ROBERT-proximity-tracing / documents

Protocol specification, white paper, high level documents, etc.

Abuse of the word "anonymous" #26

Open bortzmeyer opened 4 years ago

bortzmeyer commented 4 years ago

It seems that the ROBERT document uses "anonymous" quite liberally. The worst is "anonymous pseudonym" (an oxymoron) in the summary document. Anonymity requires the lack of traceability. If identifiers are permanent, they cannot be called "anonymous". This sloppy use of "anonymous" is common in the paper.

ldubost commented 4 years ago

There are indeed a few places where the pseudonyms don't seem to be impossible to trace:

1/ It is mentioned they are generated by the server, which "knows" they are linked to your application. Since the application connects from an IP address, there is already a trace between the pseudonyms and an IP address, and then a trace between each pseudonym, available to the authority.

2/ At every "exposure status request" there is again the connection metadata that is available. There are also all the other pseudonyms, which could be used to create a social graph and help with identifying users.

So unless there is a mechanism to protect the connection metadata from the authority, there is already some important information linked to the pseudonyms.

Knowing that fixed IP addresses (many of the boxes at home or at work) are already reversible to a geo-location by anybody, and most IPs are reversible to the customer by the operators, it's not clear how the anonymity is a given here.

ThomasFournaise commented 4 years ago

As long as IDs are generated centrally, "anonymous" cannot be used. For security purposes you must store the IPs that send requests. By exporting the table and the logs you can then cross-reference the information and get a link IP / IDs, even if this link is not stored in the database. The whole protection is said here to be "Authority is honest but curious", so you must trust the government, and what could go wrong....
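The cross-referencing described in the two comments above (registration table joined with ordinary access logs by timestamp, and exposure status requests used to sketch a social graph), as an added illustration that is not code from the ROBERT project. Every record format, identifier, IP address and endpoint path below is constructed for the example and does not reflect ROBERT's actual wire or storage format; the point is only that a server keeping standard request logs can recover the IP / ID link without ever storing it.

```python
"""Added illustration (not ROBERT project code): re-linking centrally issued
pseudonyms to client IP addresses by joining the issuance table with a
request log, then lifting contact edges from exposure status requests to
IP level. All data and formats here are constructed for the example."""
from collections import defaultdict
from datetime import datetime

# Hypothetical id-issuance table: deliberately stores no IP address.
REGISTRATIONS = [
    ("id-A1", "2020-04-20T10:00:01"),
    ("id-B2", "2020-04-20T10:00:07"),
    ("id-D4", "2020-04-20T10:00:08"),   # issued one second after id-B2
    ("id-C3", "2020-04-20T10:05:30"),
]

# Constructed web-server access log, the kind kept "for security purposes".
ACCESS_LOG = """\
2020-04-20T10:00:01 203.0.113.10 POST /register 200
2020-04-20T10:00:07 198.51.100.7 POST /register 200
2020-04-20T10:00:08 198.51.100.99 POST /register 200
2020-04-20T10:05:30 192.0.2.45 POST /register 200
2020-04-20T11:00:00 203.0.113.10 POST /exposure_status 200
"""

# Constructed exposure status request bodies (hypothetical format):
# (timestamp, requesting id, ids the requester encountered).
ESR_LOG = [
    ("2020-04-20T11:00:00", "id-A1", ["id-B2", "id-C3"]),
    ("2020-04-20T11:30:00", "id-B2", ["id-A1"]),
]


def parse_access_log(text):
    """Parse constructed access-log lines into (timestamp, ip, path) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, path, _status = line.split()
        entries.append((datetime.fromisoformat(ts), ip, path))
    return entries


def link_ids_to_ips(registrations, access_entries, path="/register", window_seconds=2):
    """Join the issuance table with the access log on timestamp proximity.

    Returns {id: set of candidate IPs}. One registration per window gives a
    single candidate; registrations that land in the same window give several,
    so the join is approximate and the caller must handle ambiguity.
    """
    links = defaultdict(set)
    for pid, issued in registrations:
        issued_at = datetime.fromisoformat(issued)
        for ts, ip, p in access_entries:
            if p == path and abs((ts - issued_at).total_seconds()) <= window_seconds:
                links[pid].add(ip)
    return dict(links)


def build_social_graph(esr_log):
    """Undirected contact edges recoverable from exposure status requests."""
    edges = set()
    for _ts, requester, contacts in esr_log:
        for contact in contacts:
            edges.add(frozenset((requester, contact)))
    return edges


def ip_level_graph(links, edges):
    """Rewrite id-level edges as IP-level edges where both ends are linked
    unambiguously (exactly one candidate IP per id)."""
    out = set()
    for edge in edges:
        a, b = tuple(edge)
        if len(links.get(a, ())) == 1 and len(links.get(b, ())) == 1:
            out.add(frozenset((next(iter(links[a])), next(iter(links[b])))))
    return out


if __name__ == "__main__":
    links = link_ids_to_ips(REGISTRATIONS, parse_access_log(ACCESS_LOG))
    edges = build_social_graph(ESR_LOG)
    print("id -> candidate IPs:", links)
    print("id-level contact edges:", edges)
    print("IP-level contact edges:", ip_level_graph(links, edges))
```

Shrinking the join window reduces false candidates but not to zero under load, which is why the ambiguity is returned to the caller rather than silently resolved; the exposure status request in the log also carries the requester's IP directly, so that id needs no join at all.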

kaythxbye commented 4 years ago

Honest but curious is not even enough, it should be changed to trusted. The authority is required to delete messages (that could be used to reconstruct social graphs), a curious authority will not delete anything. So the whole assumption in this part of the attacker model is wrong in my opinion.

bortzmeyer commented 4 years ago

> So unless there is a mechanism to protect the connection metadata from the authority, there is already some important information linked to the pseudonyms.

I'm afraid you are talking about something different. I mentioned the fact that ROBERT is not anonymous. You speak about the fact that pseudonyms can be linked to external identities, which is an important problem but not the same.

bortzmeyer commented 4 years ago

> Honest but curious is not even enough, it should be changed to trusted.

See ticket #13