...
Sharing location data is always a choice on the part of a diagnosed user, with clear explanations provided about the purposes for which the data will be used.
Location data can only be shared with authenticated Health Authorities that have been approved by Path Check.
Location data is encrypted in transit, and at rest in the Health Authority’s database.
Prior to storage in the Health Authority databases, a Contact Tracer will review all provided data with the diagnosed user, and redact any information that either of them believes could reveal the user's identity.
The patient can also request that any other data point recorded is removed, for any reason they may have.
Data is only committed to the Health Authority database once the diagnosed user has given final consent regarding the set of data points stored.
Location data is stored as a set of places & times, with no data relating it back to any individual user, or correlating it to other location data points from the same user.
For other Safe Paths users to be able to receive exposure notifications without sharing their own location data, the diagnosed users' data needs to be made accessible to them. We do so in a manner that allows the Safe Paths app to detect matches on specific locations and times, while making it difficult (though not impossible) for anyone to actually view the set of locations and times that represent these “points of concern”. For details on how we do this, see below.
...
Keeping uninfected users' data on their phones
Redaction and anonymization of data before storing or publishing.
...
The approach that we take is approximately that outlined in section 5 of this paper as an “Intermediary Implementation” (https://arxiv.org/pdf/2003.14412v2.pdf), though with some variations in the detail.
...
This results in a match area of around 1660 sqm at the equator and 1200 sqm at 45 degrees north, so approximately the same area as a 20m radius circle, but with a slightly less predictable shape.
...
Since the space of locations and timestamps for a given Health Authority is relatively small, it has low entropy, and the overall level of protection we can provide against brute force attacks is limited.
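The following is an added illustration of the matching scheme described above (grid-quantized location and time, salted and hashed before publication, client-side intersection against its own unshared trail) together with two numbers the text quotes qualitatively: how the match area shrinks with latitude, and how few bits of entropy the (cell, time bucket) space actually has. It is not Safe Paths project code. The grid size (CELL_DEG), time bucket, scrypt parameters, salt and all sample coordinates are assumptions constructed for the example; the page's own grid is not shown here, so the 1660 / 1200 sqm figures above belong to that grid, not to this one.

```python
"""Added example, not Safe Paths project code.

Publishes hashed "points of concern" and lets a client check its own
trail against them. Grid size, time bucket, scrypt cost, salt and all
coordinates below are hypothetical values chosen for the example.
"""
import hashlib
import math

# Hypothetical quantization parameters (assumption, not from the page):
CELL_DEG = 0.0004        # lat/lon grid cell size in degrees (~44 m at the equator)
TIME_BUCKET_S = 300      # 5-minute time buckets
M_PER_DEG_LAT = 111_320  # metres per degree of latitude (approximate)


def quantize(lat, lon, ts):
    """Map a raw (lat, lon, unix seconds) sample to (lat_cell, lon_cell, bucket)."""
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG), ts // TIME_BUCKET_S)


def hash_point(cell, salt):
    """Salted, memory-hard hash of one quantized point; this is what gets published."""
    msg = "{}:{}:{}".format(*cell).encode()
    return hashlib.scrypt(msg, salt=salt, n=2**14, r=8, p=1, dklen=32).hex()


def publish_points_of_concern(samples, salt):
    """Health Authority side: redacted raw samples -> unordered set of hashes."""
    return {hash_point(quantize(*s), salt) for s in samples}


def find_matches(trail, published, salt):
    """Client side: hash its own trail with the published salt and intersect.
    The trail never leaves the phone; only the hashes are compared locally."""
    return [quantize(*s) for s in trail if hash_point(quantize(*s), salt) in published]


def cell_area_m2(lat_deg):
    """Area of one grid cell; the longitude side shrinks with cos(latitude)."""
    side_lat = CELL_DEG * M_PER_DEG_LAT
    side_lon = side_lat * math.cos(math.radians(lat_deg))
    return side_lat * side_lon


def keyspace_bits(region_km, days, lat_deg=45.0):
    """log2 of the number of (cell, bucket) pairs an attacker would have to hash
    to reverse a published set covering a square region over `days` days.
    This is the 'low entropy' caveat: a slow hash raises the cost per guess,
    but the space itself is only a few tens of bits."""
    cells = (region_km * 1000) ** 2 / cell_area_m2(lat_deg)
    buckets = days * 86400 / TIME_BUCKET_S
    return math.log2(cells * buckets)


# Constructed sample data (not real trails).
SALT = b"per-release-salt"  # would be published alongside the hashes
HA_SAMPLES = [                        # diagnosed user's redacted points
    (37.77493, -122.41942, 1_600_000_210),
    (37.77510, -122.41960, 1_600_000_500),
]
USER_TRAIL = [                        # another user's private trail
    (37.77495, -122.41944, 1_600_000_290),  # same cell and bucket as HA point 1
    (37.80000, -122.40000, 1_600_000_290),  # elsewhere in the city
]


def demo():
    """Run the whole exchange and return the client's matched cells."""
    published = publish_points_of_concern(HA_SAMPLES, SALT)
    return find_matches(USER_TRAIL, published, SALT)


if __name__ == "__main__":
    print("matches:", demo())
    print("cell area at equator / 45N (sqm): %.0f / %.0f" % (cell_area_m2(0), cell_area_m2(45)))
    print("keyspace for 50 km x 50 km, 14 days: %.1f bits" % keyspace_bits(50, 14))
```

Two things worth noting when reading the output. The only protection the hash gives is the per-guess cost of scrypt: with roughly 2^33 candidate (cell, bucket) pairs for a mid-sized region over two weeks, anyone holding the published set can enumerate them offline, which is exactly the limitation the paragraph above states. And because the cell is a fixed grid rather than a circle, two people 10 m apart can land in different cells and not match, which is the "less predictable shape" trade-off.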
...
The main purpose of this article is to present our approach to data privacy. However, some of the points raised here may raise broader concerns around the efficacy of location-based exposure notifications.
...
Why not just use Bluetooth for Exposure Notifications?
It is true that Bluetooth-based Exposure Notifications promise greater accuracy than location-based exposure notifications, and avoid some of the privacy concerns that we have described on this page.
...
Using FHE, we have a design in which every single comparison of a data point in the user's data set against a given point of concern would require consultation with a key server, in order to determine whether there was in fact a match.
...