Reconciling Security and Utility in Next-Generation Epidemic Risk Mitigation Systems

Pierfrancesco Ingo, Nichole Boufford, Ming Cheng Jiang, Rowan Lindsay, Matthew Lentz, Gilles Barthe, Manuel Gomez-Rodriguez, Bernhard Schölkopf, Deepak Garg, Peter Druschel, Aastha Mehta

TL;DR

Silmarillion addresses the tension between rich epidemiological data collection and user privacy by introducing a beacon-based, privacy-preserving epidemic risk mitigation system. It combines location- and environment-tagged encounters with a mixnet for data uploads, differential privacy for risk dissemination, and IT-PIR with cuckoo-filter encoding to enable private risk queries. Key contributions include a full architecture with beacons, dongles, and smartphones; a privacy-preserving upload/authentication pipeline using OTP and oblivious transfer; DP-enabled risk dissemination; and a practical prototype with a low-end hardware stack and a university pilot. The work demonstrates that practical, privacy-preserving, data-rich epidemic analytics and timely risk notifications are achievable, enabling targeted interventions in crowded spaces while protecting individuals' trajectories and health status.
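The private risk query named above (IT-PIR over a cuckoo-filter-encoded database of at-risk ephemeral ids), as an added illustration that is not the paper's own code or protocol. It assumes a two-server XOR-based IT-PIR with non-colluding servers holding identical copies of the day's table, a single-slot partial-key cuckoo table of 4-byte fingerprints, and constructed ephemeral ids; the paper's actual PIR scheme and parameters may differ.

```python
import hashlib
import secrets
# Constructed parameters for this illustration, not the paper's values.
BUCKETS = 64      # cuckoo table size (power of two), one slot per bucket
FP_LEN = 4        # bytes of fingerprint stored per slot
EMPTY = b"\x00" * FP_LEN

def fingerprint(eph_id: bytes) -> bytes:
    # Short non-zero tag of the ephemeral id; only the tag is stored server-side.
    fp = hashlib.sha256(b"fp|" + eph_id).digest()[:FP_LEN]
    return fp if fp != EMPTY else b"\x00\x00\x00\x01"

def alt_bucket(bucket: int, fp: bytes) -> int:
    # Partial-key cuckoo hashing: the other bucket depends only on the fingerprint.
    return bucket ^ (int.from_bytes(hashlib.sha256(fp).digest()[:4], "big") % BUCKETS)
def candidate_buckets(eph_id: bytes) -> tuple[int, int]:
    h1 = int.from_bytes(hashlib.sha256(b"h1|" + eph_id).digest()[:4], "big") % BUCKETS
    return h1, alt_bucket(h1, fingerprint(eph_id))
def build_table(risky_ids: list[bytes]) -> list[bytes]:
    # Backend encodes the day's at-risk ephemeral ids as a fixed-size filter.
    table = [EMPTY] * BUCKETS
    for eid in risky_ids:
        fp, b = fingerprint(eid), candidate_buckets(eid)[0]
        for _ in range(32):               # bounded number of cuckoo relocations
            if table[b] == EMPTY:
                table[b] = fp
                break
            table[b], fp = fp, table[b]   # evict the occupant ...
            b = alt_bucket(b, fp)         # ... and move it to its other bucket
        else:
            raise RuntimeError("filter full; a deployment would resize it")
    return table

def pir_answer(table: list[bytes], query: list[int]) -> bytes:
    # Server side: XOR of the selected slots; a lone query is a uniform random vector.
    acc = bytes(FP_LEN)
    for bit, entry in zip(query, table):
        if bit:
            acc = bytes(a ^ b for a, b in zip(acc, entry))
    return acc
def pir_fetch(table_a: list[bytes], table_b: list[bytes], idx: int) -> bytes:
    # Client side of 2-server IT-PIR: random mask to A, mask with bit idx flipped to B.
    q_a = [secrets.randbits(1) for _ in range(BUCKETS)]
    q_b = q_a[:idx] + [q_a[idx] ^ 1] + q_a[idx + 1:]
    return bytes(x ^ y for x, y in zip(pir_answer(table_a, q_a), pir_answer(table_b, q_b)))

def is_at_risk(table_a: list[bytes], table_b: list[bytes], eph_id: bytes) -> bool:
    # Both candidate slots are fetched privately; the match is decided on the phone.
    return any(pir_fetch(table_a, table_b, b) == fingerprint(eph_id)
               for b in candidate_buckets(eph_id))
```

Neither server sees which slot was requested, and the phone reveals no ephemeral id; the price is the cuckoo filter's small false-positive rate, bounded by the fingerprint length.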

Abstract

Epidemics like the recent COVID-19 require proactive contact tracing and epidemiological analysis to predict and subsequently contain infection transmissions. These proactive measures require large-scale data collection, which simultaneously raises concerns regarding users' privacy. Digital contact tracing systems developed in response to COVID-19 either collected extensive data for effective analytics at the cost of users' privacy, or collected minimal data for the sake of user privacy but were ineffective in predicting and mitigating the epidemic risks. We present Silmarillion, a system designed in preparation for future epidemics that reconciles users' privacy with rich data collection for higher utility. In Silmarillion, user devices record Bluetooth encounters with beacons installed in strategic locations. The beacons further enrich the encounters with geo-location, location type, and environment conditions at the beacon installation site. This enriched information enables detailed scientific analysis of disease parameters as well as more accurate personalized exposure risk notification. At the same time, Silmarillion provides privacy to all participants and non-participants at the same level as that guaranteed in digital and manual contact tracing. We describe the design of Silmarillion and its communication protocols that ensure user privacy and data security. We also evaluate a prototype of Silmarillion built using low-end IoT boards, showing that the power consumption and user latencies are adequately low for a practical deployment. Finally, we briefly report on a small-scale deployment within a university building as a proof-of-concept.

Paper Structure

This paper contains 28 sections, 2 equations, 3 figures, 1 table.

Figures (3)

  • Figure 1: Silmarillion's architecture and workflow.
  • Figure 2: PIR DB in the backend on a given day.
  • Figure 3: Risk payload sizes vs. end-to-end risk dissemination latency and energy consumption. 128KB = 32768 ephemeral ids, or 576 BLE packets of 250B each.