AA NO-PHONE/NO-APP CONTACT TRACING HARDWARE TOKEN
T. Bensky, California Polytechnic State University, Department of Physics, San Luis Obispo,CA, 93407, [email protected]
ABSTRACT
We report the development of an open-source, hardware-based contact tracer, made fromreadily available parts, costing less than $20 USD. This work was motivated by the need fora technology-assisted contact tracer that avoids privacy issues found with those involving amobile phone. Contact tracing is done here without the use of a mobile phone or an appat all . Instead, contact tracing is implemented using Bluetooth Low Energy on an ESP32micro-controller. The ESP32 is used to both advertise and receive health information toothers in close proximity, forming a strictly peer-to-peer contact tracer. The contact tracercan be assembled by an individual and configured use within minutes.
I. INTRODUCTION
Contact tracing (CT) has long been known to help slow the spread of infectious diseases. In our modern era, mobile phones could be an ideal technology to streamline and automateCT, but this has not proven to be the case. The app landscape in this regard is greatlyfragmented, and has shown an ongoing litany of privacy and security issues. It is also be-coming clear that CT, either with or without available apps is not being maximally effectivein slowing the current pandemic. In this work, we discuss a different approach.Here we demonstrate a hardware device, capable of contact tracing, that does not use amobile phone or an app at all. Instead, it uses a low-cost ESP32 micro-controller, popularwith the “maker” community. In use, it is to be maintained and carried by an individual asthey go about their needs in public, presumably around other people. There is precedencefor such a “hardware tracing token.” The ESP32 (hereafter the “token”), used as a contact tracer here is programmed to ex-change (send and receive) health information with those in close proximity (i.e.“encounters”)who are also carrying the token. Bluetooth Low Energy (BLE) is used for this exchange.Setting health information is strictly between the user and the token via configuration soft-1 a r X i v : . [ c s . C Y ] A ug are, which is open-source, and may be easily scrutinized for privacy and security claims.The software is used locally on the user’s computer, free of any network, server or centralizeddatabase access. The same goes for receiving health information from encounters.All data in this CT system is wholly contained within the user/token ecosystem andis secured by hardware restriction, also known as hardware DRM. In this case, hardwarerestrictions are that WiFi on the token is disabled, the device stores encounters only as longas it is powered, has no outside access points (i.e. network, keyboard, etc.), only stores ananonymized identification to a given user, and deals with health issues that are only a listof user-selected symptoms, which are not tied to any formal health records.In the following sections, the construction and operation of the token is presented, followedby a discussion of “self-motivated” CT this system requires, then some conclusions. Alldetails and resources for this project can be found at https://github.com/tbensky/npct . II. CONSTRUCTION AND PREPARATION FOR USEA. Construction
Constructing this device has a “maker” theme and can be done within minutes by an in-dividual wishing to participate in CT. It consists of three parts, all readily available (some ofwhich the individual may already have). The first is the token (the ESP32 micro-controller),which has an average price of around $8 USD and can be purchased from a variety of sources. The second is a battery to power the token. This is most conveniently a “USB battery”typically used to provide extra mobile-phone power (i.e. a battery power-pack that can beused to charge a mobile phone). Lastly, one needs a cable to connect the battery to thetoken. The token has a micro-USB connector on it and batteries will typically have a USB-A“output” connector on them, thus a micro-USB to USB-A cable is needed. Many times,this cable is included in the battery purchase. Construction of the contact tracer consistsof simply connecting the battery to the token.The token comes as a bare circuitboard that should be enclosed for protection. Any non-metallic (handmade) case will do (plastic, cardboard, leather, canvas, cloth, etc.). Custom-fit 3D-printable designs are available. The fully assembled CT (minus a case) is shown inFig. 1. 2
IG. 1. Fully completed CT token described here. The battery form may differ and the ESP32(the circuitboard) should be enclosed in a protective and non-metallic case. See Ref. 11.
B. Flash token with contact tracer software
The token needs to have firmware “flashed” onto it, so it may function as a contact tracer.This only needs to be done once and works as follows.First, download the CT firmware, which is a file called npct.bin. This is a pre-compiledbinary that runs internally on the token. Flashing is the process of putting this file onto thetoken. To do so, download flashing software, available for both Windows and macOS, whichwill perform the one-time flashing. We recommend
DoayeeESP32DFU.app.zip for macOSor
DoayeeESP32DFU.exe for Windows. When run, the software will look like that shownin Fig. 2.Clicking the button indicated by the red arrow will allow one to navigate to the npct.bin file previously downloaded. Select this file, then click the large “flash” button. Then, watchthe large text box at the bottom for a message resembling "Connecting........ ...."
When this is seen, press and hold the “boot” button on the ESP32, which is shown inFig. 3.If successful, writing percentages will begin to appear at which time the boot button maybe released. If nothing seems to happen or an error arises, try different serial port selections(top left dropdown in the flashing software of Fig. 2).When this flash process completes, the npct.bin file can be deleted, as can the Win-dows/macOS flashing software. 3
IG. 2. Flashing software that “flashes” contact tracing software onto the token.FIG. 3. Press this button to enable flashing of the contact tracing software.
C. Preparation for individual use in contact tracing
At this point, the token is ready for everyday-use as a contact tracer. This means thetoken should go with the individual as they go out in public (placed in a pocket, bag, etc.)First however, the device must be configured with the current health/symptoms profile ofthe individual. This is done as follows.In the project repository, there is a folder called configapp , containing a file called4 IG. 4. The token’s health configuration app. config.html . Download this on the local computer and load it into a Chrome web-browser(version 83 or higher). Do this by using the
File → Open File... menu option. This willbring up a page in the browser that resembles that shown in Fig. 4. We note that thisChrome-app is only an implementation convenience. The Internet is not used at all. Thesuspect user may turn off the WiFi on their computer or disconnect any ethernet cable.This Chrome-app only communicates to the token via BLE.The first time this Chrome-app is loaded, the user will be granted a one-time, anonymouspublic contact tracing identification (hereafter public-ID). This will be used throughouttheir participation in this CT program. An example of such is shown here.
Your public contact tracing ID will be: 2ef94e20ba20beea
5o other account or personal information is required. It is saved locally in storage associatedwith the Chrome browser, but are only accessible by Chrome itself. A new public-ID is notgenerated in subsequent Chrome loads. Thus, the same Chrome browser should not beshared amongst others configuring the token.Next, the user ticks off self-prescribed symptoms, in this case related to COVID-19, thenclicks the “Update hardware” button. This will update the token with the user’s anonymouspublic-ID and health code, based on symptoms they are feeling. A health code is formed byenumerating symptoms as per this list.
1: "Feeling fine"2: "Sore throat"4: "Cough"8: "Runny nose or nasal congestion"16: "Shortness of breath or difficulty breathing"32: "Muscle pain"64: "Loss of smell or taste"128: "Diarrhea"256: "Fever"512: "Headache"1024: "Tested negative for Covid-19"2048: "Tested positive for Covid-19"4096: "Wearing a mask"8192: "Not wearing a mask"16384: "Symptoms are getting better"32768: "Symptoms are getting worse"
A sum of all ticked symptoms is found and converted into a 4-digit hex code. So, forexample a sore-throat and headache would sum to 514 or 0202 in hex. Thus, the completedatagram this user’s token will share via BLE would be .This completes the configuration step of the token, which as mentioned, culminates withthe user clicking the “Update hardware” button in the Chrome-app. These steps only needto be repeated as the user updates any symptoms. The need for the private verification codewill be discussed later.
III. OPERATIONAL OVERVIEW
The user will power up the token by connecting it to the battery, and take it with them asthey go out in public. Software on the token is instructed to set the BLE name of the token6sing the prefix + the public id + the health code. Referring to the above example,the BLE name of this token will be . When powered, softwarein the token will “advertise” this name using BLE, to all other tokens in proximity.For both the user (and those in proximity who are also carrying a similarly configuredtoken), software (on the token) is also programmed to “discover” BLE names, and onlylog those having the form above. Such a discovery is called an “encounter.”Encounters are held in the internal memory of a given user’s token provided power is applied.When the user returns home, they may retrieve all logged encounters using the sameChrome-app as described above, using the “Download device log” button. This will showthe public-ID and health codes of all encounters. In the interest of privacy, there is noautomatic (online) saving of the downloaded encounters, but a button is offered to allow theuser to save the encounters into a local file on their computer.With the operational theme of this CT token discussed, we now move on to how it mayhelp slow the current pandemic.
IV. DISCUSSION ON USE IN CONTACT TRACINGA. Conflicting COVID-19 issues
We see two conflicting issues perpetuating the current pandemic as they may apply toCT. Issue one is is that as a guide, 50% of people show symptoms of COVID-19 within 5days of becoming infected (the “50/5 time”). This means for contact tracing to work, someintervention would have to occur within this time period.Working with this parameter of COVID-19 however is self-defeating issue two: lengthytimes to both obtain a test and its result. In the author’s own experience (certainly a functionof locality), a test may be obtained only if one is showing symptoms, can take approximatelya week for an appointment to have the test administered, then approximately 10 days toobtain the testing result.
B. How this CT system may help
It is thought this CT system can help in the following way. Although the clinical pre-sentation of COVID-19 has a large variation, typical watch for symptoms appear to be7omewhat regular. Suppose someone decides to be vigilant about their symptoms and isdedicated to using this system. We see two benefits of its use.First, it allows them one to discretely “tell” others they encounter about their symptoms.One’s condition may start with a mild form of just one of the common symptoms (a slightcough for example). But, since the virus is still spreading as of August 2020, such a conditionis obviously not enough cause individuals en mass to change their excursion plans and remainat home. So, at least now others can know about their condition.Second, another COVID-19 guide is that an elevated risk of infection occurs when there isphysical, close, or proximate contact with one who is contagious. Suppose the downloadedlog reveals an encounter with someone in (at least) a similar health situation of showing some symptom. Obtaining this information would serve as a definitive point of reflectionfor the user considering the three elevated risk situations above.The user may now consider what they were doing when the encounter came in. Whichof the three encounter types likely occurred? Were they (and/or) any of the contacts werewearing a mask? The token’s log will also tell them the number of times each encounterhappened, which is a measure of the contact intensity. They may conclude that their own50/5 time may now be underway.Given these extraordinary times (and likely everyone’s desire to emerge from this pan-demic), the user might now consider changing their plans and lightly isolating for a coupleof days, while they see if more symptoms appear or worsen. They could consider wearinga mask, even at home, and distance within their home (if possible). They would also keepcareful track of any contacts, while having a call to their doctor or a testing station immi-nent. Normal activities may resume only when something definitive comes along clearingthem to do so.
C. Self-motivated contact tracing
This CT system admittedly relies heavily of the self-motivation and dedication from theuser. They must build, maintain, carry, and observe the resulting encounter log of the token.We acknowledge that such widespread dedication is unlikely to occur. However, the currentpandemic is showing few signs of passing and we wonder if this system might draw fromeach individual to help us all emerge from it. Experts have noted that our “behavior must8hange,” and perhaps diligence with such a token could be a part of this.We note wearable form factors of other CT tokens. The visibility of such may be acurious point for others to observe, namely they see someone who is actively participatingin contact tracing. This may pique their own interest, in a similar manner to the “I voted”stickers worn during elections in the United States. V. ONGOING WORK: ENCOUNTER SHARING
It is difficult to extend the functionality to this CT system given the insistence on privacyand security in its design (free of usual connectivity like WiFi, etc.). All functionality tothis point is all contained between the user and the token. However, if (admittedly “onemore” or “just another”) a central web-based database it brought into the plan, additionalbenefits can be gained. This work is currently underway, and is summarized here.
A. Anonymity, security and privacy
A key security and privacy design aspect of this system is the sole public-ID mentionedin Section II C. It is a sequence of characters, completely unlinked to the individual and itsuniqueness is all that is needed to participate in this peer-to-peer CT system. Internally,the public-ID is actually derived from the private verification code forming a public/privatekey, similar to that used in message encryption. . The private verification code can be usedverify that the public-ID indeed originated from the initial Chrome-app session.So, if we are satisfied with the core level of anonymity and the key-based security of thissystem, perhaps the sharing of encounters could also be a part of this CT system. This isdiscussed below. B. Encounter sharing
When a user downloads their encounter log from the token, they may choose to “share”their encounters with a central database. A given entry would resemble a line like encountered on 2020-August-01. This would allow for a growing log of encounters. There are two prominent uses ofsuch sharing. First, a user can post messages, which will be available to their encounters.Such messages could be about test results or degree of symptoms. Second, suppose someonebecomes symptomatic or even tests positive for COVID-19. Encounter sharing would providea mechanism for this person to inform recent encounters of such.Work is currently underway implementing these encounter sharing mechanisms. Theywill be integrated into the Chrome-app for ease of use. Optionality of this step will beemphasized and it will be clear how this sharing can be accomplished free of any log-ins,accounts, or divulging of any personal identifying information.
VI. CONCLUSIONS
We have demonstrated an inexpensive, anonymous, peer-to-peer hardware contact tracertoken that can be constructed by an individual from inexpensive parts. It does not usemobile a phone or app at all, and is only optional in its use of a central database. Weacknowledge the burden placed on an individual to use this system, but wonder if the desireto emerge from this pandemic might help in this regard. Using it would require a changein behavior involving diligent monitoring and sharing of both one’s health and that of thosethey encounter.Likely this contact tracing system might find its best use in (small) managed groupsof people who share a common space, where a group leader could motivate its use. Thisincludes places of work, offices and schools. This system may help such entities to opensafely and remain open. In the case of schools, this system may serve as an ongoing andactive student project on contact tracing.The author welcomes any discussions about this system. Please contact at [email protected] . REFERENCES Contact tracing is an method of physically isolating infected people (known as “cases”)and quarantining those they’ve been in contact with (known as “contacts”). It is a proven10ntervention method to slow the spread of contagious diseases. See . There are dozens of apps available, some written by individuals, companies, and evengovernment entities. There are almost daily accounts of flaws in contact tracing apps.A few samples include: https://eclecticlight.co/2020/07/25/smartphone-contact-tracing-has-failed-everywhere , , and . Traditional contact tracing is also in need of help, asdiscussed in , and . See . See , https://simmel.betrusted.io , and P. Tedeschi, S. Bakiras and R. Di Pietro, “IoTrace: A Flexible, Efficient, andPrivacy-Preserving IoT-enabled Architecture for Contact Tracing,” arXiv:2007.11928v1[cs.NI] ( https://arxiv.org/abs/2007.11928 ). See . Look for the “ESP-32S ESP32 NodeMCU Development Board” or “ESP32 DEV KIT V1.”See: amazon.com , mouser.com , digikey.com , or ebay.com . The board should cost around$8 USD. Look on https://amazon.com for any “USB battery.” Choose any form factor you wish,but focus on the battery capacity. A 5000mAh battery for example, will power the devicefor about two-days. The battery should cost around $10 USD. Only a short cable is needed (1 foot). Three-packs of such can be found on amazon.com for under $10 USD and may come with the battery itself. For 3D printed cases for the ESP32, see or . For the contact tracing firmware to flash onto the ESP32, see https://github.com/ bensky/npct/blob/master/npct/build/npct.bin . For free flashing software, see https://github.com/doayee/esptool-esp32-gui/releases . Such versions of the Chrome browser must be used, since these support Web-Bluetooth. For the Chrome-app that configures the token, see config.html in this folder https://github.com/tbensky/npct/tree/master/configapp . For a discussion on “decentralized identity management” on p. 19 of A. Narayanan,
Bitcoinand Cryptocurrency Technologies , Princeton University Press (2016). For a list of CDC-recognized symptoms, see . “COVID-19 Contact Tracing” course at . “Measuring and Maximizing Impact of COVID-19 Con-tact Tracing” course at . COVID-19 symptoms to “watch for” include . K. Roomp and N. Oliver, “ACDC-Tracing: Towards Anonymous Citizen-Driven ContactTracing,” arXiv:2004.07463v1 [cs.CY] ( https://arxiv.org/abs/2004.07463v1 ). For an appeal to change our behavior, see . For election day stickers commonly seen in the United States, see . A central database will be hosted at