Immuni is the Italian Government’s exposure notification solution, realized by the Special Commissioner for the COVID-19 emergency (Presidency of the Council of Ministers), in collaboration with the Ministry of Health and the Ministry for Technological Innovation and Digitalization. It only uses public infrastructures located within the national borders. It is exclusively managed by the public company Sogei S.p.A. The source code has been developed for the Presidency of the Council of Ministers by Bending Spoons S.p.A., and it is released under a GNU Affero General Public License version 3.
The whole world is united by a determination to stop the spread of COVID-19, the disease caused by SARS-CoV-2. The pandemic is threatening people’s health and severely damaging economies on a global scale.
Many experts agree that, in the future, new pandemics are a distinct possibility. Some may become even more dangerous to humanity than the one we are currently battling.
In this challenging context, the contribution of technological innovation can be decisive. Immuni is one of a number of tools deployed and initiatives taken by the Italian government to help slow down the spread of the disease and accelerate the return to everyday life.
This document provides a high-level description of Immuni—it is a good idea to read it first. More detailed information can be found in the following documents:
We have open-sourced Immuni’s software under the GNU Affero General Public License version 3 . Finally, penetration tests are taking place and we will share the resulting reports.
Immuni is a technological solution that centres on a smartphone app.
It helps us to fight epidemics—starting with COVID-19:
Immuni is designed to address the current crisis, but the vision behind it is for the tools that are being developed to make us all better prepared in addressing similar threats that may arise in the future.
The main principles that guide the design and development of Immuni follow:
Immuni is a technological solution that centres on a smartphone app available for Android and iOS.
It features an exposure notification system to help alert potentially SARS-CoV-2-positive users at an early stage. This system keeps track of contact between Immuni users, even when they are total strangers. When a user tests positive for SARS-CoV-2, the app uses this system to notify other at-risk users. The system is based on Bluetooth Low Energy and does not use any geolocation data whatsoever, including GPS data. So, while the app knows that the contact with an infected user took place, how long it lasted, and can estimate the distance that separated the two users, it cannot tell where the contact took place, nor the identities of those involved.
The app then recommends to at-risk users what to do. Recommendations may include self-isolation (which helps minimise the spread of the disease) and contacting their general practitioner (so that the user can receive the most appropriate care and reduce the likelihood of developing severe complications).
As stated, Immuni’s exposure notification system leverages Bluetooth Low Energy. This has some advantages compared to a solution based on location tracking:
To implement its contact tracing functionality, Immuni leverages the Apple and Google Exposure Notification framework (see Apple’s documentation and Google’s documentation ). This allows Immuni to overcome certain technical limitations, thus being more reliable than otherwise would be possible.
Below, a high-level, simplified description of the system is provided. For more details, please study the rest of the Immuni documentation.
Once installed and set up on a device ( device_A ), the app generates a temporary exposure key. This key is generated randomly and changes daily. The app also starts transmitting a Bluetooth Low Energy signal. The signal contains a rolling proximity identifier ( ID_A1, assumed fixed in this example, for simplicity). This is generated from the current temporary exposure key. When another device ( device_B ) running the app receives this signal, it records ID_A1 locally, in its memory. At the same time, device_A records device_B ’s identifier ( ID_B1, also assumed fixed in this example).
If the user of device_A later tests positive for SARS-CoV-2, following the protocol defined by the National Healthcare Service, they have the option to upload to the Immuni server the temporary exposure keys from which the Immuni app can derive the rolling proximity identifiers recently broadcast by device_A (including ID_A1 ). Periodically, device_B checks the new keys uploaded to the server against its local list of identifiers. ID_A1 will be a match. The app notifies the user of device_B that they may be at risk and provides advice on what to do next (for example, isolating themselves and calling their general practitioner).
In practice, when it comes to determining whether the user of device_B is at risk, finding that they had been in the proximity of the user of device_A is not enough. Immuni assesses this risk based on the duration of the exposure and the distance between the two devices. This is estimated from the attenuation of the Bluetooth Low Energy signal as received by device_B. The longer the exposure and the closer the contact, the higher the risk that a transmission of the virus occurred. Contact lasting only a couple of minutes and happening at several metres of distance will generally be considered to be low risk. The risk model may evolve with time as more information about SARS-CoV-2 becomes available.
It should be noted that the estimation of distance is error-prone. In fact, the attenuation of a Bluetooth Low Energy signal depends on factors such as the orientation of the two devices relative to each other and the obstacles (including human bodies) that lie in between. While leveraging this information is likely useful in increasing the accuracy of Immuni’s assessments of the risk of contagion, wrong assessments will happen with some frequency.
The rolling proximity identifier that is broadcast by the app is generated from random temporary exposure keys and does not contain any information about the device, let alone the user. Moreover, it is rolling, meaning that it changes multiple times each hour, further protecting the privacy of Immuni’s users.
To ensure that only users who actually tested positive for SARS-CoV-2 upload their keys to the server, the upload procedure can only be performed with the cooperation of an authenticated healthcare operator. The operator asks the user to provide a code generated by the app and inputs it into a back-office tool. The upload can succeed only if the code used by the app to authenticate the data corresponds to that entered in the system by the healthcare operator.
Besides the temporary exposure keys, some additional information is sent to the server and analysed to ensure the proper functioning of the system:
These data are important for the National Healthcare Service’s effective management of the system, including maximising the effectiveness of the exposure notifications and providing optimal healthcare assistance to users.
The optimisations enabled by the epidemiological and operational information may be most effective if carried out at the local level. The various Italian regions differ in healthcare policies, resources, and capabilities. Moreover, the epidemic might be at different stages in different locations. Therefore, when sending these data to the server, the app attaches the user’s province of domicile as provided by the user during the onboarding process.
The only epidemiological data Immuni collects relate to the user’s exposure to infected users. The data include:
The app may send epidemiological information to the server only upon uploading temporary exposure keys. When a healthcare operator communicates to the user their positivity to a SARS-CoV-2 test, any available epidemiological information from the previous 14 days will be uploaded too. The data upload needs to be initiated by the user and approved by the healthcare operator.
To protect the user’s privacy, the data uploaded relating to their exposure to potentially contagious users have certain limitations. For example, the duration of the exposure is measured in five-minute increments and capped at 30 minutes for the sum of all contact with an infected user on any given day. Moreover, Immuni has no way to determine that exposures occurring on different days may have involved the same infected user. The app also performs periodic dummy uploads to mitigate the risk of someone gaining sensitive information about the user through traffic analysis.
Collecting these data helps the National Healthcare Service to optimise the app’s risk model. By learning how the epidemiological information (e.g., the duration of the user's exposure) correlates with the user ultimately testing positive for SARS-CoV-2, it may be possible to improve the app's risk model and therefore increase its accuracy, thereby increasing the effectiveness of the exposure notification system. Note that the assessment of risk always happens on the user's device, while the latest model can be fetched from the server.
In addition to the above, some data on device activity and exposure notifications may be collected and uploaded. These data include:
The upload may take place after an exposure detection has been completed. The operational information is uploaded automatically.
To protect user privacy, the data are uploaded without leveraging a user identifier or device identifier, and without requiring the user to authenticate in any way (e.g., no phone number or email verification). Moreover, traffic analysis is obstructed by dummy uploads.
Thanks to these data, it is possible to estimate the level of the app’s adoption across the country, not just measured by number of downloads—a largely meaningless metric—but by devices that are actually working properly. This information is very helpful, as we know that the utility of Immuni depends heavily on its uptake within the population. Supported by these data, the National Healthcare Service can make better decisions in a number of areas critical to maximising the effectiveness of exposure notifications and providing optimal patient care. Such areas include product development, engineering, and communications.
The data would also help with optimising the allocation of resources. By notifying at-risk users, the app will increase the volume of interactions with the National Healthcare Service. Therefore, estimating the number of users that the system will notify may help the National Healthcare Service to allocate its resources accordingly and thus efficiently.
Immuni has been and continues to be designed and developed while paying a lot of attention to user privacy. It is a fundamental right that we must do everything we can to protect. We also think that outstanding privacy protection is critical to making the app acceptable to the greatest number of people, thereby maximising Immuni’s utility.
Below, we provide a list of some of the measures by which Immuni protects the user’s privacy:
These are some of the most pressing points on which we are working: