Developers working on Baseline, an enterprise smart contract and tokenization platform developed by Microsoft, Ernst & Young, and ConsenSys, are working to solve several flaws identified with Apple and Google’s proposal for coronavirus tracking initiatives.

Google and Apple propose a contact tracing solution that would add cross-platform APIs that allow health authorities to monitor users. Both brands have discussed rolling out related software updates next month.

The plan suggests using a phone’s Bluetooth Low Energy to detect other devices within 30 feet of each other. This would allow infected individuals to be identified through proximity detection. For people who come in contact with a confirmed viral carrier, direct notification could help prompt access to testing facilities.

A second phase of this initiative is proposed for later in the year as well. In this update, tech firms would build their own contact tracing platforms into the operating system of devices — removing the need for health authorities to conduct monitoring.

Security flaws identified in Apple/Google proposal

John Wolpert, Group executive at ConsenSys, identifies two significant opportunities for a malicious actor to exploit Google and Apple’s proposal: 

“You could put someone’s Bluetooth key into your list nefariously and cause mayhem; you could find a way to set your state to ‘infectious’ and cause mayhem… or set yourself to ‘safe’ when you aren’t.”

To solve these issues, Wolpert suggests a system in which the “Bluetooth key and other attributes [are] traded via Bluetooth with devices nearby, but then baselined so that we have a proof that all parties indeed confirmed they were near each other… no more repudiation risk.”

Similarly, he suggests verifying test results against blockchain-based cryptographic proofs, with individuals caught attempting broadcast status information contrary to the baseline proof receiving punishment.

Baseline to decentralize contact tracing

Wolpert also emphasizes fundamental centralization issues with the plan, despite assurances of anonymous identification, stating: “the scheme still means the ‘anonymous’ ids get pooled with entity… govt or other.” 

He asserts that Baseline can be used to deliver a contact monitoring system with greater privacy and security than the plan articulated by Google and Facebook. Walport proposes:

“If you test positive, your hash […] gets associated with a new value: “infectious”, Anyone with one of your hashes in their list will be listening for that hash popping on the Mainnet […], so when you test positive and the positive result is dropped [—] anyone who has you in their list gets an alert that they were exposed and to ‘hit this button to report the contact to the CDC.” 

Wolpert argues that the system prevents the collection of “a group of ‘anonymous’ IDs […] that would permit, say, a government with some friends that are really good at AI to generate ‘interesting’ classifiers on populations.” 

Instead, “the positive test result is ‘dead dropped’ on the Mainnet for the exposed parties to pick up as unobservable listeners and then opt-in,” he asserts.