ROBERT-proximity-tracing / documents

Protocol specification, white paper, high level documents, etc.

Social/contact/proximity graph - why are they needed? Are they all same? #15

Open ArchanaaSK opened 4 years ago

ArchanaaSK commented 4 years ago

A few questions related to social graphs:

  1. The specification mentions how a social/proximity graph can be constructed or avoided. It does not mention the use of such graphs.

  2. Consider using one type of graph naming: contact graph, social graph and proximity graph are used interchangeably within and across document/s.

  3. Contradicting statements are made w.r.t. the ability of the central authority to construct these graphs:

Specification:

The authority running the system, in turn, is "honest-but-curious". Specifically, it will not deploy spying devices or will not modify the protocols and the messages. However, it might use collected information for other purposes such as to re-identify users or to infer their contact graphs.

Given any two random identifiers of IDTable that are flagged as "exposed", the server Srv cannot tell whether they appeared in the same or in different LocalProximityList lists (the proximity links between identifiers are not kept and, therefore, no proximity graph can be built)

A LocalProximityList contains the EBIDs of the devices that the infected user has encountered in the last CT days. This information together with the timing information associated with each HELLO message could be used to build the de-identified social/proximity graph of the infected user. The aggregation of many such social/proximity graphs may lead, under some conditions, to the de-anonymization of its nodes, which results in the social graphs of the users.

Summary:

The authority does not learn the real identities of any user, whether diagnosed with COVID-19 (i.e., tested positive), such as Alice above, or exposed, such as Bernard and Charles. Also, the authority cannot infer the “proximity graph” of Alice, Bernard or Charles.
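
The two quoted passages differ in what the server retains after an upload. As an added example (not code from the ROBERT repository or its specification, and a deliberately simplified model), the following contrasts a server that keeps only the per-identifier "exposed" flag in IDTable with an honest-but-curious variant that also keeps the links from each LocalProximityList. The class names, the `same_list` / `proximity_graph` helpers and the sample EBIDs are assumptions made for illustration; the uploads are constructed sample data.

```python
"""Simplified model of what a ROBERT-style server can infer from uploaded
LocalProximityLists, depending on whether proximity links are retained.
Added example; not the project's reference implementation."""
from collections import defaultdict
from itertools import combinations

# Constructed sample uploads. Each is the LocalProximityList of one infected
# user, as (EBID, epoch) pairs; EBID values are placeholders, not real ones.
UPLOADS = [
    [("ebid_a", 10), ("ebid_b", 10), ("ebid_c", 12)],  # first infected user
    [("ebid_b", 30), ("ebid_d", 31)],                  # second infected user
]


class FlagOnlyServer:
    """Behaviour claimed in the specification's privacy analysis: after an
    upload only the 'exposed' flag per identifier survives in IDTable; the
    list itself, and hence every link between identifiers, is discarded."""

    def __init__(self):
        self.id_table = {}  # EBID -> exposed flag

    def ingest(self, local_proximity_list):
        for ebid, _epoch in local_proximity_list:
            self.id_table[ebid] = True
        # The list is not stored; nothing records which EBIDs co-occurred.

    def exposed(self):
        return sorted(e for e, flag in self.id_table.items() if flag)

    def same_list(self, x, y):
        """Unanswerable here: IDTable holds no co-occurrence information."""
        return None


class LinkRetainingServer(FlagOnlyServer):
    """Honest-but-curious variant from the threat model: it follows the
    protocol but additionally keeps the links inside each uploaded list."""

    def __init__(self):
        super().__init__()
        self.edges = defaultdict(int)  # frozenset({x, y}) -> occurrence count

    def ingest(self, local_proximity_list):
        super().ingest(local_proximity_list)
        ids = {e for e, _ in local_proximity_list}
        for x, y in combinations(sorted(ids), 2):
            self.edges[frozenset((x, y))] += 1

    def same_list(self, x, y):
        return frozenset((x, y)) in self.edges

    def proximity_graph(self):
        """Aggregate of all per-upload graphs: the de-identified proximity
        graph whose nodes are EBIDs rather than users."""
        graph = defaultdict(set)
        for edge in self.edges:
            x, y = sorted(edge)
            graph[x].add(y)
            graph[y].add(x)
        return {k: sorted(v) for k, v in graph.items()}


if __name__ == "__main__":
    flag_only, curious = FlagOnlyServer(), LinkRetainingServer()
    for upload in UPLOADS:
        flag_only.ingest(upload)
        curious.ingest(upload)
    print("exposed:", flag_only.exposed())
    print("flag-only server, a~b in same list?", flag_only.same_list("ebid_a", "ebid_b"))
    print("curious server, a~b in same list?", curious.same_list("ebid_a", "ebid_b"))
    print("curious server graph:", curious.proximity_graph())
```

Both servers end up with the same IDTable flags, so the exposure notifications are identical; the difference is only in what else is kept. The "cannot infer the proximity graph" statement holds for the first server, while the threat-model sentence describes the second, which is why the wording of the two passages needs to be reconciled rather than one of them being simply wrong.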

PRIVATICS-Inria commented 4 years ago

Thank you for your feedback.

1. How inferred personal information could be exploited is out of the scope of this document.

2. Thank you for this remark. The different notions are a bit different, though we will try to fix that in a future version of the document.

3. Specification and summary: this is our overall conclusion. We will clarify this in future versions.