DP-3T / documents

Decentralized Privacy-Preserving Proximity Tracing -- Documents

15 risk scenarios for privacy-preserving contact tracing with a focus on DP-3T (in French) #229

Open YvesMoreau opened 4 years ago

YvesMoreau commented 4 years ago

Critical discussion of proposed protocol with 15 risk scenarios:

https://risques-tracage.fr/docs/risques-tracage.pdf

lbarman commented 4 years ago

Hi @YvesMoreau, thanks for the input. We were aware of it; I think it would be good if on our side we consolidate these privacy attacks in one place (we now have at least 5 threads on it). Working on it. Thanks!

s-chtl commented 4 years ago

You can have a look at our risks document that might also answer some of your concerns.

claustres commented 4 years ago

Your discussion about the risk scenarios for non-specialists is great, thanks for that. However, my humble opinion is that we always see detailed discussions about a given risk without any balance of what it implies to mitigate this risk. I am not a security expert and I think it is really hard to build our own opinion between all the raised risks without this.

For instance, take one of the first scenarios => "my grandfather goes only to the grocery during the outbreak, so if he receives an alert he knows the grocer is ill", so performing deanonymisation. If we balance this scenario with or without the app and see what is going on, I think we can have a deeper discussion. Let's say it is my 80-year-old grandfather; here are just a couple of possible issues.

With the app:

Without the app:

These scenarios highlight the fact that of course "technical means" cannot protect against everything, but similarly "non-technical means" can be used to divulge information. And these scenarios and consequences can be different for me if I am 40 years old, with less risk with regard to the disease, and I probably miss a lot of possible issues (for instance, I assume a responsible grocer, not someone who doesn't care and continues business as usual even if ill). I am not saying it is easy, but I am saying that most discussions are biased in a specific direction only, which is making it hard to be sure of what to think as a non-specialist. Any discussion should also balance which option provides more or less individual initiative with respect to the disease beyond technical aspects.

Moreover, as each technique (centralized or not) has issues, we should ask who is more likely to have the power to massively hack the system and which one will result in massive leakage in each case? Indeed, it appears to me that 99.99% of the time my neighbors don't have the technical skill to do so, while for instance a central authority has it. Moreover, hacking in a decentralized way could leak a couple of users, while hacking a central server could leak thousands of users. Of course both issues are bad, but they don't have the same scale.

This is my 2 cents.

LegFranck commented 4 years ago

@YvesMoreau I actually wrote a counter-analysis of the risks (also in French) based on the Google-Apple solution that also applies to DP-3T: https://link.medium.com/Zm9AlJPb25 (btw, in there I also propose 2 risk-mitigating app-level features: snoozing and geofencing-based activation and deactivation of contact tracing).

The risk analysis is very thorough but I still feel that concrete examples highlighting the main risks and mitigating measures would be more understandable for the layman.