corona-warn-app / cwa-wishlist

Central repository to collect community feature requests and improvements. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0
105 stars 14 forks source link

Location and exact date of a low risks (green) contact #206

Open kristijorgji opened 4 years ago

kristijorgji commented 4 years ago

Feature description

Every time two devices exchange ids for the first time, store the location and start datetime of this event.

Keep this in your servers, and if one of these contacts is later confirmed positive instead of showing other people messages like "you have low risk and met 2 infected people"

would be more effective to show also show the location + exact time of start of contact so people can self asset the risk and act responsible

Problem and motivation

The problem is that many people I know me included are deleting the app because knowing that I was near 3 infected people, and seeing low risk notification is making me more stressful because I cannot see the location and exact date of the encounter and this information is useless. What is the point of knowing that you were near positive contacts, and see there "low risk, nothing to do". You can just not show that was near 3 positive people then.

The screen in app is this one: 122114475_1086715385099869_711951589517145213_n

For example if I could see location and time and see that ok " Sunday 18 October 11 AM someone positive was nearby, then I can reason like example: was out in park, so nothing to worry maybe someone passed by that was diagnosed positive later" And on the other hand, if I was in a closed space at that time, can act more carefully to avoid getting other people sick and try to stay more separate for some days and so on.

Also in the park simple example, people can self asses the risk and not be stressed with abstract information like "low risk but you were 3 positive people" that is very abstract to process and reason So as you can see can avoid unecesary stress and provide more specific information about my risk level.

So to summarise:

  1. Allows possibility of better risk calculation by the individual themselves
  2. Less stress and more useful information by knowing more details
  3. Avoid further infections. Example if you go to a place where is someone tested positive repeatedly more chance to get sick, but if know at least the location can be more careful

Is this something you're interested in working on

Yes I am interested to work in this and would like for someone to explain later the data structure and if location and start time of the handshake is stored and where.

I can contribute in the Android project as have more experience, but also in Swift I can get by try to add the feature in the IOS app. Meanwhile am looking at the java backend to find out if such information is stored and how

Privacy concerns

I have thought this in detail and have the plan how to still maintain full privacy. In general the requested feature does not disclose any identity information so is totally safe, but there can be one case where the identity is disclosed indirectly, at that case is:

You see the location and time of one encounter with someone tested positive, but only 1 person was at that time and location (ex you were at friend house). So we can find out the identity ourselves based on location, time

But this can be easily avoided, for cases where our device exchanged id with only another device and this device came out positive then still show the previous screen without location and time.

For all other times, where there is more then 1 person (ids exchanged devices) then show also location and time.


Internal Tracking ID: EXPOSUREAPP-3669

Ein-Tim commented 4 years ago

My opinion:

There are two problems with this proposal:

  1. The exact time of an exposure is not exposed to CWA by ENF and, the greater problem:
  2. Neither CWA nor ENF are using your Location Data to trace your contacts. I'm not sure if the most people would support an extension from ENF with GPS Data, I personally would deinstall the App if it would request my Location.

Related Issue: A Related Issue to your proposal is #178

daimpi commented 4 years ago

@kristijorgji as @Ein-Tim already stated above: your current proposal is not feasible within the ENF and CWA framework. If you have an Android device you can get this functionality by using corona-warn-companion in RaMBLE mode though.

Similar requests:

kristijorgji commented 4 years ago

My opinion:

There are two problems with this proposal:

  1. The exact time of an exposure is not exposed to CWA by ENF and, the greater problem:
  2. Neither CWA nor ENF are using your Location Data to trace your contacts. I'm not sure if the most people would support an extension from ENF with GPS Data, I personally would deinstall the App if it would request my Location.

Related Issue: A Related Issue to your proposal is #178

My opinion:

There are two problems with this proposal:

  1. The exact time of an exposure is not exposed to CWA by ENF and, the greater problem:
  2. Neither CWA nor ENF are using your Location Data to trace your contacts. I'm not sure if the most people would support an extension from ENF with GPS Data, I personally would deinstall the App if it would request my Location.

Related Issue: A Related Issue to your proposal is #178

There seems to be one misunderstanding here that from which device those data will be taken. Both location and time of encounter will be OPTIONAL feature which people can enable or not themselves on their phones. So in you case, you don't have to uninstall anything but just leave the option disable, in the case of 95% of users I know they want this feature and would enable both location and time tracking so there is no concern about this part here.

The only problem here that I see is technical as does not expose location or time of handshake, so have to make extension there for or some other solution

daimpi commented 4 years ago

@kristijorgji recording/sending and matching rolling proximity identifiers (RPIs) is done by the Google/Apple Exposure Notification Framework (ENF) not by CWA. CWA doesn't come into contact with the RPIs, they're all (intentionally) handled within ENF.

Additionally: ENF based apps (like CWA) are not allowed to request location permissions by Google/Apple.

Ein-Tim commented 4 years ago

@kristijorgji Okay well, when these features are optional this is something what can be discussed... But there is still the problem @daimpi stated that this isn't possible with the currently used ENF technology. But since this is the wishlist I think this Issue is okay to stay open (could still be that the Developers say something else, but yeah πŸ‘)

kristijorgji commented 4 years ago

Yes exactly the features are optional, and those people that find app useless without those features will not have to uninstall anymore, but instead keep the app and contribute with their data. Idea is to make app more appealing and useful to mass population because as we know, the more participants the more useful the app is. Meanwhile I am checking ENF draft and if there are some workarounds for the location

daimpi commented 4 years ago

@kristijorgji is your proposal to encode the location information in the RPI (i.e. decision on location sharing is made by the sending device) or is the idea to record the location info on the receiving device and let the receiver make this decision?

You might find some of the following resources helpful:

kristijorgji commented 4 years ago

@daimpi thanks for the resources checking them. Yes the idea is to be on the sending device, so for example I am the user interesting in enabling this optional option and I enable it "storing of location and time for the encounters" Afterward, when I get new "handshakes" with other devices before sending the initial contact to server also fetch my location and add it to the request.

Then later on if the other contact is reported positive and I get notified about this low risk danger, I should be able to see the location and time (of course if I enabled these optional options and those are stored)

daimpi commented 4 years ago

@kristijorgji

so for example I am the user interesting in enabling this optional option and I enable it "storing of location and time for the encounters" Afterward, when I get new "handshakes" with other devices before sending the initial contact to server also fetch my location and add it to the request.

Then later on if the other contact is reported positive and I get notified about this low risk danger, I should be able to see the location and time (of course if I enabled these optional options and those are stored)

First of all: this would be something Google/Apple have to add to ENF, there is nothing CWA can do about this. And this would require a major change in their design philosophy, so I doubt that they would ever do this.

But let's set those problems aside for now: If I understand you correctly, in the scenario you describe above, you're meeting a person who is infected and you would later on like to know the date/location of this encounter. First of all: you as the non-infected person won't send anything to the server, you're just downloading the diagnosis keys (DKs) of infected ppl who decided to share them.

But now you (the non infected person) are making a decision which affect the privacy posture of the infected person, b/c you'll be able to know where you met them, but not the other way around.

If anything I'd suggest to have consent be requested from the other side i.e. from the infected person who is kindly sharing their DKs. In this scenario (where Google/Apple are just bending to our wishes) I could imagine an option for an infected person to allow their contact's to see the location/time of the encounter (this could be implemented e.g. via an option to broadcast RPIs which contain location information).

ehambuch commented 4 years ago

I think it would be sufficient in the first step to find out the day of exposure. The information would help any affected person to think over "where have I been on that day". As we are all supposed to limit our contacts, the activities should be limited to "way to work", "work", "supermarket" and "home".

Isn't it possible to derive the day from the Temporary Exposure Key (TEK) that is generated every 24hours?

Ein-Tim commented 4 years ago

@ehambuch For sure this would be possible and this is requested here: #178 Feel free to vote up πŸ™‚

juergenruge commented 4 years ago

This request for improvwment is really important to raise the acceptance of the cwa and avoid that people uninstall it. I myself have had an issue with error 39508 starting on 27.09., solved with update on 15.10. and 24 hours not opening the cwa. Result: 2 contacts with low risks. I closed the cwa and opened it again 2 hours later, and result: no contacts low risk. Definetly it' s needed to have a date and time stamp for the contacts, which should be possible to get when codes are exchanged. Location itself it would be great to have, but not mandatory. Only then, and I support this request, wie are able to take the right next steps. Btw. NSA and CIA are able to find you in 15 minutes, when using a mobile device with Android or IOS, even when you have switched of your phone.and have not activated the location function....

daimpi commented 4 years ago

@juergenruge

Result: 2 contacts with low risks. I closed the cwa and opened it again 2 hours later, and result: no contacts low risk.

Do you by chance remember whether a check was performed in the two hours between you opening CWA for the first and second time? Could you share your EN log here?

Definetly it' s needed to have a date and time stamp for the contacts, which should be possible to get when codes are exchanged.

Getting exact timestamps of encounters is not possible if you don't have root b/c this information is not exposed by ENF to CWA (cf. here).

Getting the day of the encounter also for green encounters would be easy though. Feel free to upvote #178 πŸ™‚.

ohobby commented 4 years ago

From my own experience, I can report that reporting that you have had one or more low risk encounters, but you don't know when it happened, causes many people to panic and/or brood a lot about when and where it happened. My partner and some friends are such candidates. For this reason it would be very important that the date of the encounter is mentioned very quickly, even in the case of low risk encounters. This would help some users not to panic or brood. And prevent many requests to the health department and/or doctor.

webermike commented 4 years ago

Please show Date and Time of later on announced risk contacts, even if this leads to still having a green status.

As such contacts might occur only at shopping or eating in a restaurant, one can reconstruct with Date and Time where one habe been and if shopping or queuing anywhere is the risk reason.

This would enhance the analyse and discussion and avoiding of behavior in the future much, when it ia shown if the risk contact was at 8:00 in the bus ir at 12:00 in the McDonalds restaurant or at work at 10:00 o'clock at a certain date/day.

so it is not about "10 days ago" but about exact time and day.

Thanks for implementing that local showup fast.

daimpi commented 4 years ago

@webermike see my answer above. Also: feel free to upvote #178.

webermike commented 4 years ago

I see location and geo location as a problem. Butbthe exact time stamp day:hour:minute is not a problem, as these need to be informed in case. In both directions that is the sense and be thankful about it. I know l met Anke at that day and time and she got a positive result helps me also as to know in the bus was someone at that exact time.

daimpi commented 4 years ago

@webermike as others have already explained in the other thread: you have to distinguish between

  1. the Exposure Notification Framework (ENF) which is provided by Google/Apple and
  2. CWA which docks onto ENF and is developed by SAP/RKI.

ENF doesn't provide exact timestamps to CWA via the API instead this information (which o/c exists inside ENF) is only exposed with a one day granularity. In order to change this Google/Apple would therefore have to be convinced. As a workaround I would recommend using the warn-app-companion if you have an Android device πŸ™‚.

heinezen commented 4 years ago

Hello community,

Thank you for the suggestions and the ongoing discussions. We have mirrored the request to the internal Jira, so iit can be tracked by the developers. We will inform you about any updates on this topic as soon as we get them.

Regards, CH


Corona-Warn-App Open Source Team

kyklos commented 4 years ago

Any update on this request available?

heinezen commented 4 years ago

@kyklos No, nothing new yet.


Corona-Warn-App Open Source Team

thomasaugsten commented 4 years ago

There are no plans from google and apple side to provide location or the exact time. In the future we will integrate a list of days and the number of exposures on this days

Ein-Tim commented 3 years ago

@thomasaugsten

Can you tell us for which version this list is planned?

schaupets commented 3 years ago

I would like to emphasize the need for this proposed feature (Location and date for risks) with some arguments:

Solution: I would modify the suggested solution as follows:

  1. Store location and time only locally on the phone for contacts, not on central servers.
  2. For privacy of the infected: Blur the location to a range of e.g. 200m and store day + hour only, not down to the minute.

From the comments, I have learned that two restrictions prevent the implementation:

  1. The exact time of an exposure is not exposed to CWA by ENF, only the day.
  2. ENF based apps (like CWA) are not allowed to request location permissions by Google/Apple.

But the need for the feature is still there and does not go away from the restrictions. So changing the restrictions / APIs or workarounds should be discussed. Yes, this change may be a difficult process, but maybe it will be successful for the next Pandemic.

Data privacy considerations: Due to local storage of the location, no central tracking of users is possible.

The only attack to privacy can be done by other users (which is illegal anyway from current laws). Still the protection of the infected person is an issue, but the concerns can be removed considering three cases: Case 1: The infected contact person belongs to my circle of acquaintances (friends, colleagues): These contacts should match the manual contact diary in the app. The contact person knows me and vice versa. Then this infected contact person must compulsorily report me to the health department anyway. Currently the health offices ask the infected to inform me personally about the infection and go into quarantine. Mutal information about the infection is requested anyway. Case 2: The infected contact does not know me and I do not know him: This is typical for public spaces, mass transit, trains, planes, stores, etc. With blurred location and day+hour, I cannot identify an individual infected person. Case 3: I may know the infected contact person (VIP), but he/she does not know me. In this case the contact is probably in a public place, see case 2, an unique assignment is unlikely. In addition, infections of VIPs are generally also public knowledge, as they have to be quarantined.

Summary: local storage and display of blured location and day+hour do not give more information about the other infected person as requested by Infektionsschutz anyway.

Some comments on Acceptance: A comment said β€œI personally would deinstall the App if it would request my Location.β€œ Given the amount of location information that is sent to Google anyways, I do not understand the concern, given that the location is stored only local by CWA and not given to Google/Apple. In general I would reply to the concerns:

Outlook to further benefits: If the (blurred) location is available, it could be sent voluntarily and anonymously to a central RKI server without ID, Time or other related info to the user. Voluntarily. Location only. Only RKI has access to the data. Then RKI can perform analyses on HotSpots and Lockdown measures can be taken based on real data. But that’s another story.
So far my New Year wishes and dreams for 2021.

Grossstadtkind commented 3 years ago

I would like to emphasize the need for this proposed feature (Location and date for risks) with some arguments:

* The display of non-critical contacts without time and location is completely useless for the user, as he cannot derive any measures to better protect himself.

* People do get infected by people ( as Mr.Kelber says, the Bundesdatenschutzbeauftragter) but they get infected in certain places. And I can protect myself only if I avoid these places. To do this, I need the location of the contacts.

* The risk assessment of the CWA cannot consider my own protection (mask) and circumstances (outside, wind, walls). Therefore the location and time are necessary for my own assessment in order to avoid unnecessary panic and quarantine.

* According to RKI, 85% of infections are not traceable. Therefore, the current contact restrictions are not backed by data, but are purely political measures and do not necessarily protect me.

Solution: I would modify the suggested solution as follows:

1. Store location and time only **locally** on the phone for contacts, not on central servers.

2. For privacy of the infected: Blur the location to a range of e.g. 200m and store day + hour only, not down to the minute.

From the comments, I have learned that two restrictions prevent the implementation:

1. The exact time of an exposure is not exposed to CWA by ENF, only the day.

2. ENF based apps (like CWA) are not allowed to request location permissions by Google/Apple.

But the need for the feature is still there and does not go away from the restrictions. So changing the restrictions / APIs or workarounds should be discussed. Yes, this change may be a difficult process, but maybe it will be successful for the next Pandemic.

Data privacy considerations: Due to local storage of the location, no central tracking of users is possible.

The only attack to privacy can be done by other users (which is illegal anyway from current laws). Still the protection of the infected person is an issue, but the concerns can be removed considering three cases: Case 1: The infected contact person belongs to my circle of acquaintances (friends, colleagues): These contacts should match the manual contact diary in the app. The contact person knows me and vice versa. Then this infected contact person must compulsorily report me to the health department anyway. Currently the health offices ask the infected to inform me personally about the infection and go into quarantine. Mutal information about the infection is requested anyway. Case 2: The infected contact does not know me and I do not know him: This is typical for public spaces, mass transit, trains, planes, stores, etc. With blurred location and day+hour, I cannot identify an individual infected person. Case 3: I may know the infected contact person (VIP), but he/she does not know me. In this case the contact is probably in a public place, see case 2, an unique assignment is unlikely. In addition, infections of VIPs are generally also public knowledge, as they have to be quarantined.

Summary: local storage and display of blured location and day+hour do not give more information about the other infected person as requested by Infektionsschutz anyway.

Some comments on Acceptance: A comment said β€œI personally would deinstall the App if it would request my Location.β€œ Given the amount of location information that is sent to Google anyways, I do not understand the concern, given that the location is stored only local by CWA and not given to Google/Apple. In general I would reply to the concerns:

* People who like the App will get more benefits from this feature

* People who do not like the App, have not installed it

* People who do not want to be recognized as infected, just do not register their infection in the CWA (what happens frequently right now, unfortunately)

* It must be stated clearly, that the location + Date is only stored locally on the mobile phone.

Outlook to further benefits: If the (blurred) location is available, it could be sent voluntarily and anonymously to a central RKI server without ID, Time or other related info to the user. Voluntarily. Location only. Only RKI has access to the data. Then RKI can perform analyses on HotSpots and Lockdown measures can be taken based on real data. But that’s another story. So far my New Year wishes and dreams for 2021.

In addition to schaupit's suggestion: Could location and time be stored locally in encrypted form so that no movement profile could be read out even in the event of unauthorized access to the smartphone?

Could the location and time be displayed automatically if the signals of at least 10 (e.g.) other apps had been received at the time of the contact? This would improve anonymity and at the same time give an indication of "cluster events" (public transport,...). This as an addition to the QR-code-based "Crowd-Notifier" development.

ctueck commented 3 years ago

I'd like to bring in one other thought: maybe there's a need for more explanation what low risk contacts mean? Personally, I have taken them simply as reassurance that the app is actually working. :) I anyway know that going to places where other people are - supermarket, street, bus, ... - bears a certain risk of walking past somebody with Covid-19 at some point.

And making decisions based on the number of low-risk encounters captured by ENF (the like of: supermarket A is more risky than fast-food outlet B) might also risk attaching much more meaning to it than accuracy of the protocol and adoption rate would justify. (At least as far as I understand, there's a fair amount of randomness/chance involved in how many identifiers are exchanged in one supermarket visit or another.)

PS: Personally, I believe there are important reasons why ENF prevents exact time-stamping of encounters and disallows apps to also use location services. But showing the dates of encounters seems a good compromise to satisfy the more curious users.

Ein-Tim commented 3 years ago

Starting with v 1.12.0 it will be possible to see when you had encounters: https://github.com/corona-warn-app/cwa-app-ios/pull/1801

ndegendogo commented 3 years ago

The use case they have in mind is interesting. If I know the day of contact I can decide to warn other people I met on that day. Because they may have been exposed to the same infective person.

Ein-Tim commented 3 years ago

Just btw maybe somebody can correct the typo in the title?

32u-nd commented 3 years ago

I have a question for clarification on this topic: I know the RPIs, AEMs and timestamps for each contact. The TEKs are downloaded and compared with the list of my collected RPIs. Even if I get a match to multiple RPIs, I can narrow it down to the timestamp of matching RPIs. Or is my assumption simply wrong?

Downloaded exposure.db and analyzed with SQLite browser. I'm running LineageOS without any Google services and therefore use the F-droid fork, but this feature should be exactly the same.

grafik

thomasaugsten commented 3 years ago

The assumption is correct