Due to the COVID-19 pandemic, focus on contact tracing has been in the forefront of a lot of discussions about not only healthcare but also privacy. Our goal was to use the principles of blockchain and asymmetric encryption to build a user-first contact tracing solution that guarantees the privacy of all those involved.
What it does
loc-chain consists of a mobile app that employs Google's passive, Nearby Connections API to determine when an "encounter" between two people has occurred.
In this case, their clients generate a combined secret that represents the interaction, and that secret (along with any relevant location/time information) is pushed onto the blockchain.
Then, when it becomes necessary to determine whether a user has been exposed, the mobile app uses a list of infected client IDs to "test" each of the encounter transactions in the blockchain. If it is able to "unlock" any of the secrets using its own client ID, that means the user was exposed.
The "blockchain" nature of the project significantly lowers the bar for entry for collaboration between regional health systems. For example, the University of Kansas server for loc-chain can federate its blockchain with the Douglas County one, which increases likelihood that a particular user will have accurate data. This, in turn, has the ability to improve health outcomes as a result of early-warning diagnoses.
How we built it
loc-chain heavily leverages Firebase's real-time aspects. The front-end, written in Flutter, makes use of the Nearby Connections API to passively exchange information between clients.
This information is encrypted and signed by the clients, before being sent to the back-end via Firebase's real-time database. The back-end, written in Node.js, listens for these real-time events and pushes them onto the blockchain as different types of transactions.
The back-end also supports "peering" with other servers to reach a consensus allowing them to build a single, collaborative blockchain of private health events.
Challenges we ran into
- Limited libraries for passive nearby connections message passing to record interactions
- Ensuring proper synchronization in Firebase real-time database using unidirectional data flow
- Custom blockchain algorithm and client verification to ensure data integrity while preventing identifiable tokens from being stored
- Forking and merging of blockchains in the consensus algorithm
Accomplishments that we're proud of
Because the client-side is responsible for hashing and signing the location info, and that location info is a collaborative effort between two clients, even if an external party were to obtain the entire blockchain, it is impossible for them to trace a single individual through the chain.
However, because of the federation possibilities and the fact that, as a result of aforementioned anonymity, we are able to store the location and time data in a clear format, which allows aggregate analysis on contact events.
With regard to the front-end, the ecosystem of passive "nearby interactions" APIs is in a very early state, which meant that there were a lot of kinks and optimizations we had to resolve manually in order to get it to work reliably.
Thanks to high-level libraries for interacting with Firebase real-time database, we were able to streamline the back-end to be able to handle many concurrent transactions coming in at the same time.
What we learned
We had never written a blockchain before! On the front-end, we had to explore various different options for client-local, but reliable nearby interactions.
We also devised our own algorithm for asymmetric, collaborative tokens that can be verified by clients, but are anonymous at-large.
Likewise, we had to learn a lot about how a blockchain actually works under the hood from structure (transactions/blocks/proof-of-work), to different proof-of-work algorithms, to consensus algorithms and peering.
What's next for loc-chain
While most of the infrastructure is in place, we would like to continue to streamline and improve the peering features, aggregate data analysis possibilities, as well as the individual clients' UI and UX.