DP-3T / documents

Decentralized Privacy-Preserving Proximity Tracing -- Documents

Trust in backend and HA to be separate #94

Open jorants opened 4 years ago

jorants commented 4 years ago

It seems that a big part of the security comes from the fact that the HA knows which auth token is for which natural person while the backend knows which token is linked to which SK, but nobody knows both. This seems to be putting a lot of trust in the fact that these two systems will stay separate. Either through leaks, or by design, it does not seem unlikely that these systems might (partially) be in hands of a single party.

Even if the systems are separate, this is highly dependent on the implementation. Tokens might at least be linkable to specific health providers, as they are the ones that activate the token. Furthermore

You could think of simple BT sniffers in certain places (simply a phone with the app) that then allow the tracking of two weeks of location data as soon as someone registers their SK.

miguel-negrao commented 4 years ago

Would it be possible to create a technical solution where the HA is required to generate the auth token, but the generation takes place inside the patient's phone, only one auth token can be generated and the HA would not know which auth token was generated?
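One cryptographic building block that gives exactly the property asked about in this comment (the HA authorises one token per patient but never learns which token) is a blind signature. The block below is an added illustration written for this thread, not DP-3T's protocol and not code from the repository; it uses constructed toy-sized RSA parameters, a placeholder token value and a hypothetical `HealthAuthority` class, and textbook unpadded RSA that is unsuitable for production.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (illustration only): N is 92 bits, far too small
# for real use. The HA holds D; the backend needs only (N, E) to verify.
P = (1 << 61) - 1                      # Mersenne prime
Q = (1 << 31) - 1                      # Mersenne prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # HA's private signing exponent


def token_digest(token: bytes) -> int:
    """Map an auth token to an integer below N (first 8 bytes of SHA-256)."""
    return int.from_bytes(hashlib.sha256(token).digest()[:8], "big")


def blind(token: bytes):
    """Patient's phone: hide the token digest behind a random factor r."""
    m = token_digest(token)
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:         # r must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    return (m * pow(r, E, N)) % N, r


class HealthAuthority:
    """Signs exactly one blinded value per patient; logs only what it saw."""

    def __init__(self):
        self.log = {}                   # patient_id -> blinded value signed

    def sign_once(self, patient_id: str, blinded: int) -> int:
        if patient_id in self.log:
            raise PermissionError("patient already received an auth token")
        self.log[patient_id] = blinded
        return pow(blinded, D, N)      # HA signs without seeing the token


def unblind(blinded_sig: int, r: int) -> int:
    """Patient's phone: strip r to obtain the plain signature on the digest."""
    return (blinded_sig * pow(r, -1, N)) % N


def backend_verify(token: bytes, sig: int) -> bool:
    """Backend checks the HA's signature offline, using only the public key."""
    return pow(sig, E, N) == token_digest(token)


def ha_can_link(ha: HealthAuthority, token: bytes, sig: int) -> bool:
    """Does anything the HA logged equal what the backend later sees?"""
    return any(v in (token_digest(token), sig) for v in ha.log.values())


def run_flow(patient_id="patient-A", token=b"constructed-token-1"):
    """Full exchange: blind -> HA signs once -> unblind -> backend verifies."""
    ha = HealthAuthority()
    blinded, r = blind(token)
    sig = unblind(ha.sign_once(patient_id, blinded), r)
    return ha, token, sig
```

The HA's log contains only the blinded values, so even a merged HA and backend database cannot pair a patient identity with the token the backend receives.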