The novel coronavirus SARS-CoV-2 and its rapid spread have established a pandemic of global proportions over the course of the first months of 2020. High fatality rates detected in the first affected regions are expected to be even higher in countries with an older population, low-income, or lack of suitable healthcare facilities . In the absence of a viable vaccine, so far, the spreading of the disease due to the SARS-CoV-2 virus has been countered in many countries with countermeasures that attempt to suppress epidemic growth, thus avoiding to overwhelm the healthcare system with an unmanageable number of patients. The reduction of contagion is achieved through a set of increasingly severe measures that limit personal freedom and entail strong socio-economic drawbacks, going well beyond mass gathering prohibition and case isolation. Social distancing rules, including school and university closure, household quarantine, internal and cross-border mobility constraints, and selective closure of non-essential productive and commercial activities, have brought many countries to complete lockdown .
All these approaches require quick adoption and strict enforcement, in order to effectively curb virus spread in the short term. As observed in the 1918 pandemic, there is a strong correlation between excess mortality and earliness of containment measures. Containment interventions that are introduced too late or lifted too early were shown to have very limited effect .
In the long term, governments are required to trade off the adoption of dramatic full lockdown measures with more lax interventions. For instance, progressively adopting temporary small-scale contagion suppression actions that aim at keeping the virus’ reproduction number, , at a level that does not exceed the healthcare system’s capacity. Adaptive adoption of these kinds of containment policies at a regional level is expected to be effective even if enforced for shorter periods of time .
The triggering of circumscribed quarantine measures can be directed through the widespread adoption of technological tools that allow tracing contacts and interactions with known cases of contagion . Mobile apps running on personal smartphones are especially attractive as solutions because they enable immediate deployment on existing hardware and a quick response . Several approaches of this kind have been proposed over the course of the last weeks, giving raise to a growing debate around privacy implications and potential risks of mass surveillance and stigmatization [6, 7], that have prompted authorities to provide recommendations and guidelines , and big players to develop ad hoc cross-platform protocols .
In this paper, we suggest that these contact tracing tools should be designed to support end-user empowerment, as opposed to mass surveillance, granting citizens more data, awareness, and control, as envisioned by Nanni et al. . In Section 2, we outline the basic requirements and the founding principles on which they should be based. In Section 3, we present a location/contact tracing solution, composed of a mobile app and a distributed query system, designed to meet these critical requirements. The proposed system allows individuals to keep track of movements and contacts on their own private devices and to use local traces to select relevant notifications and alerts from health authorities, thus completely eschewing, by design, any risk of surveillance.
2 Requirements and Design Principles
Taking end-user empowerment as the founding principle, in this section we outline requirements and design principles that address both regulatory and technical issues. Compliance with national and international regulation is essential to protect natural persons and their fundamental rights and freedoms, while technical requirements are mainly meant to reconcile dependability needs with the features of general-purpose personal devices, characterized by software fragmentation, hardware diversity, variety of non-exclusive usage modes, lack of calibration, limited resources, and untrained users.
a. Collective intelligence.
Systems based on the voluntary participation of individuals, performing a collective effort in their pursuit of a common goal, leverage a form of collective intelligence, which is the only alternative to mass surveillance and enforcement. ICT solutions should support and encourage such collaborative behaviors.
b. Social responsibility.
Individual participation in a collective effort towards a common goal is an act of social responsibility. The technology adopted must make the social value of end-user’s behavior clearly perceptible.
c. Awareness and control.
Technology is not infallible and systems may not always behave as expected. Mobile apps should not induce end-users to simply rely on them. Rather, they should empower end-users by granting them control and awareness of the data gathering process and by allowing them to browse their data and possibly add spontaneous notes.
d. Privacy and anonymity by design.
Protection of sensitive data, such as locations or health-related information, cannot rely exclusively on trust or security promises. The system must be designed to keep user data private at all times, ideally storing them exclusively on the user’s device, and to make identification impossible a posteriori.
e. Technology agnosticism.
Contact tracing is a challenging task. In spite of the many approaches that have been proposed, no single technology has proven to offer the ultimate solution. For instance, location services have limited accuracy, especially indoor, while Bluetooth proximity does not reveal the exposure to indirect contagion (through infected surfaces). The solution of choice should exploit all available technologies and be open to any improvement or integration.
The effectiveness of containment measures based on the voluntary adoption of a mobile app strongly depends on the percentage of the population, making proper use of that app. Although this is always true, each solution has to be evaluated in different scenarios, including those well below the nominal critical mass of the target technology. Two types of performance indicators have to be used, to measure the support that app can provide both to end-users tested/diagnosed positive to COVID-19, willing to cooperate with health authorities, and to all other individuals possibly infected by them, who should take timely countermeasures.
Interoperability must be pursued as much as possible, in order to reduce the critical mass requirements of each single system and to fully exploit their potential. To this purpose, open standard protocols should be preferred to closed ad hoc ones, cooperation among institutions must be technically supported, and integration with synergistic healthcare systems must be enabled.
h. Openness of source code.
Open-source access to all system components is the key to speed up development, ensure continuous improvement, and guarantee coherence between specification and implementation. Transparency is essential both for end-users and for health authorities possibly adopting the solution.
i. Openness of statistical data.
Statistical data can provide valuable information to evaluate the effectiveness of epidemic containment, to monitor contagion, and to drive timely decisions. All statistical information that can be provided by end-users on a voluntary basis, without jeopardizing their privacy and anonymity, is worth being gathered and made available as an open dataset. Open data enables study and research without providing questionable competitive advantages to any player.
j. Avoidance of false alarms.
The ultimate goal of contact tracing systems is to reach susceptible or asymptomatic individuals who are considered to be the target of specific measures (e.g., quarantining or testing) according to the containment policies adopted. The solution adopted must minimize unneeded alarms that can overwhelm the healthcare system and spread panic.
k. Avoidance of surveillance and stigmatization.
The fear of being watched and stigmatized may hinder the acceptance of contact tracing technologies. Ideal solutions should prevent mass surveillance and stigmatization by design, by keeping end-user traces in their own devices and by making it impossible for end-users to identify the source of contagion.
The higher is the adoption rate, the more effective the solution is. Hence, scalability is a key requirement. Since the target devices, i.e., smartphones, have their own storage, computation, sensing, and communication resources, scalability can be inherently achieved by exploiting local resources as much as possible without triggering any network effect.
3 Digital Ariadne
Digital Ariadne or ‘diAry’ is a privacy-preserving open-source tool, developed by DIGIT srl and the University of Urbino, that allows users to trace their movements and contacts, while also allowing governments or healthcare agencies to rapidly direct their epidemic containment efforts, in a way that aligns with the principles outlined above.
The system is composed of: a mobile application, that is voluntarily installed by users on their smartphones, keeping track of their locations through the device’s GPS sensor and interactions with other users through Bluetooth radio beacons, a privacy-aware reward system, which incentivizes app usage while collecting anonymous usage information to feed an open data set, and a distributed query system that allows recognized public authorities to selectively and anonymously notify users about possible contagion sources. The mobile app works in background, with careful usage of battery and storage and without impairing the functioning of the personal devices. Nonetheless, it provides a rich user interface to make end-users fully responsible and aware of their own contribution to epidemic containment.
Source code of the mobile applications and the back-end service, both currently in active development, is available on GitHub111Source code: https://github.com/digit-srl/diAry-apps and https://github.com/digit-srl/diAry-backend..
3.1 Mobile app
The Digital Ariadne mobile application is developed using the Flutter framework for Apple iOS and Google Android. A combination of movement detection with the built-in accelerometers, activity recognition, data from GPS sensors, and Bluetooth Low Energy (BLE) transmission is used to adaptively track the user’s movements and interactions without negatively impacting battery and storage capacity of the device. Traces are collected autonomously by a background service launched by the application, but end-users can decide at any time to interact with the app to browse stored data, to force sampling, to mark known locations or the add notes.
Tracking status is displayed on the main app screen, as shown in Figure 1. Three concentric circles, representing the 24 hours of the current day, show the detected movements, the amount of time spent in known locations, and the notes added by the end-user.
This information is stored for a maximum duration of 30 days on the device. The app approximately requires 1 MB of data to store information about a day of full tracking (this requirement may slightly increase in case of frequent movement).
3.1.1 Location tracking
The app, once activated by the user, starts tracking the device’s location and records detected positions and movements. Location tracking is adaptive, based on the user’s activity and speed, in order to provide sufficient precision in the case of movement and low battery consumption otherwise.
The user may voluntarily mark known locations through the app interface, thus allowing to specify places such as home, workplace, school, or any other locations. Access to and departure from these locations are detected through geofencing and allow the user to have a quick overview of his or her movements throughout the day.
Also, the user may decide to add notes to a specific location and time of the day, in order to remember specific events or situations that may be relevant for contact tracing purposes. User movements, known locations, and notes are shown on an interactive map like in Figure 2.
3.1.2 Interaction tracking
The diAry app makes use of the Temporary Contact Numbers (TCN) contact tracing protocol in order to broadcast randomly-generated and anonymous identifiers, which are updated every few minutes . All installations of the app keep a fully-local log of every identifier that has been broadcast and every identifiers that was received from other devices making use of the same TCN protocol. This data, which expires together with location data after 30 days, never leaves the phone and is not linked to private user information.
3.2 Statistical open data set
The Digital Ariadne system makes use of a server-side component that is used to collect daily usage statistics in an anonymous fashion. Users are never required to identify themselves and no user-identifying information is transmitted at any point. Communication between mobile applications and the back-end makes use of secure connections using widely-adopted standards (HTTPS with optional certificate pinning).
An anonymous installation ID is generated upon the first launch of the mobile application. This ID is a randomly generated UUID and is used only to distinguish individual installations for statistical data collection and aggregation. Installation IDs are not linked to private user information or device characteristics.
Daily statistics include, for each installation:
The total number of minutes of active tracking by the mobile app,
The centroid of the tracked locations, approximated to a precision of ca. 0.02 latitude and longitude degrees, that is approximately 2–3 km, in order to avoid identification,
The lenght of the diagonal of the bounding box containing all tracked locations,
The count of known locations visited during the day,
The count of notes added by the user,
The count of GPS samples recorded and, possibly, discarded due to insufficient accuracy,
The amount of minutes tracked at home.
Collected information, made available as open data set, gives an indication of how the mobile app is used, allowing researchers and policy makers to gauge the effectiveness of measures adopted at regional or national level.
3.3 Distributed queries for call to actions
While personal data never leaves the user’s device and collected statistical data cannot be used to identify users, Digital Ariadne is designed to give designated territorial or national authorities access to the system through a dashboard allowing them to publish epidemic-related “call to actions”.
Call to actions can be seen as geographical and temporal distributed queries that operate with the following process: (a) an authority creates a new call to action based on a sequence of geolocated and timestamped points and/or a set of temporary contact numbers, (b) the call to action is stored by the back-end service until it expires, (c) the mobile app automatically downloads relevant call to actions, (d) the mobile app matches call to actions to private location and contact data, in order to verify whether the user has been exposed to possible sources of contagion, (e) if there is a match, the user is privately notified and can access information associated to the call to action. Matching users may also directly choose to interact with the public authority, optionally disclosing part of their traces.
Thus, a call to action is composed of a series of geographical regions (geo-polygons), associated time intervals, and a series of temporary contact numbers (TCNs). The match is performed by checking whether the user has been within the indicated region in a given time period, or if any TCN is found among local records. Sensitivity of the match can be fine-tuned by the health authority, by indicating a maximum distance from the region and a minimum time interval of match (i.e., exposure) in order to alert the user, with the intent of reducing panic and avoiding unnecessary alarms.
3.3.1 Creating call to actions in the case of contagion
When diAry users are positively diagnosed, they may grant to healthcare or government authorities partial access to their local traces, inlcuding geolocations, timestamps, and the list of temporary contact numbers generated by the diAry app.
This information can be used to generate anonymous calls to action made accessible to all the instances of the app in the interested area. Call to actions are processed locally to each installation and displayed to end-users if and only if their traces match filtering criteria. This mechanism enables anonymous tracking of past interactions of diagnosed individuals, alerting potentially infected diAry users and prompting them for self-isolation and further testing.
3.4 User incentives
To further raise awareness and promote adoption and usage of the application, diAry integrates with the ‘Worth One Minute’ platform. The platform has adopted diAry as an instrument for the common good and rewards users with anonymous vouchers (called WOMs) for their collaborative behaviour . These vouchers are intended to provide: (a) a simple gamified experience that allows users to earn points and thus obtain positive feedback of their voluntary contribution to epidemic containment; (b) a tangible currency-like reward that can be adopted as a voucher system at a local and national scale to promote microeconomic growth in a post-lockdown scenario; (c) a perception of the social value of individual actions and behaviours.
In this paper, we have argued citizen empowerment to be the foundation on which novel epidemic control technologies must be built as a viable alternative to mass surveillance. General design principles driving the development of such technologies have been outlined and applied to the design of Digital Ariadne, an open-source privacy-preserving instrument that combines location and contact tracing capabilities to collect local traces that can be cross-matched with authoritative alerts and calls to action without leaving the end-user’s device.
Just like Ariadne’s thread, the data stored on personal smartphones offers a trusted trace to find a way out of the maze of COVID-19.
We invite any kind of feedback on this whitepaper, including comments on the design principles and technical contributions to the open-source diAry project.
The authors wish to thank the more than 1000 beta testers that signed up for testing and the more than 250 users that have provided valuable feedback in the last three weeks.
-  Hongdou Li, Shuang Wang, Fan Zhong, Wuyin Bao, Yipeng Li, Lei Liu, Hongyan Wang, and Yungang He. Age-dependent risks of Incidence and Mortality of COVID-19 in Hubei Province and Other Parts of China. medRxiv, page 2020.02.25.20027672, March 2020. Publisher: Cold Spring Harbor Laboratory Press.
-  N. Ferguson, D. Laydon, G. Nedjati Gilani, N. Imai, K. Ainslie, M. Baguelin, S. Bhatia, A. Boonyasiri, Z. Cucunuba Perez, G. Cuomo-Dannenburg, A. Dighe, I. Dorigatti, H. Fu, K. Gaythorpe, W. Green, A. Hamlet, W. Hinsley, L. Okell, S. Van Elsland, H. Thompson, R. Verity, E. Volz, H. Wang, Y. Wang, P. Walker, C. Walters, P. Winskill, C. Whittaker, C. Donnelly, S. Riley, and A. Ghani. Report 9: Impact of non-pharmaceutical interventions (NPIs) to reduce COVID19 mortality and healthcare demand. Report, March 2020.
-  Martin C. J. Bootsma and Neil M. Ferguson. The effect of public health measures on the 1918 influenza pandemic in U.S. cities. Proceedings of the National Academy of Sciences, 104(18):7588, May 2007.
-  Luca Ferretti, Chris Wymant, Michelle Kendall, Lele Zhao, Anel Nurtay, Lucie Abeler-Dörner, Michael Parker, David Bonsall, and Christophe Fraser. Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing. Science, March 2020.
-  Joel Hellewell, Sam Abbott, Amy Gimma, Nikos I. Bosse, Christopher I. Jarvis, Timothy W. Russell, James D. Munday, Adam J. Kucharski, W. John Edmunds, Fiona Sun, Stefan Flasche, Billy J. Quilty, Nicholas Davies, Yang Liu, Samuel Clifford, Petra Klepac, Mark Jit, Charlie Diamond, Hamish Gibbs, Kevin van Zandvoort, Sebastian Funk, and Rosalind M. Eggo. Feasibility of controlling COVID-19 outbreaks by isolation of cases and contacts. The Lancet Global Health, 8(4):e488–e496, April 2020. Publisher: Elsevier.
-  Johannes Abeler, Sam Altmann, Luke Milsom, Séverine Toussaert, and Hannah Zillessen. Support for app-based contact tracing of COVID-19. Technical report, Department of Economics, University of Oxford, April 2020.
-  Hyunghoon Cho, Daphne Ippolito, and Yun William Yu. Contact Tracing Mobile Apps for COVID-19: Privacy Considerations and Related Trade-offs. arXiv:2003.11511 [cs], March 2020. arXiv: 2003.11511.
-  European Commission. Commission Recommendation on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data. Technical Report C(2020)2296, European Commission, Brussels, 2020.
-  Apple and Google partner on COVID-19 contact tracing technology, April 2020. Library Catalog: blog.google.
-  Mirco Nanni, Gennady Andrienko, Chiara Boldrini, Francesco Bonchi, Ciro Cattuto, Francesca Chiaromonte, Giovanni Comandé, Marco Conti, Mark Coté, Frank Dignum, Virginia Dignum, Josep Domingo-Ferrer, Fosca Giannotti, Riccardo Guidotti, Dirk Helbing, Janos Kertesz, Sune Lehmann, Bruno Lepri, Paul Lukowicz, Anna Monreale, Katharina Morik, Nuria Oliver, Andrea Passarella, Andrea Passerini, Dino Pedreschi, Alex Pentland, Francesca Pratesi, Salvatore Rinzivillo, Salvatore Ruggieri, Arno Siebes, Roberto Trasarti, Jeroen van den Hoven, and Alessandro Vespignani. Give more data, awareness and control to individual citizens, and they will help COVID-19 containment. arXiv:2004.05222 [cs], April 2020. arXiv: 2004.05222.
-  TCN Coalition. A Global Coalition for Privacy-First Digital Contact Tracing Protocols to Fight COVID-19, 2020.
-  Lorenz Cuno Klopfenstein, Saverio Delpriori, Alessandro Aldini, and Alessandro Bogliolo. "Worth one minute": An anonymous rewarding platform for crowd-sensing systems. Journal of Communications and Networks, 21(5):509–520, October 2019.