DP-3T / documents

Decentralized Privacy-Preserving Proximity Tracing -- Documents

Easy deanonymization of infected individuals #37

Open inaitana opened 4 years ago

inaitana commented 4 years ago

I think the scenario description of how tech-savvy people can identify infected individuals is too convoluted, and the actual operation can be much easier and more effective. It is assumed the malicious user should keep a detailed log of people he meets, possibly register multiple accounts, modify the app, but none of this is actually necessary.

A malicious user just needs to implement a georeferenced EphID tracing app, and then go all around all the houses at a time when people are most probably home (9-12 in the evening). With proper evaluation of RSSI values he can easily get a good estimate of where each EphID lives.

In a small community, a single user could effectively identify all infected individuals' families.

Furthermore, it would be extremely easy to build a collaborative database of georeferenced EphID observations, and even easier to build a database of infected individuals' EphIDs (as these are basically public).

I don't get how the coarse time-framing inside the app and the random EphID usage order can mitigate this in any way, as the document seems to suggest.

burdges commented 4 years ago

See #24

FroehlichMarcel commented 4 years ago

To mitigate the risk of revealing location data of home address, people should deactivate bluetooth for the app while at home. I do not see a safe mechanism to automate this.

inaitana commented 4 years ago

@FroehlichMarcel Don't we all meet people while at home? Friends, relatives, visitors, neighbors, baby sitters, cleaning ladies, mailmen... In the moderate social distancing scenario we are going to live in for the next months, most close contacts might happen inside or near homes (and the same reasoning applies to workplaces). Sacrificing them might mean losing a lot of possible contacts.

Interestingly enough, this would also be where a gps-based tracing would most likely fail.

FroehlichMarcel commented 4 years ago

@inaitana Right. Still, the basic assumption is that I use it because I want to trace, not because I have to. So when I deactivate BT (to avoid skimming of my broadcasted IDs), I do it because there is nothing to be tracked (e.g. over night). If the app provided a prominent switch and status, it could be helpful.

inaitana commented 4 years ago

Yes of course the user could disable it at will (possibly inside limits mandated by public policies), but still I guess a very large chunk of users would end up broadcasting their IDs from their homes in late evenings, or from their workplaces during working hours.

danielbeeke commented 4 years ago

Would it be possible to control the sending strength of the Bluetooth and lower it when at home?

Detecting that the user is at home could maybe be done by checking if the phone is connected to the home WiFi (the user could confirm that in the app) or via GPS (user selected home on a map).

Negative results of this are: The app has information about the user's home / geolocation.

To prevent the app holding pinpointed geolocated data, the app could download the housing data from the current city, region, province/state (download a level higher to add a little bit of anonymity) via OpenStreetMaps or something like that and then check if the user is inside a house.

A very complex way to mitigate the app knowing the user is in his home while still knowing it is in a home, all with the end result of lowering the broadcast signal strength so malicious others cannot record EphIDs while the user is at home.

FroehlichMarcel commented 4 years ago

@danielbeeke Geodata is a no-no in this app. WLAN probably hard to avoid. I am more concerned that the data can be linked by commercial data aggregators than by people walking down the street. Google and some more likely know your WLAN.

nixpulvis commented 4 years ago

Don't we all meet people while at home? Friends, relatives, visitors, neighbors, baby sitters, cleaning ladies, mailmen...

This is not my understanding of the term "social distancing" at all. Nobody should be coming over. Mailmen leaving packages out front is a small but necessary risk. Of course it's a spectrum of response, and as we make it past the various peaks, we should be considering how to gradually relax this.

More to your underlying point though... I agree that most contacts will be somewhat localized. Making the ability to remove yourself from isolation and probe specific locales seems worrisome to me.

s-chtl commented 4 years ago

Hi All, thank you for this discussion. I believe our new "Security and Privacy Analysis" document might answer some of your questions. We hope this helps.