Open ReichertL opened 4 years ago
I agree, it is essentially the same protocol as BlueTrace. I would say with respect to anonymization of the users, hence user (same as user's phone number)<->networkid maps and networkid<->messages maps:
It is more fair, imho, when no specific transport protocol is recommended, feasible and enforced on the client app, to explicitly mention that from the trusted entity point of view the phone number is known and correctly managed (used only for the purpose and deleted) as well as other sources of identification such as networkid - the source IP for instance-. This is equivalent, and without probabilistic obfuscation of the network id it is false to say that user's are anonymized to the trusted entity simply by the ROBERT protocol. This is a problem not in the scope of the ROBERT protocol, it is a problem of the tansport protocol.
Of course, the phone number is a direct identification of the user, hence it causes a more important issue in case of leak of the trusted entities information and it should not be transmitted as it is not necessary.
My points if that can be useful are:
+1
This is a problem not in the scope of the ROBERT protocol, it is a problem of the transport protocol.
It can be considered as being part of the scope of the ROBERT protocol. I am thinking to "Untraceable electronic mail, return addresses, and digital pseudonyms" from David Chaum:
A technique based on public key cryptography is presented that allows an electronic mail system to hide who a participant communicates with as well as the content of the communication - **in spite of an unsecured underlying telecommunication system
This article is the genesis of all existing mixnet and onion routing solutions, the most well known being Tor.
This aspect is discussed in issue #6.
This is a problem not in the scope of the ROBERT protocol, it is a problem of the transport protocol.
It can be considered as being part of the scope of the ROBERT protocol.
Yes Indeed. Sorry the ambiguous assertion. It can be included in the Robert scope, but I assumed it was not in the "initial intended" scope of Robert which does not currrently specifies everything down to the transport layer. The networkid exposure to the trusted entity should be explained more clearly and optionally solved. In Robert protocol or another part of the whole solution.
This is indeed discussed more lengthtly in #6 (which mixes several discussions in addition to the sole networkid issue).
How does the described protocol differ from the BlueTrace/TraceTogether Whitepaper ( https://bluetrace.io/static/bluetrace_whitepaper-938063656596c104632def383eb33b3c.pdf ) which was released some time ago?
Parts that are the same in BlueTrace and ROBERT:
The only difference I can spot so far, is that no BlueTrace/TraceTogether requires people to provide a phone number. But this is not essential to their design.
ROBERT also does not explain how an infected user can upload the PoximityList to the server without leaking its identiy in form of it's permanent identifier or in form of a verification token. BlueTrace uses authorization codes to determine if an upload legitimate. This helps the health authority to deanonymize other users.