ArchanaaSK opened this issue 4 years ago (status: Open)
Section 7 of specification mentions the following:
If ESR_REPLY_{A,i} is set to "1": App_A keeps broadcasting HELLO messages but stops sending ESR_REQUEST requests to the server.
It is clear that HELLO message broadcasting is still happening and exposure status request is denied for 'at risk' users. It is not clear if HELLO messages collection and infected user declaration is still enabled.
Thanks for your question. Deactivating accounts means that the app cannot perform Exposure Status Requests (ESR), at least temporarily, but the other functionalities of the app can remain active. This restriction will prevent a malicious user from learning by whom it was exposed through repeated ESRs.
Note that this mechanism does not totally prevent the risk, since a malicious user may re-install the application and perform a new ESR. This risk is mitigated, if not removed, by the proof-of-work mechanism we propose. However, the CNIL opinion (last paragraph of p. 10) may require us to be more strict on this aspect.
The specification states that user accounts that receive an 'at risk of exposure' message will be deactivated.
Scenario 1. Does deactivating also disable the app from sending EPIDs collected in the future (after receiving the 'at risk' message)? An app user 'at risk' may continue to meet people (i.e. receive HELLO messages from other users), either knowingly or unknowingly, while they are at risk. How are these HELLO messages collected? It is not clear how an 'at risk' user interacts with other users.
Scenario 2. Does deactivating at risk accounts delete their data? For example, if an 'at risk' user A is diagnosed to be infected, is there provision for user A (whose account is deactivated) to send its LocalProximityList to Srv? Assuming that the list has valid IDs (within the advised 14 day period).
What does deactivation of an account imply? Does the 'at risk' user's app lose functionality in all its stages: proximity discovery, declaration of contact pseudonyms of a user diagnosed with COVID-19, and exposure status request?
Based on the above two scenarios, I feel phases 1 and 2 of the protocol should still be active in 'at risk' users for accurate proximity tracing using ROBERT.
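The deactivation semantics described in the reply above and the two follow-up scenarios, as an added toy model that is not ROBERT reference code. It assumes, as the reply suggests, that only ESR is blocked after an ESR_REPLY of 1 while HELLO broadcast, HELLO collection and the infected-user upload stay active, and it uses the 14-day retention window mentioned in Scenario 2; all class and method names are made up for this illustration.

```python
# Toy model of account deactivation in ROBERT (illustration only, not the
# protocol's own code). Server-side: one ESR_REPLY flag per account gates
# further ESR_REQUESTs. App-side: HELLO collection and the diagnosed-user
# upload keep working; only ESR_REQUEST stops once ESR_REPLY_{A,i} == 1.
from dataclasses import dataclass, field

RETENTION_DAYS = 14  # contact retention window discussed in Scenario 2 (assumed)


@dataclass
class Server:
    """Toy server: remembers which accounts were told they are at risk."""
    exposed: dict = field(default_factory=dict)  # account -> risk score (constructed)
    at_risk: set = field(default_factory=set)    # accounts whose last ESR_REPLY was 1

    def esr_request(self, account: str):
        """Return 1 (at risk), 0 (not at risk) or None (account deactivated)."""
        if account in self.at_risk:
            return None  # deactivated: repeated ESR is refused, limiting re-identification
        risky = self.exposed.get(account, 0) > 0
        if risky:
            self.at_risk.add(account)  # deactivate right after a positive reply
        return 1 if risky else 0


@dataclass
class App:
    """Toy app: keeps a LocalProximityList and an ESR_REPLY flag."""
    account: str
    esr_reply: int = 0
    local_proximity: list = field(default_factory=list)  # (day, HELLO) pairs

    def tick(self, server: Server, day: int, received_hellos: list):
        """One day: collect HELLOs (always), then ESR only while not at risk."""
        self.local_proximity.extend((day, h) for h in received_hellos)
        # drop contacts older than the retention window
        self.local_proximity = [(d, h) for d, h in self.local_proximity
                                if day - d < RETENTION_DAYS]
        if self.esr_reply == 1:
            return None  # ESR_REPLY_{A,i} == 1: stop sending ESR_REQUEST
        reply = server.esr_request(self.account)
        if reply == 1:
            self.esr_reply = 1
        return reply

    def declare_infected(self, day: int) -> list:
        """Contacts still uploadable after deactivation (assumed), within the window."""
        return [h for d, h in self.local_proximity if day - d < RETENTION_DAYS]
```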