All source code of the new coronavirus infection tracking application 'Immuni' created by the Italian government is being released on GitHub, with detailed explanation document

The API for the new coronavirus infectious disease (COVID-19) contact tracking system developed by Apple and Google was

officially implemented in iOS 13.5, and the development environment of applications using the contact tracking API of Apple and Google is steadily increasing Is in place. The Italian government has also developed an application ' Immuni ' that uses the APIs of Apple and Google, and has published the entire source code of this application on GitHub along with an explanation document.

GitHub-immuni-app/immuni-documentation: Repo for Immuni's documentation.

Immuni is a rich contact notification system implemented by the government in collaboration with the Ministry of Health and the Ministry of Technology and Digitalization to respond to emergencies caused by a new coronavirus infection. Immuni uses only domestic public infrastructure and is managed by Sogei, a public company founded by the Italian Industrial Revitalization Corporation . The source code was developed by Bending Spoons and the license is released under the GNU Affero General Public License version 3.

·table of contents
◆ Summary
◆ Vision and goals
◆ Six principles
◆ About the app
◆ Points to deal with

◆ Summary
Immuni is a technical solution centered on iOS and Android smartphone applications. By notifying users who may be infected with the virus as soon as possible, they can be self-isolated or medically protected to avoid spreading to others, even if they are asymptomatic. You can seek advice and try to prevent the spread of new coronavirus infections.

Immuni's design and development is based on six main principles of 'practicality', 'accessibility', 'accuracy', 'privacy', 'scalability', and 'transparency', and Bluetooth Low Energy (BLE) is the technical foundation. That. When two users are in close proximity for a period of time, they record a device-generated identifier, the 'Rolling proximity identifier (RPI),' within the device. The RPI is generated from the 'Temporary exposure key' multiple times per hour, and the Temporary exposure key is randomly generated every day. If the user tests positive for the new coronavirus, the user uploads the device's Temporary exposure key to the server through verification by a healthcare professional. Other users' apps regularly download the server's Temporary exposure key to derive the infected user's recent RPI. And, it is explained that it is a mechanism to check with the RPI stored in the device and notify the user when it corresponds to a rich contact person.

Apple and Google integrate ``new corona virus tracking system'' into iOS and Android-GIGAZINE

Immuni does not use any location information including GPS data. As a result, it is not possible to determine where the contact with the potentially infected user took place or the identity of the parties involved. In order to implement the contact tracking function, Immuni utilizes Apple's and Google's contact tracking framework and has high reliability. In addition to the Temporary exposure key, Immuni sends analytical data including epidemiological and operational information to the server to encourage effective support for users of national medical services. Immuni is being developed while paying close attention to user privacy, and many measures are taken to protect privacy. For example, we do not collect any personal information that reveals your identity, such as your name, age, address, email address or phone number.

◆ Vision and goals
It is intended to inform suspected infection users as soon as possible, even if they are asymptomatic, and encourage self-isolation. With this, people can quickly regain their daily lives and at the same time minimize the spread of viruses. Early notification can also seek medical advice and reduce the risk of serious health problems. Immuni was designed to address the crisis of the new coronavirus infection, but the vision behind it is to be prepared to deal with other infectious threats that may arise in the future. It is being done.

◆ Six principles
1. Practicality: It is important for Immuni to notify as early as possible to as many people as possible at risk of infectious diseases in order to achieve the vision and goals of the project. thing. This is explained as the most important principle.
2. Accessibility: To ensure fairness and widespread use, it must be accessible to all who want to use Immuni. This principle seems to influence decision making in all aspects, including user experience, design, localization and technology.
3. Accuracy: Immuni aims to inform only those users at high risk of virus infection. This is because an extra psychological burden is imposed by being notified that the infection may have occurred. Also, if the false positive rate is too high, users lose trust in the app and stop using it. Furthermore, it is explained that the higher the accuracy of the app, the more effectively the national medical service will be able to treat users and the higher risk people will be given priority.
4. Privacy: Your privacy must be protected. Obtaining and maintaining user trust is very important, and if not done, it will be less likely to be widely used.
5. Scalability: In order to achieve nationwide use of Immuni, the system needs to be technically expanded so that it can manage operational problems that could burden national health services. ..
6. Transparency: Everyone should have access to all of Immuni and the documents that explain the rationale behind the most important design decisions. Also, by making the app open source, users can be sure that the app works as documented, and the community can help improve the app.

◆ About the app
Available languages are Italian, German and English. If the language settings of the smartphone are not included in these languages, English will be used. Also, if the iOS or Google Play service does not support the contact tracking API, it will be notified along with the update method, and the notification will disappear when the update is completed.

When opening the application, firstly a screen explaining the usefulness of the application and the mechanism of operation is displayed. It is possible to know the benefits for individuals and communities, and how BLE exchanges identifiers. With BLE, high accuracy, low power consumption, and tracking without location information are possible.

You can also learn about the privacy protection mechanism through the explanation. It is said that items of personal information such as location information and contact information that the application does not collect or process will be listed. It also describes how to protect your privacy and what data we collect and share and what it is for.

Then move to the screen for selecting the area of residence. It is explained that the residential area is used to provide guidance according to the area, and it is also stated on the application.

Regarding the permission of the application, user's permission is required to use the contact tracking API. It also informs the user if Bluetooth is disabled and has a brief explanation on how to enable it. You also need push notification permissions.

On the home screen, a card will notify you if the app is working properly. If there is a problem in the operation of the application, such as the user revoking the permission for the application that was just set, it can be known from the notification that it is not operating normally.

Immuni will give you general advice on how to protect yourself from new coronavirus infections. If there is a suspicion of heavy contact, it will be notified and you can receive advice on what to do. It is explained that the content of the advice depends on the nature of the heavy contact and the area where the user resides, and will encourage national medical services to be contacted when necessary.

On the setting screen, you can check the privacy notice and terms of use. You can also check the version of the app that is useful for troubleshooting, and change your residence area from the settings screen.

If the new coronavirus test is positive, upload the data as directed by your healthcare professional. If you move to 'Upload data' on the setting screen, a random 10-digit character string will be displayed on the app. The user transmits the character string to the medical staff, and the medical staff inputs the character string from the web screen. At the request of the healthcare professional, the user confirms the data upload and why, and uploads the data.

To implement the contact tracking feature, Immuni utilizes Apple and Google's contact tracking framework. As a result, Immuni is able to overcome technical limitations and achieves high reliability. For details, please refer to

Apple's documentation or Google's documentation .

In addition to the Temporary exposure key, epidemiological and operational information is also sent to the server. These data are important not only for enhancing the effectiveness of rich contact notification and providing optimal medical support to users, but also for the national medical service to effectively manage the system. Health policies, resources, capabilities and extent of infectious disease vary from region to region. Therefore, it is considered that the optimization obtained from epidemiological information and operational information is most effective when carried out at the regional level. These data will be sent together with your location provided by you.

The epidemiological data that Immuni collects includes 'the date the contact occurred,' 'the duration of the contact,' 'information about the attenuation of the signal from the device used to estimate the distance between the two users who were contacted,' 'symptoms 'Estimated information about the infectivity of the infected person when the contact occurs, based on the date of occurrence'. It is stated that the app may send epidemiological information to the server only if you upload the Temporary exposure key. If the healthcare worker is positive for the new coronavirus test, it will be approved by the healthcare worker and the user will upload the epidemiological information available for the past 14 days by the application.

In order to protect the privacy of users, there are certain restrictions on the uploaded data. For example, the time of contact is measured in units of 5 minutes and the total of all recording times is limited to 30 minutes. Moreover, Immuni does not have a way to associate contacts with an infected person, such as repeated contacts from the same infected person. Also, in order to analyze the communication and reduce the risk of intercepting user's confidential information, it is said that it regularly executes dummy uploads.

Collecting these data will allow National Health Services to optimize the app's risk model. It is possible to improve the risk model of the application and improve its accuracy by knowing how the epidemiological information correlates with the user's positive reaction with the new coronavirus finally. .. It should be noted that while risk assessment is always done on the user's device, the latest models can be retrieved from the server.

◆ Points to deal with
In order to minimize the information obtained by analyzing the communication by the attacker, the dummy upload is being improved. We are also looking for the possibility to collect necessary operational information while maximizing the privacy of the user by collecting the information without requiring the user to authenticate and without using the user's identifier or device identifier. However, there are barriers that make it harder for attackers to prevent data corruption from fake uploads. Promising solutions to overcome such barriers have already been devised, and documentation and development are in progress.

In Japan, Code for Japan was developing an application that uses the contact notification API of Apple and Google, but it is reported that the Ministry of Health, Labor and Welfare will postpone adoption of the application and proceed with its own development. In response to the postponement of adoption by the Ministry of Health, Labor and Welfare, Code for Japan has released the source code of the tracking application that it was developing on GitHub.

Mamoriai Japan · GitHub

in Software, Posted by darkhorse_log