ROBERT-proximity-tracing / documents

Protocol specification, white paper, high level documents, etc.

details of the upload authorization procedure #48

Open arnadu opened 4 years ago

arnadu commented 4 years ago

hi

Thank you for all this good work. May I suggest the addition of details on the protocol to authorize a user to upload their data upon being confirmed positive? Three types of privacy threats come to mind that are related to this part of the protocol.

On one hand, it will be very important to prevent people from falsely reporting that they have become positive and thus causing anxiety, embarrassment and other inconvenience to possibly a large part of the user base. A trusted authority (some sort of 'notary' actor) will be needed, along with accountability and surveillance that this authority is not being abused.

It is also possible that this verification step could create a link between some of the data records that were meant to stay separated. The 'notary' (the person who authorizes the user to release the information after verifying the test results) will have to know the identity of the person making the report, and will probably need to record the time and location of authorization (for accountability purposes). There is also a technical need to inform the user's mobile device to release the contact tracing information; this is possibly going to be based on an authorization code generated for the ID of the user, hence creating another link.

This mechanism will also be a possible vector for attacking the mobile app.

thanks - Arnaud

PRIVATICS-Inria commented 4 years ago

Hello. We agree this is key for the service, and clearly we need this upload to be validated by the health authority. We already partially answered this topic in Section 6.1:

In this document, we do not detail the interactions between AppC and the health authority. In particular, we do not present the security/authorization procedure that verifies that only authorized and positively-tested users are allowed to upload their LocalProximityList (10).

(10) One solution under study is to consider that the user obtains an authorization token from the hospital or the medical office when it is diagnosed COVID-positive. The User can then use this authorization token to validate its LocalProximityList upload.
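As an added illustration of the authorization-token idea in footnote (10), and of the linkage concern raised in the opening post, here is a Python sketch that is not code from the ROBERT repository or the specification. The names HealthAuthority, UploadServer and TOKEN_TTL_SECONDS are assumptions made for this sketch. The token is random, carries no user identifier, is stored by the issuer only as a hash, expires, and is consumed on first use, so a replayed, forged or stale token is refused by the upload server.

```python
import hashlib
import secrets

# Hypothetical parameters for this sketch (not from the ROBERT specification)
TOKEN_TTL_SECONDS = 24 * 3600   # a token is usable for one day after issuance
TOKEN_BYTES = 32                # 256 bits of randomness per token


def _digest(token: str) -> str:
    """The issuer stores only a hash of the token, so a leak of its
    database does not hand out usable upload authorizations."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class HealthAuthority:
    """The 'notary': issues one upload authorization per confirmed positive test.
    Nothing about the patient's identity is stored next to the token; any
    accountability record the authority keeps lives outside this table."""

    def __init__(self):
        self._issued = {}   # token digest -> expiry timestamp

    def issue_token(self, now: float) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)   # random, unlinkable to a user ID
        self._issued[_digest(token)] = now + TOKEN_TTL_SECONDS
        return token

    def redeem(self, token: str, now: float) -> bool:
        """Single use: valid only if the digest is known, unexpired and not yet consumed.
        pop() consumes the entry whether or not the check succeeds."""
        expiry = self._issued.pop(_digest(token), None)
        return expiry is not None and now <= expiry


class UploadServer:
    """Accepts a LocalProximityList only when the accompanying token redeems."""

    def __init__(self, authority: HealthAuthority):
        self._authority = authority
        self.accepted = []   # uploads admitted for processing

    def upload(self, token: str, local_proximity_list, now: float) -> bool:
        if not self._authority.redeem(token, now):
            return False
        self.accepted.append(list(local_proximity_list))
        return True


def demo():
    """Runs the four cases a reviewer would want to see; returns their outcomes."""
    authority = HealthAuthority()
    server = UploadServer(authority)
    t0 = 1_700_000_000.0                      # constructed timestamp
    lpl = ["ebid-sample-1", "ebid-sample-2"]  # constructed placeholder entries

    token = authority.issue_token(t0)
    first = server.upload(token, lpl, t0 + 60)                    # fresh token: accepted
    replay = server.upload(token, lpl, t0 + 120)                  # same token again: refused
    forged = server.upload(secrets.token_urlsafe(TOKEN_BYTES), lpl, t0)  # never issued: refused
    stale_token = authority.issue_token(t0)
    stale = server.upload(stale_token, lpl, t0 + TOKEN_TTL_SECONDS + 1)  # past TTL: refused
    return first, replay, forged, stale, len(server.accepted)


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the separation of duties it makes concrete: the issuer decides who may upload and keeps whatever accountability record it needs, while the upload server only learns that a valid, unused, unexpired token was presented, not who received it.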