ROBERT-proximity-tracing / documents

Protocol specification, white paper, high level documents, etc.

robert. (fraudulent) server may de-anonymize infected user. #60

Open phsmadja opened 4 years ago

phsmadja commented 4 years ago

When a user sends an Exposure Status Request, she implicitly reveals to the server that she did not send an Infected Declaration. Therefore, for each Infected Declaration, the server can build a list of possible senders of the request (the EBIDs not referred to in the Infected Declaration). On each Exposure Status Request, the server deletes the ESR's EBID from all the sender lists. When a list has one element, this element refers to the EBID of an infected user.
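The elimination the comment above describes, as an added simulation (not part of the original issue and not ROBERT project code). Integers stand in for EBIDs, each user is assumed to hold a single EBID, and the server is assumed to know every EBID it has issued; the `CuriousServer` and `run_attack` names and the contact sets are constructed for this illustration.

```python
# Added simulation of the candidate-list elimination described in the issue.
# Constructed example, not ROBERT reference code: integers stand in for EBIDs,
# one EBID per user, and the server is assumed to know the EBIDs it issued.

from dataclasses import dataclass, field


@dataclass
class CuriousServer:
    """Back end that keeps, per Infected Declaration, the set of EBIDs that
    could have sent it, and prunes that set with every Exposure Status Request."""

    issued: set                                  # every EBID handed out (assumption)
    candidates: list = field(default_factory=list)  # one candidate set per declaration
    inferred: set = field(default_factory=set)      # EBIDs pinned down as infected

    def on_infected_declaration(self, contact_ebids):
        # The upload lists the EBIDs the infected user *collected*; it never
        # contains her own EBID, so the sender is one of the issued EBIDs that
        # the upload does not refer to.
        self.candidates.append(self.issued - set(contact_ebids))
        self._check()

    def on_exposure_status_request(self, sender_ebid):
        # Asking for one's status implicitly says "I did not declare infection",
        # so the sender can be struck from every candidate set.
        for cands in self.candidates:
            cands.discard(sender_ebid)
        self._check()

    def _check(self):
        # A candidate set that has shrunk to one element names a declarer.
        for cands in self.candidates:
            if len(cands) == 1:
                self.inferred |= cands


def run_attack(n_users, declarations, esr_senders):
    """declarations: list of (declarer, contacts) pairs; the declarer's own EBID
    is never transmitted and is only kept here to build the upload.
    esr_senders: EBIDs that send an ESR afterwards (e.g. one daily status check
    per healthy user). Returns (inferred_infected, remaining_candidate_sets)."""
    server = CuriousServer(issued=set(range(n_users)))
    for _declarer, contacts in declarations:
        server.on_infected_declaration(contacts)
    for ebid in esr_senders:
        server.on_exposure_status_request(ebid)
    return server.inferred, server.candidates


if __name__ == "__main__":
    users = 10
    # User 3 declares after meeting users 1, 4 and 7; every healthy user polls.
    healthy = [u for u in range(users) if u != 3]
    inferred, _ = run_attack(users, [(3, [1, 4, 7])], healthy)
    print("single declaration, everyone else polls:", inferred)

    # Two declarers who never met each other: both candidate sets stop at size 2.
    healthy = [u for u in range(users) if u not in (3, 8)]
    inferred, lists = run_attack(users, [(3, [1, 4, 7]), (8, [2, 5])], healthy)
    print("two declarers, remaining sets:", lists, "inferred:", inferred)

    # Only some of the healthy users poll: the elimination stalls.
    inferred, lists = run_attack(users, [(3, [1, 4, 7])], [0, 1, 2, 4])
    print("sparse polling, remaining sets:", lists, "inferred:", inferred)
```

The three runs show the two sides of the thread: when every user who did not declare sends an ESR, the single declarer's set collapses to her EBID alone; when ESRs are sparse, or when two declarers never met each other, the sets stop shrinking before they reach one element.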

vincent-grenoble commented 4 years ago

Hello @phsmadja.

Your comment shares some similarities with Issue #39 ("Not hiding disease status"), although it raises a different topic. How to manage such aspects is indeed a bit subtle, and version 1.0 of ROBERT lacks details on how to address them.

That being said, I don't think that in practice the server will be able to narrow down the candidate list to one, as ESRs happen with a low frequency, while Infected Declarations will happen continuously.

And an "honest but curious" server won't do that as it requires modifying the back-end software ;-). But I don't want to re-open this question (as we already said in Issue #2 : "This topic could be discussed for hours, clearly. However, when looking at the “avis CNIL sur le projet d’application mobile StopCovid”, we have the feeling this is a reasonable assumption.").

Thank you for your feedback. Cheers.

phsmadja commented 4 years ago

As far as I understand, this issue has not been raised in #39, nor in #2. Contrary to the statement above, and hopefully, we can expect far more ESRs than Infected Declarations: a user will probably check her status daily.