key: cord-0541740-ts0kwnmc
authors: Jamroga, Wojciech
title: A Survey of Requirements for COVID-19 Mitigation Strategies. Part II: Elicitation of Requirements
date: 2021-01-22
journal: nan
DOI: nan
sha: 2c2d3bd0fa9311ed76b2d9f543bf6194db4c29b8
doc_id: 541740
cord_uid: ts0kwnmc

The COVID-19 pandemic has influenced virtually all aspects of our lives. Across the world, countries have applied various mitigation strategies, based on social, political, and technological instruments. We postulate that multi-agent systems can provide a common platform to study (and balance) their essential properties. We also show how to obtain a comprehensive list of the properties by"distilling"them from media snippets. Finally, we present a preliminary take on their formal specification, using ideas from multi-agent logics.

COVID-19 has influenced virtually all aspects of our lives. Across the world, countries applied wildly varying mitigation strategies for the epidemic, ranging from minimal intrusion in the hope of obtaining "herd immunity", to imposing severe lockdowns on the other extreme. It seems clear at the first glance what all those measures are trying to achieve, and what the criteria of success are. But is it really that clear? Quoting an oft-repeated phrase, with COVID-19 we fight an unprecedented threat to health and economic stability [Soltani et al., 2020] . While fighting it, we must protect privacy, equality and fairness [Morley et al., 2020] and do a coordinated assessment of usefulness, effectiveness, technological readiness, cyber security risks and threats to fundamental freedoms and human rights [Stollmeyer et al., 2020] . Taken together, this is hardly a straightforward set of goals and requirements. Thus, paraphrasing [Stollmeyer et al., 2020] , one may ask:

What problem does a COVID mitigation strategy solve exactly?

Even a quick survey of news articles, manifestos, and research papers published since the beginning of the pandemic reveals a diverse landscape of postulates and opinions. Some authors focus on medical goals, some on technological requirements; others are concerned by the economic, social, or political impact of a containment strategy. The actual stance is often related to the background of the author (in case of a researcher) or their information sources (in case of a journalist). Moreover, the authors advocating a particular aspect of the strategy most often neglect all the other aspects. We propose that the field of multi-agent systems can offer a common platform to study all the relevant properties, due to its interdisciplinary nature [Weiss, 1999 , Wooldridge, 2002 , Shoham and Leyton-Brown, 2009 ], well developed theories of heterogeneous agency [Bratman, 1987 , Cohen and Levesque, 1990 , Rao and Georgeff, 1991 , Wooldridge, 2000 , Broersen et al., 2001 , and a wealth of formal methods for specification and verification [Dastani et al., 2010 , Shoham and Leyton-Brown, 2009 , Jamroga, 2015 .

This still leaves the question of how to gather the actual goals and requirements for a COVID-19 mitigation strategy. One way to achieve it is to look at what is considered relevant by the general public, and referred to in the media. To this end, we collected a number of news quotes on the topic, ordered them thematically and with respect to the type of concern, and presented in [Jamroga et al., 2020] . Here, we take the news clips from [Jamroga et al., 2020] , and distill a comprehensive list of goals, requirements, and most relevant risk. The list is presented in Section 2. In Section 3, we make the first step towards a formalization of the properties by formulas of multi-agent logics. We conclude in Section 4.

Besides potential input to the design of anti-COVID-19 strategies, the main contribution of this paper is methodological: we demonstrate how to obtain a comprehensive and relatively unbiased specification of properties for complex MAS by searching for hints in the public space.

Specification of properties is probably the most neglected part of formal verification for MAS. The research on formal verification usually concentrates on defining the decision problem, establishing its theoretical properties, and designing algorithms that solve the problem at an abstract level Dastani et al. [2010] . Fortunately, the algorithms are more and more often implemented in the form of a publicly available model-checker [Alur et al., 2000 , Behrmann et al., 2004 , Kant et al., 2015 , Kurpiewski et al., 2019 . The tools come with examples of how to model the behavior of a system, but writing the input formulas is generally considered easy. The big question, however, is: Where do the formulas come from? In a realistic multi-agent scenario, it is not clear at all.

Mitigating COVID-19 illustrates the point well. Research on mitigation measures is typically characterized by: (a) strong focus on the native domain of the authors, and (b) focus on the details, rather than the general picture. In order to avoid "overlooking the forest for the trees," we came up with a different methodology. We looked for relevant phrases that appeared in the media, with no particular method of source selection [Jamroga et al., 2020] . Then, we extracted the properties, and whenever possible generalized statements on specific measures to the mitigation strategy in general. Finally, we sorted them thematically, and divided into 3 categories: goals, additional requirements, and potential risks and threats.

While most of the collected snippets focus on digital contact tracing, the relevance of the requirements goes clearly beyond that, and applies to all the aspects of this epidemic, as well as the ones that may happen in the future.

COVID-19 is first and foremost a threat to people's health and lives. Accordingly, we begin with requirements related to this aspect of mitigation strategies.

The goal of the mitigation strategy in general, and digital measures in particular, is to:

(i) provide an epidemic response [Soltani et al., 2020] (ii) bring the pandemic under control [Morley et al., 2020] (iii) slow the spread of the virus [Woodhams, 2020 , NCS, 2020 , Soltani et al., 2020 , Bicheno, 2020 , hel, 2020 , Ilves, 2020 (iv) prevent deaths [AFP, 2020] (v) reduce the reproduction rate of the virus, i.e., how many people are infected by someone with the virus [AFP, 2020] .

The specific goals of digital measures are to:

(i) trace the spread of the virus and identify dangerous Covid-19 clusters [Ilves, 2020] (ii) find potential new infections [Timberg, 2020] (iii) register contacts between potential carriers and those who might be infected [Ilves, 2020] (iv) deter people from breaking quarantine [Clarance, 2020] Requirements:

(1) The efforts must meet public health needs best [Soltani et al., 2020 , Ilves, 2020 .

(2) Digital measures should be a component of the epidemic response [Soltani et al., 2020] , and enhance traditional forms of contact tracing [Timberg, 2020] (3) They should be designed to help the health authorities [hel, 2020].

Requirements:

(1) The strategy should be effective [Soltani et al., 2020 , Stollmeyer et al., 2020 (2) It should make a difference [Burgess, 2020] .

(a) Inaccurate detection of carriers and infected people due to the limitations of the technology and the underlying model of human interaction [Soltani et al., 2020] (b) Specifically, this may adversely impact relaxation of lockdowns [Woodhams, 2020] (c) Misguided assurance that going out is safe [Soltani et al., 2020] .

The strategy should support rapid identification and notification of the most concerned. That is, it should allow:

(1) to identify people who might have been exposed to the virus [Zastrow, 2020] (2) to alert those people [Morley et al., 2020 , hel, 2020 , Timberg, 2020 , POL, 2020 .

(3) The identification and notification must be rapid [Zastrow, 2020 , Morley et al., 2020 .

The containment strategy should enable:

(1) monitoring the state of the pandemic, e.g., the outbreaks and the spread of the virus [POL, 2020 , Frasier, 2020 (2) monitoring the behavior of people, in particular if they are following the rules [Scott and Wanat, 2020] (3) to monitor the effectiveness of the strategy [Davies, 2020] .

There are tradeoffs between effective containment of the epidemic and other concerns, such as privacy and protection of fundamental freedoms [McCarthy, 2020 , Clarance, 2020 , POL, 2020 , Ilves, 2020 . E.g., effective monitoring is often at odds with privacy [Davies, 2020] . The strategy should

(1) strike the right balance between different concerns [Ilves, 2020] .

We will see more tradeoff-related requirements in the subsequent sections.

Most measures to contain the epidemic are predominantly social (cf. lockdown), and have strong social and economic impact.

The containment strategy should:

(1) minimize the cost to local economies and the negative impact on economic growth [Soltani et al., 2020 , AFP, 2020 (2) allow for return to normal economy and society and make resumption of economic and social activities safer [Timberg, 2020 , Taylor, 2020 .

The containment strategy (and digital measures in particular) should:

(1) ease lockdowns and home confinement [Soltani et al., 2020 , Stollmeyer et al., 2020 , Zastrow, 2020 , Taylor, 2020 (2) minimize adverse impact on social relationships and personal well-being [Soltani et al., 2020] (3) prohibit economic and social discrimination on the basis of information and technology being part of the strategy [Soltani et al., 2020] (4) protect the communities that can be harmed by the collection and exploitation of personal data [Soltani et al., 2020] .

Detailed requirements:

(1) Surveillance technologies should not become compulsory for public and social engagements, with unaffected individuals restricted from participating in social and economic activities [Soltani et al., 2020] . (b) Discrimination and creation of social divides [Soltani et al., 2020 , Mat, 2020 (c) Disinformation and information abuse [Soltani et al., 2020 , Woodhams, 2020 (d) Providing a false sense of security [Soltani et al., 2020] (e) Political manipulation, creating social unrest, and dishonest competition by false reports of coronavirus [Soltani et al., 2020] (f) Too much political influence of IT companies on the decisions of sovereign democratic countries [Ilves, 2020].

Requirements:

(1) The financial cost of the measures should be minimized [Hern, 2020] (2) Minimization of the involved human resources [Scott and Wanat, 2020, Soltani et al., 2020] (3) Timeliness [Hern, 2020] (4) Coordination between different institutions and authorities [Tahir and Lima, 2020, Eur, 2020] , including the establishment of common standards [Tahir and Lima, 2020 ].

In this section, we look at requirements that aim at the long-term robustness and resilience of the social structure.

(1) The mitigation strategy must be ethically justifiable [Morley et al., 2020] (2) The measures should be necessary, proportionate, legitimate, just, scientifically valid, and time-bound [Morley et al., 2020 , Woodhams, 2020 , Oslo, 2020 , Scott and Wanat, 2020 , Mat, 2020 (3) They should not be invasive [Clarance, 2020] and must not be done at the expense of individual civil rights [Bicheno, 2020 , Mat, 2020 (4) Means of protection should be available to anyone [Morley et al., 2020] (5) They should be voluntary , NCS, 2020 (6) The measures must comply with legal regulations [Mat, 2020 , McCarthy, 2020 , Wodinsky, 2020 (7) Implementation and impact must also be considered [Morley et al., 2020 , Woodhams, 2020 (8) Impact assessment should be conducted and made public [Mat, 2020].

(a) Serious and long-lasting harms to fundamental rights and freedoms [Morley et al., 2020] (b) Costs of not devoting resources to something else [Morley et al., 2020] (c) Measures designed and implemented without adequate scrutiny [Woodhams, 2020] (d) Measures that support extensive physical surveillance [Woodhams, 2020] (e) Mandatory use of digital measures, collecting sensitive information, sharing the data with the government [Clarance, 2020, Zastrow, 2020] (f) Censorship practices to silence critics and control the flow of information [Woodhams, 2020] .

Privacy-related issues for COVID-19 mitigation strategies have triggered heated discussion, and at some point gained much media coverage. This is understandable, since privacy and data protection is an important aspect of medical information flow, even in ordinary times. Moreover, the IT measures against COVID-19 are usually designed by computer scientists and specialists, for whom security requirements are relatively easy to identify and understand.

(1) The strategy should be designed with privacy and information security in mind [Soltani et al., 2020 , Timberg, 2020 (2) It should mitigate privacy concerns inherent in a technological approach [Soltani et al., 2020] (3) It should be anonymous under data protection laws, i.e., it cannot lead to the identification of an individual [Burgess, 2020] (4) The information about users should be protected at all times [NCS, 2020] (5) The design should include recommendations for how back-end systems should be secured, and identify vulnerabilities as well as unintended consequences [Soltani et al., 2020] .

(a) Lack of clear privacy policies [Woodhams, 2020 , Eisenberg, 2020 (b) Exploitation of personal information by authorities or third parties [Eisenberg, 2020 , Woodhams, 2020 , Garthwaite and Anderson, 2020 , in particular live or near-live tracking of users' locations and linking sensitive personal information to an individual [Garthwaite and Anderson, 2020] (c) Linking different datasets at some point in the future [Wodinsky, 2020] (d) Alerts can be too revealing [BBC, 2020] (e) It may be possible to work out who is associating with whom [McCarthy, 2020] .

Here, the key question is: What data is collected and who is it shared with? , Soltani et al., 2020 This leads to the following requirements:

(1) Clear and reasonable limits on the data collection types [Tahir and Lima, 2020 , Clarance, 2020 , NCS, 2020 , Soltani et al., 2020 , Timberg, 2020 (2) Limitations on how the data is used (3) In particular, the data is to be used strictly for disease control and not shared with law enforcement agencies [Clarance, 2020, Taylor, 2020] (4) Less state access and control over user data [Bicheno, 2020] (5) Data collection should be minimized and based on informed consent of the participants [Ilves, 2020] (6) Giving access to one's data should be voluntary (7) One should be able to delete their personal information at any time [hel, 2020 [hel, , McCarthy, 2020 (8) One should have the right to access their own data [hel, 2020 [hel, , McCarthy, 2020 (9) For digital measures, the user should be able to remove the software and disable more invasive features [hel, 2020] .

(a) Data storage that can be hacked and exploited [Davies, 2020 , Zastrow, 2020 , Woodhams, 2020 (b) Data breaches due to insider threats [Eisenberg, 2020] (c) Function creep and state surveillance [Zastrow, 2020] (d) Sharing data across agencies or selling to a third party [Eisenberg, 2020 , Woodhams, 2020 (e) Integration with commercial services [Woodhams, 2020] .

Requirements:

(1) Sunsetting: the measures should be terminated as soon as possible [Scott and Wanat, 2020 , Soltani et al., 2020 , hel, 2020 (2) Data should be eventually or even periodically destroyed [Scott and Wanat, 2020 , hel, 2020 , McCarthy, 2020 , Soltani et al., 2020 , Timberg, 2020 , in particular when it is no longer needed to help manage the spread of coronavirus [NCS, 2020] (3) Transparency of data collection (4) There should be clear policies to prevent abuse (5) Privacy must be backed up with clear lines of accountability and processes for evaluation and monitoring [Wodinsky, 2020] (6) Judicial oversight must be provided [Soltani et al., 2020] (7) Safeguards should be backed by an independent figure [Scott and Wanat, 2020] .

(a) Surveillance might continue to be used after the threat of the coronavirus recedes [Garthwaite and Anderson, 2020] (b) Data can stay with the government longer than necessary [Scott and Wanat, 2020] .

Requirements:

(1) People must get the information they need to protect themselves and others [BBC, 2020] (2) There must be protections against economic and social discrimination based on information and technology designed to fight the pandemic, in particular with respect to communities vulnerable to collection and exploitation of personal data [Soltani et al., 2020] (3) Information should be used in such a way that people who fear being judged will not put other people in danger [BBC, 2020] . 

There is a tradeoff between protecting privacy vs. collecting and processing all the information that can be useful in fighting the epidemic:

• Privacy hinders making the best possible use of the data, including analysis of the population, contact matching, modeling the network of contacts, enabling epidemiological insights such as revealing clusters and superspreaders, and providing advice to people [McCarthy, 2020 , Zastrow, 2020 , Taylor, 2020 • Privacy-preserving solutions put users in more control of their information and require no intervention from a third party [McCarthy, 2020] .

The relationship is not simply antagonistic, though:

• Privacy is instrumental in building trust. Conversely, lack of privacy undermines trust, and may hinder the epidemiological, economic, and social effects of the mitigation activities [Eisenberg, 2020] .

While it might be necessary to waive users' privacy in the short term in order to contain the epidemic, one must look for mechanisms such that

(1) exploiting the risks would require significant effort by the attackers for minimal reward [Zastrow, 2020] .

The measures must be adopted and followed by the people, in order to make them effective.

Goals:

(i) High acceptance rate for the mitigation measures [Timberg, 2020] .

(ii) Creating incentives and overcoming incentive problems for individual people to adopt the strategy [Soltani et al., 2020] Risks and threats:

(a) Lack of immediate benefits for the participants [Soltani et al., 2020] (b) Perceived privacy and security risks [Timberg, 2020] (c) Some measures can divert attention from more important measures, and make people less alert [Szymielewicz et al., 2020] (d) Creating false sense of security from the pandemic [Frasier, 2020] .

Countermeasures:

(a) Pointing out indirect benefits (e.g., opening of the schools and businesses, reviving the national economy) [Soltani et al., 2020] (b) Reliance on personal responsibility [Stollmeyer et al., 2020] .

Requirements:

(1) Enough people should download and use the app to make it effective [Timberg, 2020 , Zastrow, 2020 , Bezat, 2020 . Note: this requirement is graded rather than binary O'Neill [2020], Hinch et al. [2020] .

(a) Lack of users' trust [Burgess, 2020 , Eisenberg, 2020 , see also the connection between privacy and trust in Section 2.4.5

(b) Lack of social knowledge and empathy by the authorities [POL, 2020].

General requirements:

(1) The concrete measures and tools must be operational [McCarthy, 2020, Scott and Wanat, 2020] (2) In particular, they should be compatible with their environment of implementation [Wodinsky, 2020] (3) Design and implementation should be transparent , SDZ, 2020 .

Specific requirements for digital measures:

(1) They should be compatible with most available devices [Wodinsky, 2020] (2) Reasonable use of battery [Wodinsky, 2020] (3) Usable interface [Wodinsky, 2020] (4) Accurate measurements of how close two devices are [Zastrow, 2020] (5) Cross-border interoperability [Cyb, 2020] (6) Possibility to verify the code by the public and experts [SDZ, 2020] .

COVID-19 mitigation activities should be rigorously assessed. Moreover, their outcomes should be used to extend our knowledge about the pandemic, and better defend ourselves in the future. The main goal here is:

(i) to use the collected data in order to develop efficient infection control measures and gain insight into the effect of changes to the measures for fighting the virus [hel, 2020 [hel, , McCarthy, 2020 .

Requirements:

(1) A review and exit strategy should be defined [Morley et al., 2020] (2) Before implementing the measures, an institutional assessment is needed of their usefulness, effectiveness, technological readiness, cyber-security risks and threats to fundamental freedoms and human rights [Stollmeyer et al., 2020] (3) After the pandemic, there must be the society's assessment whether the strategy has been effective and appropriate [BBC, 2020] (4) The assessments should be conducted by an independent body at regular intervals [Morley et al., 2020] .

Here, we briefly show how the requirements presented in Section 2 can be rewritten in a more formal way. To this end, we use modal logics for distributed and multi-agent systems that have been in constant development for over 40 years [Emerson, 1990 , Fagin et al., 1995 , Wooldridge, 2000 , Broersen et al., 2001 , Alur et al., 2002 , Bulling et al., 2015 . Note that the following specifications are only semi-formal, as we do not fix the models nor give the precise semantics of the logical operators and atomic predicates. We leave that step for the future work.

The simplest kind of requirements are those that refer to achievement or maintenance of a particular state of affairs. Typically, they can be expressed by formulas of the branching-time logic CTL ⋆ [Emerson, 1990] , with path quantifiers E (there is a path), A (for all paths), and temporal operators X (in the next moment ), F (sometime from now on), G (always from now on), and U (until ). For example, goal (ii) in Section 2.1 can be tentatively rewritten as the CTL ⋆ formula AF control-pandemic, saying that, for all possible execution paths, control-pandemic must eventually hold. 1 Similarly, goal (iii) can be expressed by formula ∀n . (R0=n) → AF (R0<n). It is easy to see that the latter requirement is more precise than the former. Moreover, goal (iv) can be captured by AG (#deaths<k), for a reasonably chosen k.

The identification and monitoring aspects can be expressed by a combination of CTL ⋆ with epistemic operators K a ϕ ("a knows that ϕ"). For example, the information flow requirement (1) in Section 2.1.3 can be transcribed as exposed i → AF K a exposed i , where a is the name of the agent (or authority) supposed to identify the vulnerable people. A more faithful transcription can be obtained using the past-time operator F −1 (sometime in the past) [Laroussinie and Schnoebelen, 1995] with

saying that if exposed i held at some point in the past, then a will eventually know about it. Likewise, the information flow requirement (2) can be captured by K a exp i → AF K i exp i . Similar temporal-epistemic formulas may be used to express some privacy-related requirements in Section 2.4, e.g., ∀j = i . AG (¬K j (x = i) ∧ ¬K j (x = i)) tentatively captures the anonymity of person i wrt. the database entry represented by x, cf. requirement 2.4.1.(3).

The temporal and epistemic patterns, presented above, can be refined by replacing path quantifiers A, E with strategic operators A of the logic ATL * [Alur et al., 2002 , Bulling et al., 2015 , where A ϕ says that "the agents in A can bring about ϕ". For example, the information flow requirement 2.1.3.(2) can be rewritten as K a (F −1 exposed i ) → a F i F K i (F −1 exposed i ),

saying that if the health authority a knows that i was exposed, then a can provide i with the information sufficient to realize that. Strategic operators are also useful for the monitoring requirements in Section 2.1.4, e.g., a G (K a outbreak∨ K a ¬outbreak) can be used for requirement 2.1.4.(1). The same applies to the access control properties in Section 2.4.2, e.g., requirement (6) can be formalized by formula ∀d ∈ data(i) ∀j = i . i F access(j,d) ∧ i G ¬access(j,d).

For some requirements, this should be combined with bounds imposed on the execution time Polrola, 2006, Knapik et al., 2019] , mental complexity , and/or resources needed to accomplish the tasks [Alechina et al., 2010 , Bulling and Farwer, 2010 , Alechina et al., 2017 . For example, the notification requirement 2.1.3.(2) can be refined as:

based on the assumption that a should notify i in at most 10 time units, and i has a strategy of complexity at most 5 to infer the relevant knowledge from the notification.

To reason explicitly about the outcome of anti-COVID-19 measures, we may need model update operators (supp a : σ) saying "suppose that agent a plays strategy σ" [Bulling et al., 2008] , and similar to strategy binding in Strategy Logic [Mogavero et al., 2010] and ATL with Strategy Contexts [Brihaye et al., 2009] . Then, the effectiveness requirement (2) of Section 2.1.2 for mitigation strategy S can be written as

where ψ can be any of the properties of epidemic response, formalized in Section 3.1.

Many events have probabilistic execution, e.g., actions may fail with some (typically small) probability. Scenarios with probabilistic events can be modeled by variants of Markov decision processes, and their properties can be specified by a probabilistic variant of CTL ⋆ [Baier and Kwiatkowska, 1998] or ATL * [Chen et al., 2013] . For instance, formula a P ≥0.99 F t≤10 i compl≤5 F K i (F −1 exposed i ), refines the previous specification by demanding that the authority can successfully notify i with probability at least 99%.

The requirements presented in Section 2, and formalized above, refer to the "correctness" of a given mitigation strategy. Two meta-properties, well known in computer science, can be also useful in case of the present scenario, namely diagnosability and resilience [Ezekiel and Lomuscio, 2017] . Given a correctness requirement Φ and a responsible agent a, those can be expressed by the following templates:

The templates can be used e.g. for monitoring-type requirements.

Ideally, one would like to automatically evaluate COVID-19 strategies with respect to the requirements, and choose the best one. In the future, we plan to use model checking tools, such as MCMAS , Uppaal [Behrmann et al., 2004] , or PRISM [Kwiatkowska et al., 2002] , to formally verify our formulas over micro-level models created to simulate and predict the progress of the pandemic [Neil M. Ferguson, Daniel Laydon, Gemma Nedjati-Gilani et al., 2020 , Adamik et al., 2020 , Bock et al., 2020 , McCabe et al., 2020 . As we already pointed out, different requirements may be in partial conflict. Thus, selecting an optimal mitigation strategy may require solving a multicriterial optimization problem [Zionts, 1981 , Collette and Siarry, 2004 , Radulescu et al., 2020 , e.g., by identifying the Pareto frontier and choosing a criterion to select a point on the frontier.

In this paper, we make the first step towards a systematic analysis of strategies for effective and trustworthy mitigation of the current pandemic. The strategies may incorporate medical, social, economic, as well as technological measures.

Consequently, there is a large number of medical, social, economic, and technological requirements that must be taken into account when deciding which strategy to adopt. For computer scientists, the latter kind of requirements is most natural, which is exactly the pitfall that computer scientists must avoid. The goals (and acceptability criteria) for a mitigation strategy are much more diverse, and we must consciously choose a solution that satisfies the multiple criteria to a reasonable degree. We suggest that formal methods for MAS provide an excellent framework for that. We also propose a methodology to collect preliminary requirements while avoiding the usual bias of research papers. 

Model-checking for resource-bounded ATL with production and consumption of resources

MOCHA: Modularity in model checking

Alternating-time Temporal Logic

Model checking for a probabilistic branching time logic with fairness

Ten reasons why immunity passports are a bad idea

A tutorial on uppaal

L'application StopCovid, activée seulement par 2% de la population

Unlike France, Germany decides to do smartphone contact tracing the Apple/Google way. telecoms.com

Mitigation and herd immunity strategy for COVID-19 is likely to fail. medRxiv

Intentions, Plans, and Practical Reason

ATL with strategy contexts and bounded memory

The BOID architecture: conflicts between beliefs, obligations, intentions and desires

Expressing properties of resource-bounded systems: The logics RTL* and RTL

Reasoning about temporal properties of rational play

Logics for reasoning about strategic abilities in multi-player games

Just how anonymous is the NHS Covid-19 contact tracing app? Wired

PRISM-games: A model checker for stochastic multi-player games

Why India's Covid-19 contact tracing app is controversial

Intention is choice with commitment

Multiobjective Optimization: Principles and Case Studies

Specification and Verification of Multi-Agent Systems

UK snubs Google and Apple privacy warning for contact tracing app. telecoms.com

Privacy fears threaten New York City's coronavirus tracing efforts

Temporal and modal logic

Combining fault injection and model checking to verify fault tolerance, recoverability, and diagnosability in multiagent systems

Reasoning about Knowledge

Coronavirus antibody tests have a mathematical pitfall

Coronavirus: Alarm over 'invasive' Kuwait and Bahrain contact-tracing apps

An alternating-time temporal logic with knowledge, perfect recall and past: axiomatisation and model-checking

UK abandons contact-tracing app for Apple and Google model. The Guardian

Why are Google and Apple dictating how european democracies fight coronavirus? The Guardian

COVID-Tech: the sinister consequences of immunity passports. EDRi

Logical Methods for Specification and Verification of Multi-Agent Systems

Natural strategic ability

A survey of requirements for COVID-19 mitigation strategies. part I: newspaper clips. CoRR, abs

LTSmin: High-performance language-independent model checking

Timed ATL: forget memory, just count

Rzadowa aplikacja ma blad pozwalajacy na sprawdzenie, czy nasi znajomi podlegaja kwarantannie. Tabletowo

STV: Model checking for strategies under imperfect information

PRISM: probabilistic symbolic model checker

A hierarchy of temporal logics with past

MCMAS: An open-source model checker for the verification of multi-agent systems

Modelling ICU capacity under different epidemiological scenarios of the COVID-19 pandemic in three western European countries

UK finds itself almost alone with centralized virus contact-tracing app that probably won't work well, asks for your location, may be illegal. The Register

Reasoning about strategies

Ethical guidelines for COVID-19 tracing apps

Impact of non-pharmaceutical interventions (NPIs) to reduce COVID-19 mortality and healthcare demand

No, coronavirus apps don't need 60% adoption to be effective

A flood of coronavirus apps are tracking us. now it's time to keep track of them

Norway suspends virus-tracing app due to privacy concerns. The Guardian

Something to declare? surfacing issues with immunity certificates

Advances in Verification of Time Petri Nets and Timed Automata: A Temporal Logic Approach

Multi-objective multi-agent decision making: a utility-based analysis and survey

Modeling rational agents within a BDIarchitecture

Poland's coronavirus app offers playbook for other governments

Multiagent Systems -Algorithmic, Game-Theoretic, and Logical Foundations

Contact-tracing apps are not a solution to the COVID-19 crisis

The dutch tracing app 'soap opera' -lessons for europe

Jak polska walczy z koronawirusem i dlaczego aplikacja nas przed nim nie ochroni? Panoptykon

Google and Apple's rules for virus tracking apps sow division among states

How did the Covidsafe app go from being vital to almost irrelevant? The Guardian

Most Americans are not willing or able to use an app tracking coronavirus infections. that's a problem for Big Tech's plan to slow the pandemic

Multiagent Systems. A Modern Approach to Distributed Artificial Intelligence

The UK's contact-tracing app breaks the UK's own privacy laws (and is just plain broken). Gizmodo, 13

COVID-19 digital rights tracker. Top10VPN

Reasoning about Rational Agents

An Introduction to Multi Agent Systems

Coronavirus contact-tracing apps: can they slow the spread of COVID-19?

A multiple criteria method for choosing among discrete alternatives