Ever since its introduction earlier this year, BlueTrace has intrigued me. As it gains national awareness for the purpose of contact tracing, I thought I should find out more and write on it.

BlueTrace supports Singapore in conducting nationwide contact tracing amidst the COVID-19 pandemic, through the TraceTogether mobile application. More information on BlueTrace can be found at bluetrace.io.

Overview

Developed by Singapore’s Government Technology Agency (GovTech), BlueTrace enables Singapore’s Ministry of Health (MOH) to conduct nationwide contact-tracing in a efficient and privacy-preserving manner. This is done through 4 key principles:

  • Collecting only necessary personal identifiers
    BlueTrace only requires a mobile number from participants so that the health authority may contact him/her if he/she was exposed to a close contact with a COVID-19 positive person
  • Storing encounter information locally
    TraceTogether, which uses BlueTrace, stores each person’s encounter history with other devices locally. Only when necessary for contact tracing, the health authority will request the user to upload his/her encounter history securely.
  • Frequent Rotation of Identifiers
    The identifier values used to identify users are randomly changed every 15 minutes, preventing malicious adversaries from tracking users based on their identifiers.
  • Revocable Consent
    Most importantly, users can choose not to use this application any time, and if consent is revoked all data is destroyed. But with effect from 2021, residents must use TraceTogether if they want to go anywhere outside their homes. (More on this later.)

How it works

Imagine going to a mask party, where you shake hands with everyone at the party, and keep a list of people with whom you shook hands with and time the handshake took place. You keep this list for 25 days in your pocket, where nobody, except the people who shook hands with you, know that you met them, unless you told someone else. On top of that, you change masks every 15 minutes so that no one can track you.

BlueTrace similarly uses low-energy blutooth (BLE) for this exchanging of handshakes. Each enabled device, when in close proximity to another enabled device, exchanges messages based on Temporary IDs (TempID) which are regenerated every 15 minutes. Each TempID contains a random user ID, a created start time and an expiry time. TempIDs are requested from the health authority’s back-end service in batches.

TempIDs sent to device


By using TempIDs, the identity of users is not known to other users, except for the health authority that issues them. This creates privacy while ensuring that if need be, the authorities can identify who to contact for contact tracing.

Each device then exchanges messages between each other in UTF-8 encoded JSON. Messages are saved locally on-device for 25 days as part of the encounter history. Simply put, each message contains the:

  • TempID of the device (e.g. J0SFUS8ONXB=)
  • Device model (e.g. iPhone 11)
  • Organisation code of the health authority (e.g. SG_MOH)
  • Version of BlueTrace (e.g. V2)

Contact Tracing

Traditional contact tracing requires people to remember their close social interactions. With BlueTrace, contact tracers can easily access this data without risk of failing memories.

When there is a confirmed infection case, the health authority will request that the patient upload his/her encounter history to the server. There, TempIDs are matched to the UserID and Phone Number provided during registration.

Upload to Server


The health authority then decrypts the TempID for each encounter in the uploaded encounter history in order to obtain the UserID and validity period. It then verifies that the encounter timestamp for each TempID is valid and filters for close contacts based on epidemiological parameters such as distance between contacts and time in contact.

Impact and Adoption

BlueTrace raised concerns from the general public on the effectiveness of its ability to ensure privacy, as well as its impact on battery life. The BlueTrace protocol does its best to ensure privacy and security through the 4 principles listed above, and has low impact on battery life as it uses BLE.

The Singapore Government has repeatedly made known the need for a 75% adoption rate of TraceTogether for effective contact tracing, and has put into place policy measures to increase this adoption rate. This includes mandatory use of TraceTogether, with SafeEntry (Another COVID-19 related technology) at all public locations by end December 2020. To cater for residents without smartphones, the Government has also started distribution of the TraceTogether physical token. Visit token.gowhere.gov.sg for information on collecting your token.

Conclusion

BlueTrace and TraceTogether are examples of how technology can be used to improve lives of everyday people, and make government processes such as contact tracing easier and more efficient.

In future articles, I may explore a wide range of topics that may have caught my interest and is relevant to today’s evolving world.

All images taken from https://bluetrace.io. Read the White Paper to find out more.