ROBERT-proximity-tracing / documents

Protocol specification, white paper, high level documents, etc.

Not hiding disease status #39

Open oblazy opened 4 years ago

oblazy commented 4 years ago

Hi...

Notwithstanding other concerns about the pertinence of the threat model, it seems Robert does not achieve Honest but Curious...

In this case, any outsider can check whether the server answers or not, to know if it was a positive covid declaration... -> Outsider can detect positive covid declaration (in particular, internet providers can do that on the fly with pre-existing infrastructure)

(Just to clarify, it is not a packet size issue, it is purely the absence of flow.)

PRIVATICS-Inria commented 4 years ago

1- About :

"Users are stored in the (backend) table as permanent IDs. Those IDs are sent through a TLS session."

As you suggested, the risks of re-identification through network connection can be mitigated through the use of Mixnet or proxy. We already suggest this countermeasure for the infection declaration phase (Section 6. Footnote 11), but it can be applied to any network communication between users and the server. We will specify that in a future version of the document.

2- About:

"When the app sends the Proximity List in case of infection, it does not get an answer. However, when the App contacts the server to get a risk assessment, it gets a feedback."

You are correct. The traffic of the infection declaration phase can betray the infection status of a user. During this phase, the traffic passes through a Mixnet; therefore, the observer would have to be placed between the user and the Mixnet to perform this attack. This is out of scope.

3- About:

"The doc still mentions that an account can be deactivated:"

This deactivation is only for the Exposure Status Request (ESR), in the sense that the app will not be able to perform other ESRs. The objective is to prevent the identification of the person by whom we’ve been infected by querying the server multiple times.
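The flow-shape leak discussed in this thread (an upload that gets no reply versus an ESR that does), modelled as a toy simulation. This is an added example, not code from the ROBERT project or from either participant; the byte sizes, the fixed-bucket padding and the fixed-size acknowledgement are assumptions used to show when the "make every request look alike" countermeasure closes the gap and when it does not.

```python
# Toy model of what an on-path observer sees per TLS request: bytes up and
# bytes down, never the payload. All sizes are constructed placeholders,
# not ROBERT values.
from dataclasses import dataclass

BUCKET = 4096      # assumed: every request is padded up to a multiple of this
FIXED_ACK = 256    # assumed: server answers every request with an ack this size


@dataclass(frozen=True)
class FlowShape:
    bytes_up: int
    bytes_down: int    # 0 means the server sent nothing back


def pad_to_bucket(n: int, bucket: int = BUCKET) -> int:
    """Round n up to the next multiple of bucket (ceil division)."""
    return -(-n // bucket) * bucket


def exposure_status_request(mitigated: bool) -> FlowShape:
    """ESR: small query; the server always replies with a risk score."""
    raw_up, raw_down = 300, 200
    if mitigated:
        return FlowShape(pad_to_bucket(raw_up), FIXED_ACK)
    return FlowShape(raw_up, raw_down)


def infection_declaration(mitigated: bool, contacts: int) -> FlowShape:
    """Proximity-list upload: grows with contacts; as described, no reply."""
    raw_up = 300 + 32 * contacts
    if mitigated:
        return FlowShape(pad_to_bucket(raw_up), FIXED_ACK)
    return FlowShape(raw_up, 0)


def observer_can_distinguish(a: FlowShape, b: FlowShape) -> bool:
    """True if metadata alone separates the two request types."""
    return a != b


def leak_present(mitigated: bool, contacts: int = 40) -> bool:
    """Does an observer between app and server learn which request this is?"""
    return observer_can_distinguish(
        exposure_status_request(mitigated),
        infection_declaration(mitigated, contacts),
    )
```

Padding to a single bucket only hides the upload if the largest legitimate proximity list still fits in that bucket; a list that spills into a second bucket is distinguishable again by size, so the padding target must cover the maximum (or the upload must be split into uniform chunks).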