corona-warn-app / cwa-documentation

Project overview, general documentation, and white papers. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

How are shared devices treated? #20

Closed: TomTeeJay closed this issue 4 years ago

TomTeeJay commented 4 years ago

How is the app dealing with multiple users on shared devices, esp. when used in low-income households where devices are often shared between family members?

How are privacy and data protection ensured between partners when one partner learns how many other people his or her partner meets?

How does this affect the handling of transferred TANs or even test results? What if the device is used by children, e.g. for homework?

This use-case is not mentioned in the documentation at all.

egandro commented 4 years ago

I can agree with this issue.

There are a few hundred thousand devices in mobile care alone, running in a 3-shift 24/4 mode.

These men and women visit 20-30 people per shift and have daily access to many, many people.

MalteJ commented 4 years ago

Afaik this use-case is not covered by the App. Also I currently see no way how to realize this using the Apple/Google APIs.

MalteJ commented 4 years ago

I can agree with this issue.

There are a few hundred thousand devices in mobile care alone, running in a 3-shift 24/4 mode.

These men and women visit 20-30 people per shift and have daily access to many, many people.

I hope most of them have a private phone with them. They should install the app on their private device and not on a shared device.

TomTeeJay commented 4 years ago

Afaik this use-case is not covered by the App. Also I currently see no way how to realize this using the Apple/Google APIs.

So you're saying the app is biased by design by not including low-income households? How can the collected data then be trusted for further science purposes?

egandro commented 4 years ago

I hope most of them have a private phone with them. They should install the app on their private device and not on a shared device.

Good point. The "Betriebsrat" might restrict the use of the Corona App on their work phone anyway.

TomTeeJay commented 4 years ago

I hope most of them have a private phone with them. They should install the app on their private device and not on a shared device.

Good point. The "Betriebsrat" might restrict the use of the Corona App on their work phone anyway.

In addition to this, I know of a lot of smartphones with dual SIM used as private and corporate devices. How does the app respect this use-case? Is the app biased in this case too?

ddroescher commented 4 years ago

So you're saying the app is biased by design by not including low-income households?

No, he is clearly saying that it is impossible to develop a multi-user app if you rely on the device OS to supply you with the necessary tracing data. You have to take this up with Apple and Google.

Good point. The "Betriebsrat" might restrict the use of the Corona App on their work phone anyway.

Already possible through the OS, not required at application level.

panoptikum commented 4 years ago

I hope most of them have a private phone with them. They should install the app on their private device and not on a shared device.

Good point. The "Betriebsrat" might restrict the use of the Corona App on their work phone anyway.

In addition to this, I know of a lot of smartphones with dual SIM used as private and corporate devices. How does the app respect this use-case?

From how I understand the concept, it does not interfere with this use as the phone is only used by one person.

s-martin commented 4 years ago

I hope most of them have a private phone with them. They should install the app on their private device and not on a shared device.

I agree that the use case for such an app is for personal devices only.

Even if care staff doesn't bring a personal device with them, their contacts could be traced manually by checking the shift plans.

egandro commented 4 years ago

Afaik this use-case is not covered by the App. Also I currently see no way how to realize this using the Apple/Google APIs.

Well :) You should really, really check the documents!

There are a lot of devices, e.g. Samsung devices, that have had "multiple accounts" for 2-3 years now.

Carefully read the Google docs / talk to them about how you need to treat these devices.

Edit: Every app has a "per account" storage. It "looks" like it is installed on 2-3-5 devices. So you had better check this on Android.

ddroescher commented 4 years ago

In addition to this, I know of a lot of smartphones with dual SIM used as private and corporate devices. How does the app respect this use-case? Is the app biased in this case too?

Only Bluetooth is used; GSM or SIM information has nothing to do with the tracing API.

panoptikum commented 4 years ago

How is the app dealing with multiple users on shared devices, esp. when used in low-income households where devices are often shared between family members?

How are privacy and data protection ensured between partners when one partner learns how many other people his or her partner meets?

How does this affect the handling of transferred TANs or even test results? What if the device is used by children, e.g. for homework?

This use-case is not mentioned in the documentation at all.

Do you have a reliable, preferably scientific, source which describes the shared use of devices? Honestly, I do not think this is the case among adults, at least in Germany and/or Europe. But happy to be proven wrong.

ddroescher commented 4 years ago

There are a lot of devices, e.g. Samsung devices, that have had "multiple accounts" for 2-3 years now.

Yes, but they have separated application data automatically: https://source.android.com/devices/tech/admin/multi-user

It is up to Google to handle the tracing concept for multi-user devices. The application handles this automatically as it only has access to the currently logged in user.

panoptikum commented 4 years ago

I hope most of them have a private phone with them. They should install the app on their private device and not on a shared device.

I agree that the use case for such an app is for personal devices only.

Even if care staff doesn't bring a personal device with them, their contacts could be traced manually by checking the shift plans.

I can only second this. The app is supposed to trace proximity between people who do not have and should not have personal information about one another. In the work environment, in particular care of elderly people, the employer knows who had contact with whom and at what time.

egandro commented 4 years ago

It is up to Google to handle the tracing concept for multi-user devices. The application handles this automatically as it only has access to the currently logged in user.

I agree.

In the end you have 20 devices on your desk and 19 are working, while ONE silly device isn't. That's my point. And in 90% of all cases your code is bad, not the implementation of the device.

egandro commented 4 years ago

I hope most of them have a private phone with them. They should install the app on their private device and not on a shared device.

How do you deal with people who actually have a 2nd device? Can you "neutralize" an ID?

ddroescher commented 4 years ago

How do you deal with people who actually have a 2nd device? Can you "neutralize" an ID?

You don't have to; the app doesn't store or use an ID. You can have 1 or 100 devices with you and the concept still works. It has no contact with any server unless it updates its tracking settings (distance between people, frequency, etc.), downloads "infected beacons", or if you want to notify the central health server about your infection (it sends out all stored beacons it gets from the OS). It may be annoying to get a notification on 100 devices at the same time though.

egandro commented 4 years ago

You don't have to; the app doesn't store or use an ID. You can have 1 or 100 devices with you and the concept still works. It has no contact with any server unless it updates its tracking settings

If you "meet" your 2nd device, you create an event.

You collect useless data.

Why is there a central health server? Please explain in great detail in the documentation!

s-martin commented 4 years ago

You don't have to; the app doesn't store or use an ID. You can have 1 or 100 devices with you and the concept still works. It has no contact with any server unless it updates its tracking settings

If you "meet" your 2nd device, you create an event.

You collect useless data.

I think that's a non-issue.

ddroescher commented 4 years ago

Why is there a central health server? Please explain in great detail in the documentation!

The implementation is based on the DP-3T specification. It is explained in this comic: https://github.com/DP-3T/documents/blob/master/public_engagement/cartoon/de/comic-de.pdf

The central server is necessary for devices to check if one of their own beacons was near an infected person.
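The decentralized matching described in the comment above (the server only distributes the daily keys of users who reported an infection; each device re-derives the ephemeral IDs from those keys and compares them against the beacons it observed locally) and the "meeting your own 2nd device" consequence raised earlier in the thread, as an added Python sketch. This is not code from the CWA project or from DP-3T: the HMAC-based derivation of ephemeral IDs, the fixed number of IDs per day, the device names and the simulated Bluetooth contacts are assumptions constructed for this illustration.

```python
"""Simplified model of decentralized exposure matching (added illustration,
not CWA or DP-3T code). Key derivation and rotation schedule are assumptions."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

EPHID_LEN = 16        # bytes of each broadcast identifier
EPHIDS_PER_DAY = 4    # toy rotation count; real schemes rotate far more often


def ephemeral_ids(daily_key: bytes, day: int) -> list[bytes]:
    """Derive the IDs a device broadcasts on `day` from its daily key.
    Assumption for this sketch: HMAC-SHA256 keyed on the daily key over a
    counter. Anyone holding the daily key can recompute the same IDs, which is
    exactly what lets other devices match locally after the key is published."""
    return [
        hmac.new(daily_key, f"{day}:{i}".encode(), hashlib.sha256).digest()[:EPHID_LEN]
        for i in range(EPHIDS_PER_DAY)
    ]


@dataclass
class Device:
    name: str
    daily_keys: dict[int, bytes] = field(default_factory=dict)
    observed: set[tuple[int, bytes]] = field(default_factory=set)  # (day, ephid) heard over BT

    def key_for(self, day: int) -> bytes:
        # Constructed, deterministic daily key so the demo is reproducible;
        # a real device would draw this from a CSPRNG.
        if day not in self.daily_keys:
            self.daily_keys[day] = hashlib.sha256(f"{self.name}-{day}".encode()).digest()
        return self.daily_keys[day]

    def broadcast(self, day: int) -> list[bytes]:
        return ephemeral_ids(self.key_for(day), day)

    def observe(self, other: "Device", day: int) -> None:
        """Simulated Bluetooth encounter: store only the other side's ephemeral IDs."""
        for eph in other.broadcast(day):
            self.observed.add((day, eph))

    def upload_keys(self, days: list[int]) -> list[tuple[int, bytes]]:
        """What an infected user publishes: own daily keys only. The observed
        beacons (the contact graph) never leave the device."""
        return [(day, self.key_for(day)) for day in days]

    def check_exposure(self, published: list[tuple[int, bytes]]) -> list[int]:
        """Client side: re-derive IDs from the published keys and match locally,
        so the server learns nothing about who this device met."""
        hits = set()
        for day, key in published:
            for eph in ephemeral_ids(key, day):
                if (day, eph) in self.observed:
                    hits.add(day)
        return sorted(hits)


def scenario() -> dict[str, list[int]]:
    """Constructed scenario: Alice carries two phones and meets Bob on day 1;
    Bob meets Carol on day 2; Alice then reports an infection for day 1."""
    alice, alice2 = Device("alice"), Device("alice-second-phone")
    bob, carol = Device("bob"), Device("carol")
    bob.observe(alice, 1)
    alice.observe(bob, 1)
    alice2.observe(alice, 1)     # her own second phone "meets" her first phone
    alice.observe(alice2, 1)
    carol.observe(bob, 2)
    bob.observe(carol, 2)
    published = alice.upload_keys([1])
    return {d.name: d.check_exposure(published) for d in (bob, carol, alice2)}


if __name__ == "__main__":
    print(scenario())
```

Bob is flagged for day 1 and Carol is not (she only met Bob, whose keys were never published). Alice's second phone is flagged as well, which is the "notification on all your devices" effect mentioned in the thread: the scheme has no notion of a user identity that could tie the two phones together, so a second device is simply another contact.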

egandro commented 4 years ago

The central server is necessary for devices to check if one of their own beacons was near an infected person.

Why?

  1. Create a Debian-like repository (the way we have distributed .deb files for 20 years now).
  2. Create a warning.json with the IDs of the infected persons. Sign everything with GPG, as Debian has done for 20 years.
  3. Allow users to have their own mirrors, so no IPs can be tracked.
  4. Let the user use their own server or the server of the government.
  5. Update the warning.json file every day and let the mirror software do its job.

Please DON'T fool around with "must be done in realtime" - no way! The RKI is lazy as hell and it will take "a long weekend" to update their data.

You need no central server collecting IPs.

Edit: Further discussions #13 (same issue as we have with settings.json)

TomTeeJay commented 4 years ago

Why is there a central health server? Please explain in great detail in the documentation!

The implementation is based on the DP-3T specification. It is explained in this comic: https://github.com/DP-3T/documents/blob/master/public_engagement/cartoon/de/comic-de.pdf

The central server is necessary for devices to check if one of their own beacons was near an infected person.

I am in full support of this single purpose. But unlike the comic this app is intended to

SAP and Telekom you've had one job!

bschug commented 4 years ago

How is this even an issue? If multiple people share the same device, it means they are in close physical contact with each other. I doubt they thoroughly disinfect the device every time they hand it over (if that is even possible). So they will just be treated as one. If one of them is infected, the others are likely to be as well, so for both the reporting and alerting use case, the app can safely treat them as a group.

TomTeeJay commented 4 years ago

How is this even an issue? If multiple people share the same device, it means they are in close physical contact with each other.

As I've written, this issue also covers privacy of partners or between parents and children. What will happen if a child using the device during his homework is receiving and answering health-related messages, since there is no authentication between users?

panoptikum commented 4 years ago

How is this even an issue? If multiple people share the same device, it means they are in close physical contact with each other.

As I've written, this issue also covers privacy of partners or between parents and children. What will happen if a child using the device during his homework is receiving and answering health-related messages, since there is no authentication between users?

This falls into the area of parental supervision. They could also read a message from the father/mother's affair. I suggest you provide evidence for the en masse use of shared device, as already requested earlier by me, before you go on suggesting that this is an issue. I, just a curious programmer, without any affiliation, do not see the problem.

egandro commented 4 years ago

How is this even an issue? If multiple people share the same device, it means they are in close

We have 2 possibilities.

  1. Physically sharing a device. Person A gives person B the cell phone, e.g. at the end of a shift.
  2. Using phones with multiple accounts, e.g. Samsung phones.

For 1) we learned: not possible to know if it's A or B.

For 2) it's a testing issue :( Android is a cry baby.

TomTeeJay commented 4 years ago

In addition to this, I know of a lot of smartphones with dual SIM used as private and corporate devices. How does the app respect this use-case? Is the app biased in this case too?

Only Bluetooth is used; GSM or SIM information has nothing to do with the tracing API.

Well, this is untrue. Telekom uses SIM cards for device IP authentication for its wifi hotspots in restaurants, cafés and airports in order to prevent portal sites for its customers.

This is called EAP and is defined in RFC 3748 https://tools.ietf.org/html/rfc3748

TomTeeJay commented 4 years ago

@panoptikum

Do you have a reliable, preferably scientific, source which describes the shared use of devices? Honestly, I do not think this is the case among adults, at least in Germany and/or Europe. But happy to be proven wrong.

What I can say is that several MDM systems have supported shared devices for years. They wouldn't do so without any use-case. Of course these managed devices are used within corporate environments, but in times of home office and mixed usage, and on the basis of my own observations of how employees often share their devices, esp. in low-income households, I come to the conclusion that this will be a factor.

Nevertheless SAP and Telekom must convince the people that this case is supported and privacy between multiple users on shared devices is maintained.

egandro commented 4 years ago

Nevertheless SAP and Telekom must convince the people that this case is supported and privacy between multiple users on shared devices is maintained.

We should start making a "convince list".

Edit: This should be done before the CCC guys or the GI guys do their audit. I currently see 3-4 major issues.

panoptikum commented 4 years ago

@panoptikum

Do you have a reliable, preferably scientific, source which describes the shared use of devices? Honestly, I do not think this is the case among adults, at least in Germany and/or Europe. But happy to be proven wrong.

What I can say is that several MDM systems have supported shared devices for years. They wouldn't do so without any use-case. Of course these managed devices are used within corporate environments, but in times of home office and mixed usage, and on the basis of my own observations of how employees often share their devices, esp. in low-income households, I come to the conclusion that this will be a factor.

Nevertheless SAP and Telekom must convince the people that this case is supported and privacy between multiple users on shared devices is maintained.

I'm still not convinced that this is a real issue. You've already mentioned yourself that these managed devices are used within corporate environments where I do not see the scope of this app. Generally speaking wherever people come together that know each other such an app is unnecessary. Even if people share their devices in low-income households, let's assume this for now, people probably have the possibility to restrict access to certain apps. I do not have children, but I'm sure the app stores offer apps that serve this purpose very well. If people share the phone at home, and only at home, it is not relevant for the app. I can imagine people sharing their devices at home, but do you think that people leave their devices at home or change devices in one household? One person, the one equipped with the phone by work, has ownership for the device. In my opinion, covering this case would add unnecessary complexity.

Leseratte10 commented 4 years ago

The fact that devices are shared between people is entirely in the user's hands. Android and iOS both offer functionalities to create user accounts and lock them down with different PINs / passwords.

If the user decides NOT to do that, then yeah, every other family member using this phone will be able to open the app. Same as they can read the family member's emails, SMS, messages, ... which will contain sensitive data as well. Same when a user wants to use his personal corona app on a phone that is shared between people in a company: just don't do that. Install it on your phone.

Keeping data hidden from people who the phone owner explicitly gives them access to isn't in-scope for this app. It isn't in-scope for any smartphone app.

And while Telekom uses SIM cards to authenticate people for their portals, this has absolutely nothing to do in context of this app. Only Bluetooth is used for this app.

TomTeeJay commented 4 years ago

@Leseratte10

Keeping data hidden from people who the phone owner explicitly gives them access to isn't in-scope for this app. It isn't in-scope for any smartphone app.

I am not convinced. We are talking about a health app with huge consequences for the lives of people falsely identified as positive. Any chance of reading messages by mistake or unauthorized access to test results or every possible interaction or misused interpretation of behavioural data must be ruled out from the first moment. Right now this scenario is neither considered nor ruled out.

And while Telekom uses SIM cards to authenticate people for their portals, this has absolutely nothing to do in context of this app. Only Bluetooth is used for this app.

Well, this is untrue. As mentioned in Issue #13 this app is intended to side-load and update certain unspecified thresholds and dynamic contents. It will need at least privileges for wifi and/or mobile networks to operate.

niklas2810 commented 4 years ago

I am not convinced. We are talking about a health app with huge consequences for the lives of people falsely identified as positive. Any chance of reading messages by mistake or unauthorized access to test results or every possible interaction or misused interpretation of behavioural data must be ruled out from the first moment. Right now this scenario is neither considered nor ruled out.

It is ruled out, as any person who shares the device with another person automatically is a contact (and should therefore go into self-quarantine). If users really want to share the device and use the app (which is an extreme edge case, at least to my mind) they will most probably have a similar risk of being infected, so I'd say that this is a non-issue.

It will need at least privileges for wifi and/or mobile networks to operate.

Which is true, but the authentication process with the hotspot and the actual network request are two different steps, therefore @Leseratte10 is right. Furthermore, it was already pointed out that those requests do not contain sensitive information; so even if these requests were identifiable that wouldn't be an issue.

Leseratte10 commented 4 years ago

@TomTeeJay Of course the app needs internet access (to download a list of infected IDs), I didn't say that that wasn't the case. I'm just saying that internet / SIM cards aren't used for any kind of authentication.

This was in response to your comment about dual SIM - dual SIM doesn't matter, as the SIM is only used to connect to the internet.

The scenario isn't ruled out because it is impossible to do so. You can secure your phone with a PIN, face ID, or finger print. If the user doesn't do that, then app developers can't force him to do that.

TomTeeJay commented 4 years ago

Well, let's wait for further documentation and hopefully some code.

In the meantime I am thinking about some really nasty scenarios. If there will be a chance, e.g. by managed devices shared among employees without their knowledge and consent, to prevent lockdown conditions of the company. Or about landlords putting multiple devices in their houses to track and trace their tenants. There are a lot of expected abnormal conditions. Looking forward!

kheinz57 commented 4 years ago

I am not sure if that shared case is really relevant. Obviously not for the first version (keep things simple at the start). But also from the infection point of view: sharing means close contact to those you are sharing it with most of the time. Since infection is also likely to be shared along with the smartphone anyhow, statistically it probably does not really matter very much.

tkowark commented 4 years ago

As mentioned earlier in the conversation, multi-user management is not within the currently defined scope of the application. For systems that on OS level support multiple users, the OS vendors need to ensure that the keys, ids, and contact events stored in the device's secure storage are also separated between users.

If further issues regarding this topic arise from the newly published documents (architecture document) and source code (cwa-server), we kindly ask you to open a dedicated issue for them.

Thanks a lot for all your input on the discussion!