Closed ryanbnl closed 4 years ago
(wrong window, sorry)
I think there might be some confusion: when a user sends a report, they send data that can be used to recompute the list of TCNs they broadcast, not the TCNs they observed. This means that the server cannot create a connectivity graph. The backend server is supposed to not retain IP logs; this is less than ideal but no other alternative is practical.
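To make the distinction in the reply above concrete, here is an added example (not the project's code and not the spec itself): a simplified hash-ratchet model in which a report carries only what is needed to recompute the reporter's own broadcast TCNs, and nothing about TCNs the device observed. The "H_TCK"/"H_TCN" domain tags, the 16-byte TCN width, the stand-in rvk bytes and the half-open [j1, j2) period range are assumptions of this model.

```python
import hashlib
import os

def h_tck(data: bytes) -> bytes:
    # Ratchet hash; the "H_TCK" domain tag is an assumption of this model.
    return hashlib.sha256(b"H_TCK" + data).digest()

def h_tcn(data: bytes) -> bytes:
    # TCN hash truncated to 16 bytes (assumed width).
    return hashlib.sha256(b"H_TCN" + data).digest()[:16]

def tcn(index: int, tck: bytes) -> bytes:
    # TCN for period `index`, derived from that period's ratchet key.
    return h_tcn(index.to_bytes(2, "little") + tck)

class Device:
    """Broadcasts a hash-ratcheted TCN chain; observed TCNs never leave the device."""
    def __init__(self, rvk: bytes, rak: bytes):
        self.rvk = rvk             # public report-verification key (stand-in bytes)
        self.tcks = [h_tck(rak)]   # tck_0, derived from the private rak
        self.observed = set()      # TCNs heard from other devices
    def advance(self) -> None:     # tck_i = H_tck(rvk || tck_{i-1})
        self.tcks.append(h_tck(self.rvk + self.tcks[-1]))
    def broadcast(self) -> bytes:
        return tcn(len(self.tcks) - 1, self.tcks[-1])
    def report(self, j1: int, j2: int) -> dict:
        # Covers periods [j1, j2): rvk, tck_{j1-1} and the range. No observed TCNs.
        return {"rvk": self.rvk, "tck": self.tcks[j1 - 1], "j1": j1, "j2": j2}

def expand_report(rep: dict) -> list:
    """Anyone holding a report recomputes the reporter's own broadcast TCNs."""
    tck, out = rep["tck"], []
    for i in range(rep["j1"], rep["j2"]):
        tck = h_tck(rep["rvk"] + tck)
        out.append(tcn(i, tck))
    return out

def simulate() -> dict:
    """A broadcasts over periods 1..4, B hears periods 2 and 3, A reports periods 1..4."""
    a, b = Device(os.urandom(32), os.urandom(32)), Device(os.urandom(32), os.urandom(32))
    for i in range(1, 5):
        a.advance()
        if i in (2, 3):
            b.observed.add(a.broadcast())
    rep = a.report(1, 5)
    recomputed = expand_report(rep)
    leaked = any(t in rep.values() for t in a.observed | b.observed)
    return {"recomputed": len(recomputed),
            "matches": len(b.observed & set(recomputed)),
            "report_has_observed": leaked}
```

Matching happens on the observer's side against the expanded report, so the server only ever sees the reporter's own chain and never a list of encountered IDs.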
Aha, I had indeed misunderstood the protocol. The alternatives I can think of for hiding the IP make the process considerably more inflexible and thus impractical.
Thanks for replying.
According to the specification, when an infection is reported it includes the list of IDs which have been encountered by the device within the infectious time (whatever that is configured to be).
What is to stop a connectivity graph being created between infected persons?
What is to stop the organization hosting the backend from collecting IP addresses and other information from the API calls, thus connecting IP addresses to the device IDs?
What is to stop said (presumably centralized) party from combining that information from all reported infections with other datasets in their data warehouses to create a connection graph of (probably) people, with date/time information but obviously without directly having the location information?