Page 112 - ITU Journal, Future and evolving technologies - Volume 1 (2020), Issue 1, Inaugural issue

ITU Journal on Future and Evolving Technologies, Volume 1 (2020), Issue 1




based contact tracing can be automatically switched off for better energy savings. Similarly, if the density of WiFi APs is low, then Bluetooth and acoustic-based solutions could be activated. They can help each other in a crowded and occluded (e.g., by walls and other types of obstacles) environment for accurate and reliable contact tracing. Note that Bluetooth gives relative location information whereas WiFi gives absolute location information. There might be a mismatch between the locations identified by the WiFi data modality and those identified by Bluetooth data. In order to resolve this issue, we can model the location of the user using probabilistic techniques, and then use filtering techniques in order to derive a more accurate location. Readers interested in more details about these techniques can refer to Kalman filtering and related topics in [17, 13].

Integrated Contact Tracing with Cellular Network. The location of a smartphone can also be identified from its communication with nearby cell towers. Since a phone has to connect with cell towers in order to send and receive data through the cellular network, it constantly searches for nearby cell towers and initiates connections during movements. In each established connection, a cell tower not only knows which phone is trying to connect at which time (each phone has a unique identifier), but can also calculate the distance from itself to such a phone (e.g., using the time elapsed between a ping command and the corresponding reply). As such, having access to the locations of cell towers, as well as the distance of a phone from each of the involved towers, we can use a “triangulation” technique to pinpoint the location of a phone. However, in practice, such techniques often can only locate a smartphone in an area instead of an exact position. Moreover, using this technique for location tracking could raise privacy concerns, in that it requires access to the identifier of each phone, which may disclose user identity as well. Therefore, the cellular network can be used for contact tracing only with the corresponding permissions, and the user identity must also be protected.

How to collect the encounter records. Even though there are distributed models for contact tracing which allow each user to individually control whether or not to disclose its own encounter records, we advocate a centralized model in which each individual user’s contact is collected by a central agency, and then stored at a central backend. This is bound to raise privacy concerns, and hence we need to introduce privacy-preserving mechanisms. To this end, we will generate pseudonyms for each user periodically, and the linkage between a pseudonym and the real user is only resolved at the trust authority. The authority is only allowed to link pseudonyms to real users when the pseudonyms belong to (  ) infected individuals that are confirmed by healthcare authorities or (    ) individuals who have close contact with infected ones. As such, the privacy of individuals who have no risk of infection will be preserved. A similar approach has been proposed and adopted in ROBERT [3].

Moreover, privacy concerns might arise from using the cell tower information for locating users because the identifier of a user’s phone needs to be accessed. In order to mitigate these, we can also link such identifiers with pseudonyms. Similar approaches can also be applied in WiFi positioning. Therefore, the entry of data for upload involves self pseudonym, encounter pseudonym, timestamp, Bluetooth proximity, and ultrasound proximity.

After processing each upload data entry, the output of this improved data collection procedure is data entries that involve pseudonyms of two encounters, the timestamp, the adjusted proximity, and the infection risk. In particular, the adjusted proximity is the weighted average from combining proximity measured from different sources (i.e., Bluetooth, ultrasound, WiFi, and cell tower), and the infection risk can be obtained by using environment-detecting heuristics. For example, when there is no proximity measurement from ultrasound and the WiFi proximity indicates encounters are in different rooms, the infection risk can be adjusted to a low level.

Besides the above privacy-preserving data collection methods, we can also apply tools from the field of differential privacy [8]. These utilize different kinds of data processing and noise injection methods, thereby making it difficult for any party to determine whether or not a particular individual is in the original data records and providing privacy protection to the users. Such a guarantee on the privacy would encourage more users to join the system.

3. DATA INTEGRATION AND SUSCEPTIBILITY GRAPH

Here, the goal will be to create a “susceptibility graph” that describes compactly the different ways in which disease is likely to spread. We begin by introducing this graph, and then also describe how to construct this graph by integrating the data from multiple sources. The graph would be time-variant.

3.1 Graph Structure

A basic version of the graph would contain the following components, and the designer is free to make reasonable modifications on it.

• Nodes. Each node represents an individual that could be potentially infected. Individuals that are isolated will be removed from the graph. Also, we can remove individuals who have recovered from the virus from the graph. However, since recovered individuals lose their antibodies for most viruses (including COVID-19), re-infections are possible after a period of time, so they would have to be re-introduced into the graph after some time. We use    to denote the set of nodes (individuals).
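
The encounter collection procedure from "How to collect the encounter records" (periodic pseudonyms, upload entries reduced to adjusted proximity and infection risk, linkage resolved only at the trust authority), sketched as an added example that is not code from the paper. The HMAC-based pseudonym derivation, the 15-minute epoch, the source weights, the field names and the "elevated" risk label are all assumptions made for illustration.

```python
import hashlib
import hmac

EPOCH_SECONDS = 900  # assumed rotation period; the paper only says "periodically"
WEIGHTS = {"bluetooth": 0.4, "ultrasound": 0.3, "wifi": 0.2, "cell": 0.1}  # assumed


def process_entry(raw):
    """Uploaded entry -> output entry with adjusted proximity and infection risk."""
    measured = {s: raw[s] for s in WEIGHTS if raw.get(s) is not None}
    if not measured:
        raise ValueError("entry carries no proximity measurement")
    total = sum(WEIGHTS[s] for s in measured)
    adjusted = sum(WEIGHTS[s] * d for s, d in measured.items()) / total
    # Heuristic from the text: no ultrasound reading and WiFi placing the two
    # parties in different rooms lowers the infection risk.
    low = raw.get("ultrasound") is None and raw.get("wifi_same_room") is False
    return {"self": raw["self"], "encounter": raw["encounter"],
            "timestamp": raw["timestamp"], "adjusted_m": round(adjusted, 2),
            "risk": "low" if low else "elevated"}


class TrustAuthority:
    """Hypothetical authority: the only party holding pseudonym-to-user linkage."""

    def __init__(self, key):
        self._key = key
        self._link = {}                # pseudonym -> real user, never exported
        self._infected_users = set()   # confirmed by healthcare authorities

    def pseudonym(self, user, timestamp):
        msg = f"{user}|{timestamp // EPOCH_SECONDS}".encode()
        p = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        self._link[p] = user
        return p

    def confirm_infected(self, user):
        self._infected_users.add(user)

    def resolve(self, pseudonym, entries):
        """Return the real user only for infected users or their close contacts."""
        infected = {p for p, u in self._link.items() if u in self._infected_users}
        allowed = set(infected)
        for e in entries:
            pair = {e["self"], e["encounter"]}
            if e["risk"] != "low" and pair & infected:
                allowed |= pair
        if pseudonym in allowed:
            return self._link[pseudonym]
        raise PermissionError("no infection risk: linkage stays unresolved")
```

The backend stores only the output of `process_entry`, so a request to `resolve` a pseudonym with no non-low-risk encounter with a confirmed case is refused even though the authority holds the mapping.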





© International Telecommunication Union, 2020