admin-ch / CovidCertificate-App-Android

CovidCertificate Apps for Android
Mozilla Public License 2.0

Release notes for v3.0.0 - wrong reason for no certificate light for 2G #366

Closed rhunger closed 2 years ago

rhunger commented 2 years ago

Release notes for v3.0.0 (https://github.com/admin-ch/CovidCertificate-App-Android/releases/tag/v3.0.0-3000001-verifier) claims

In order to be able to guarantee data protection, the verification of a certificate light is not possible when 2G is applied.

The reason "to guarantee data protection" for not allowing a certificate light in 2G mode seems wrong.

Currently, in a 2G situation the certificate full is needed. This reveals much more information than necessary to check for 2G. Consequence: currently no data protection at all is available in a 2G situation.

Please clarify this in the release note.

goebelUB commented 2 years ago

Thanks for your question, I absolutely agree that this phrasing is confusing and could have been clearer.

When saying "to guarantee data protection" the question is: which data do you want to protect? There are two main sets of critical data: 1) the type of certificate (test, vaccination, recovery) and 2) the medical details.

The current certificate light protects both.

As you correctly stated in #367 one approach would be to have a completely separate cert-light-2G. That's possible, but takes longer to implement than the 2G/3G mode switch (which itself was already a rush in 2 weeks).

Other approaches, like adding a flag is2G to the existing cert light would be quicker to implement, but would not guarantee data protection in 3G contexts anymore (since it would leak to the 3G-verifier whether you are tested).

As a sidenote, you may also want to consider the following questions (keyword: risk impact assessment):

To get back to the "guarantee data protection" part: in order to guarantee data protection in 3G I don't see how you can adapt the existing cert light to work in 2G while having the same properties. In other words, this sentence in the release notes is about stating that the focus currently lies on not weakening the data protection in 3G.

I hope that explains the reasoning behind that sentence. Personally I absolutely agree that a second cert-light-2G would be nice, we can track this in #367.
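As an added illustration (not code from this thread or the app), the model below compares what a verifier in 2G or 3G mode can learn from the full certificate, from the existing certificate light, and from the hypothetical is2G-flag variant discussed above; the field names, the constructed sample certificates and the "possible types" inference are assumptions for the example, not the app's data model.

```python
from dataclasses import dataclass
from typing import Optional, Set, Union

ALL_TYPES = {"vaccination", "recovery", "test"}
TWO_G_TYPES = {"vaccination", "recovery"}


@dataclass(frozen=True)
class FullCert:
    """Constructed stand-in for a full certificate: carries type and medical details."""
    cert_type: str          # "vaccination" | "recovery" | "test"
    medical_details: dict   # e.g. vaccine product, test result, dates


def issue_light(cert: FullCert) -> dict:
    """Existing certificate light: only 'valid under 3G', no type, no details."""
    return {"valid_3g": cert.cert_type in ALL_TYPES}


def issue_light_with_flag(cert: FullCert) -> dict:
    """Hypothetical variant from the thread: light certificate plus an is2G flag."""
    return {"valid_3g": cert.cert_type in ALL_TYPES, "is2G": cert.cert_type in TWO_G_TYPES}


def verifier_learns(presented: Union[FullCert, dict], mode: str) -> dict:
    """What a verifier in `mode` ("2G" or "3G") can deduce from what it is shown.
    accepted=None means the presented format cannot answer the question at all."""
    if isinstance(presented, FullCert):
        # Full certificate: type and medical details are exposed in either mode.
        ok = presented.cert_type in (TWO_G_TYPES if mode == "2G" else ALL_TYPES)
        return {"accepted": ok, "possible_types": {presented.cert_type}, "details": True}
    if "is2G" in presented:
        # The flag answers the 2G question, but a 3G verifier sees it too and can
        # narrow the type: is2G False with a valid 3G cert can only mean "test".
        types: Set[str] = TWO_G_TYPES if presented["is2G"] else {"test"}
        ok = presented["is2G"] if mode == "2G" else presented["valid_3g"]
        return {"accepted": ok, "possible_types": types, "details": False}
    # Plain certificate light: fine for 3G, but it cannot decide a 2G check.
    if mode == "2G":
        return {"accepted": None, "possible_types": ALL_TYPES, "details": False}
    return {"accepted": presented["valid_3g"], "possible_types": ALL_TYPES, "details": False}


# Constructed sample holder: a tested person (valid under 3G, not under 2G).
TESTED = FullCert("test", {"result": "negative", "sample_date": "2021-12-01"})

if __name__ == "__main__":
    for label, shown in [("full", TESTED), ("light", issue_light(TESTED)),
                         ("light+is2G", issue_light_with_flag(TESTED))]:
        for mode in ("3G", "2G"):
            print(label, mode, verifier_learns(shown, mode))
```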

rhunger commented 2 years ago

Thank you for the fast and very detailed answer and also sharing the thoughts and trade-offs considered in the design. Appreciated! I hope for and look forward to a second cert-light-2G.