DP-3T / documents

Decentralized Privacy-Preserving Proximity Tracing -- Documents

create an optional privacy-optimizing accountability/law enforcement add-on module #165

Open ralfhauser opened 4 years ago

ralfhauser commented 4 years ago

Switzerland has implemented relatively liberal rules, but even there, last weekend Zürich city police was patrolling very visibly/frequently along the lake to remind everybody to keep social distance. For example, in France, the regime appears a lot more strict - see

ralfhauser commented 4 years ago

Stricter regimes might be reluctant to replace the above with purely voluntary apps.

Therefore, an add-on module should be designed that
a) gives evidence that you had the app running with your Bluetooth on since you left home,
b) is verifiable by a police officer in an easy way, and
c) maintains the "graceful dismantling" properties as per https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf

ralfhauser commented 4 years ago

Brainstorming:
1) locally on your app, create a https://en.wikipedia.org/wiki/Merkle_tree on your 'local storage of observed EphIDs (with coarse time indication)' and some indication of the time range your Bluetooth was 'on' (possibly salted with your currently active, own EphID)
2) provide some QR-code representation you could show to police officers convincing them about 1) for the relevant period
3) if your SIM chip is capable of signing (e.g. https://www.mobileid.ch/), optionally sign 1)

For the mentioned "voluntary provision of (anonymized) data to epidemiological research centers", it may be useful to share some of the Merkle hashes externally (https://github.com/DP-3T/documents/issues/83 ?)
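The following is an added illustration of steps 1) and 2) of the brainstorm above; it is not code from the DP-3T project or from the commenter. It builds a Merkle tree over a constructed local log of (coarse time bucket, observed EphID) records, salted with the device's own EphID, adds one leaf that states the time range Bluetooth was on, encodes the root as a QR-style payload, and shows how a verifier checks that a revealed leaf belongs to that root. The record layout, the leaf tags, the payload format and all sample values are assumptions made for the example.

```python
import base64
import hashlib

# Constructed sample data (not real observations): coarse time bucket and a
# 16-byte EphID per record. Bucket size and the "own EphID" salt are assumptions.
SAMPLE_LOG = [
    (1000, bytes.fromhex("11" * 16)),
    (1000, bytes.fromhex("22" * 16)),
    (1001, bytes.fromhex("33" * 16)),
    (1003, bytes.fromhex("44" * 16)),
    (1009, bytes.fromhex("55" * 16)),  # outside the window used below
]
OWN_EPHID = bytes.fromhex("aa" * 16)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(bucket: int, ephid: bytes, salt: bytes) -> bytes:
    # Domain-separated leaf: tag 0x00, salt, 4-byte big-endian bucket, EphID.
    return sha256(b"\x00" + salt + bucket.to_bytes(4, "big") + ephid)


def range_leaf(first: int, last: int, salt: bytes) -> bytes:
    # Leaf asserting the coarse time range in which Bluetooth was on.
    return sha256(b"\x02" + salt + first.to_bytes(4, "big") + last.to_bytes(4, "big"))


def node_hash(left: bytes, right: bytes) -> bytes:
    # Tag 0x01 keeps inner nodes distinct from leaves (second-preimage hygiene).
    return sha256(b"\x01" + left + right)


def build_levels(leaves):
    """Bottom-up Merkle levels; an unpaired node is promoted unchanged."""
    if not leaves:
        raise ValueError("empty log")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev, nxt = levels[-1], []
        for i in range(0, len(prev), 2):
            nxt.append(node_hash(prev[i], prev[i + 1]) if i + 1 < len(prev) else prev[i])
        levels.append(nxt)
    return levels


def inclusion_proof(levels, index):
    """Sibling path for leaf `index`: list of (sibling_hash, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))
        index //= 2
    return proof


def verify_inclusion(leaf, proof, root):
    """Recompute the path from `leaf` and compare with `root`."""
    h = leaf
    for sib, sib_is_left in proof:
        h = node_hash(sib, h) if sib_is_left else node_hash(h, sib)
    return h == root


def commit_window(log, own_ephid, first, last):
    """Commit to the range leaf plus every log entry whose bucket lies in [first, last]."""
    leaves = [range_leaf(first, last, own_ephid)]
    leaves += [leaf_hash(b, e, own_ephid) for b, e in sorted(log) if first <= b <= last]
    levels = build_levels(leaves)
    return levels[-1][0], levels


def qr_payload(root, first, last):
    """Compact string a QR code would carry: assumed format 'DP3T-ACC:first:last:root'."""
    return f"DP3T-ACC:{first}:{last}:{base64.urlsafe_b64encode(root).decode().rstrip('=')}"


def officer_check(payload, leaf, proof):
    """Verifier side: parse the QR payload and check one revealed leaf against the root."""
    tag, _first, _last, b64 = payload.split(":")
    if tag != "DP3T-ACC":
        return False
    root = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    return verify_inclusion(leaf, proof, root)


if __name__ == "__main__":
    root, levels = commit_window(SAMPLE_LOG, OWN_EPHID, 1000, 1004)
    payload = qr_payload(root, 1000, 1004)
    print(payload, officer_check(payload, levels[0][0], inclusion_proof(levels, 0)))
```

The verifier only ever sees hashes and a sibling path, so nothing about the other parties' EphIDs leaks through the proof itself; what the verifier can learn depends entirely on which leaf preimages the phone chooses to reveal alongside it. Note also what the commitment does and does not establish: it shows that the phone holds a log consistent with the root it displayed, not that the logged EphIDs were genuinely received over Bluetooth.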

noci2012 commented 4 years ago
> 3) if your SIM chip is capable of signing (e.g. https://www.mobileid.ch/), optionally sign 1)

How can this still be anonymous? privacy friendly?

tbuytaer commented 4 years ago
ralfhauser commented 4 years ago
> > 3) if your SIM chip is capable of signing (e.g. https://www.mobileid.ch/), optionally sign 1)
>
> How can this still be anonymous? privacy friendly?

@noci2012 If the asymmetric signature stays local and gets flushed after 8-14 days, yes

ralfhauser commented 4 years ago
> * If you have to prove it's switched on, or need to have it installed to be able to leave your house, it wouldn't be voluntary anymore.
>
> * If you need to prove your app was observing EphIDs, it means you might **get in trouble for not encountering enough people** when going outside.

@tbuytaer I am fully in favour of trying to get the thing working by purely "voluntary" approaches (and luckily in CH, the gov't teams working on this really want to do this decentrally and voluntarily). But randomly asking non-IT people I am in contact with, my doubts grow that we will reach the necessary 60%. Recent headlines that caused the leading scientists to restate the importance of privacy https://drive.google.com/file/d/1OQg2dxPu-x-RZzETlpV3lFa259Nrpk1J/view fuel their doubts...

If the choice in September 2020 will be a) 2nd lockdown or b) an enhanced, decentral tracing app that allows you to provide evidence you use it

I would prefer b) and therefore I suggest starting to think about how to build in "accountability" without a centralized approach.

ralfhauser commented 4 years ago

In my recollection of a discussion with @phaupt, it appears that the current mobileID approach has the following characteristics

Pros:
i) an asymmetric key pair is used on the SIM card
ii) it uses ETSI standards that pre-date smartphones ("SIM Toolkit (STK) Application Development", e.g. out of 2009 SIMalliance - Interoperability Stepping Stones Release 7, chapt. 10.5.2) ==> so the fundamental functions are probably also available on most SIMs from telcos other than those already supporting mobileID

Cons:
iii) unclear whether those signatures can be triggered locally from the phone (currently they are triggered through the network with binary "pduSMS")
iv) the triggering app is on the SIM card and protected such that the SIM has to be replaced to have another (i.e. local) triggering (so the multi-million SIMs equipped with mobileID in circulation in CH might not be of much use :( )

fynngodau commented 4 years ago

I think it is dangerous to imply that the existing restrictions will be lifted sooner only if people install a tracing application on their devices. This can lead to social pressure which could make the use of the application essentially non-voluntary.

There shouldn't be any benefits to installing such an application, either; so it mustn't be provable that it has been running for a certain time.