Closed vonwenckstern closed 4 years ago
Carsten should probably notify Nils directly (as well as all other people he met with) about the fact that he has Corona, I think the idea behind this app is more to get notification from people that would normally never notify you (e.g. person sitting next to you on the train).
This is one of the risks which is inherent to the decentralized protocol. Let me try to explain in more detail: If you're able to isolate and attribute one phone (i.e. you know that your phone only had contact with one other phone and you know who this other phone belongs to) you will always be able to attribute the infection if this person later on tests positive and decides to uploads their result. The solution you're suggesting unfortunately will not work. An attacker can always download the keys of those who test positive (and decide to share this), and manually compare them with keys they observed outside of the app (e.g. by running a separate Bluetooth device with software to record the RPIs).
Also: the phone doesn't know how many people it has been in contact with. It only sees and records RPIs (which change every 10 - 15 min) and only once a contact confirms they’re infected and chooses to upload their TEKs (i.e. their daily keys) the phone could find out that some of the RPIs it recorded are from one phone, but unless all the RPIs it recorded are from persons who reported as positive, it doesn’t know how many non-infected persons it was in contact with (which is one of the properties that make the protocol privacy preserving). Additionally: even if the phone could find out how many other people it was in contact with (which it can’t), the responsible course of action would probably still be to notify everyone as soon as possible even if they didn’t have further contacts yet. After all: they might be infected with a dangerous disease and in addition to the risk for their own life they might soon go out to a large gathering and become the cause of the next superspreading event. That alone should be enough justify the impact on privacy in this case. It is also what manual contact tracers will do: they will contact Nils as soon as possible and Nils will immediately know that Carsten must have tested positive even if the contact tracers don’t tell him the name.
Btw: the case you’re describing is very similar to the comic on the frontpage of https://tracing-risks.com/. It’s one among multiple possible “attack vectors” which have been discussed. Cf. my comment here: https://github.com/corona-warn-app/cwa-documentation/issues/273#issuecomment-645322925
Kudos and a big thanks to @daimpi for explaining everything is such a great detail!
@vonwenckstern Unfortunately, I need to close this issue as a consequence. Thank you very much for your contribution.
Mit freundlichen Grüßen/Best regards, SW Corona Warn-App Open Source Team
@daimpi Thank you very much for this information including the drawbracks of this approach.
I appreciate it that you are so open :).
For all people who cannot read so good English, I translated your information via Google translate to German: tracing-risks.en.de.pdf
With the large number of random tests and that the persons are not directly informed why they are tested, the attack sceneario with the job interview would not work anymore.
Back to the use case of this ticket: It would mean, if Carsten is tested positive, the government would also go to Nils; but now, Nils and tests him. However, since the government does not tell Nils why he is tested (random or because of Carsten), Nils cannot make his 100% conclusion anymore.
@EvgenyKusmenko: FYI
Glad you found this helpful :).
Disclaimer: I’m also not an infosec expert and I’m not associated with this project in any form, I’m just an interested user.
Regarding your suggestion: i see where you’re coming from. But if only the government would be allowed to see the TEKs of people who tested positive how would it figure out which people they were in contact with? With the current system probably the best that could be done would be to upload all the RPIs a positive user has seen. But those RPIs don’t identify users. In order to do this the government would further have to query all the TEKs (or just manage them centrally in the first place) and have a mapping of TEKs to real names/addresses (after all it has to know where to go to make the tests). At this point we’ve arrived at a fully centralized system which poses a multitude of new problems:
(Probably there are even more problems with this approach, those were just the first few that came to my mind.) Maybe there are also some less problematic ways to realize a centralized system, but point 3 alone is probably already enough reason to abandon this idea (afaik France is using a centralized system without GAEN, but I don’t really know much about their implementation).
Use Case:
Carsten meets on day1: Anna and 10 further people
Carsten meets on day2: Nils alone
Carsten meets on day3 also 20 different people
Carsten gets positive tested due to Corona and shares this information with the App as he thinks it is anomyous and he met more then 30 people
Anna gets a notification that one of the people she met has Coronona
Nils get the notification that one of the people he met in the last 14 days has Corona
Question:
Possible Solution: