elle est dans votre poche. « … » nous envisageons de revenir dessus afin de permettre que l'utilisateur soit plus en contrôle de ce que fait son application. http://videos.senat.fr/video.1751258_5f67d6eebeeab.audition-de-m-xavier-bertrand-ancien-ministre-des-solidarites-et-de-la-sante

32. Cost Private companies worked for free during lockdown Since the

    launch (June, 2nd) hosting + dev ~100k€ / month https://minefe.infos.st/lecteur_video/keypub/e63f66b6867114c05e91/id/fba989a550fba140563ec02b91ff3e/type/pr/lang/fr

33. Germany

34. Stats 18,3M downloads 3613 hotline call ? notifications sent 68,8

    M€ / 15M€ for dev https://www.spiegel.de/international/germany/lots-of-work-but-little-utility-germans-disappointed-by-coronavirus-tracking-app-a-7c30191e- b225-4c37-917d-41dc2a6078a1 2,5M downloads 5100 tested case declared 268 notifications sent < 380k€ for dev

35. Singapore UK

36. Open source

37. DP-3T ROBERT StopCovid Exposure Notification

38. Debates

39. We, the developers Debate aboute privacy, open- source, costs, CNIL

    conclusions Global distrust « don’t use this app » Technically app is at least ok First time we discuss about apps in senate

40. Jean Castex position Wrong message for population Already traced in

    a non- anonymous way by French secret services (I hope) https://www.france.tv/france-2/vous-avez-la-parole/1952579-emission-du-jeudi-24-septembre-2020.html

41. Conclusion Do I use StopCovid? Yes Should you use StopCovid?

    Yes Is it the best technical solution? Yes and No

42. Tomorrow improvements? UWB Build over BLE Rely on U1 chips

    Precise relative position https://developer.apple.com/documentation/nearbyinteraction
43. None