How a contact tracing app could work while keeping everyone's data anonymous, only infected people would need to share their data if they choose to:
- A peer-to-peer network.
- Each client holds N connections to some other clients.
- When a client changes the location by a significant distance, it sends its coordinates + time + ID to ONE of their current connected clients.
- The IDs used just once and generated from a seed. Each client knows its seed but keeps it secret.
- After the location is sent, the client kills the connection to the receiver client. And connects to a new one.
- When a client receives a location data, it sends it to one of its current connected clients.
- Each message gets retransmitted some N number of times.
- Some clients act as "servers" by recording all data they see and make it public somehow so that regular apps are lightweight.
- When a person finds out that they are infected, they may choose to make their seed public. Optionally they may publish only some of their IDs keeping some of IDs private. Also, they may attach descriptions to locations telling where exactly they were for example.
- The method of publishing can be part of the p2p protocol, it's not important how it's implemented.
So my app knows all of my locations and all locations of infected people (who have chosen to share) and can tell me if I had a contact and might need testing.
It won't work as is. If I want to spy, I would just launch millions of clients so that 99% of network is me, and would trace all real people by IPs. It needs to be costly to run a client in order for it to work (proof-of-work or something).
Maybe there're other problems as well.