Open kolAflash opened 3 years ago
Ein-Tim
commented
3 years ago FYI: The UK tried something like this with their app ("NHS Covid-19") and Apple/Google blocked this update from the store: https://www.bbc.com/news/technology-56713017
So seems like they are not allowing this, even not voluntary.
heinezen
commented
3 years ago Hey @kolAflash
A few things to note about your feature request:
Let me know if you need more details or if I misunderstood something in your post.
Corona-Warn-App Open Source Team
Ein-Tim
commented
3 years ago @heinezen Could you point out the issue that this issue duplicated? Thank you!
kolAflash
commented
3 years ago @heinezen
- The app itself cannot detect if you are infected, it can only detect if you were exposed to an infected person.
I know.
That's what I meant by "had an infection contact ".
In other words: The app can tell if you had contact (were exposed) to an infected person.
A proof of exposure not as useful to the health department as a proof of infection.
The value of a verifyable "proof of exposure" depends on the situation. If you've just been informed by CWA that you had a high risk contact yesterday, there's no time to loose to get the Health Department permission not to go to work and stay at home.
A "proof of infection" by PCR test just takes too long. (usually more than 12 hours)
And a rapid test won't help either in this situation, because it can't detect the infection in the first days. But you're already infectious in the first days.
- The CWA will get a "proof of infection" [...]
See above.
(as said, I'm not talking about a "proof of infection" but about a verifiable "proof of exposure")
Based on this, please remove the duplicate flag.
@Ein-Tim
FYI: The UK tried something like this with their app ("NHS Covid-19") and Apple/Google blocked this update from the store: https://www.bbc.com/news/technology-56713017
So seems like they are not allowing this, even not voluntary.
Google allows the voluntary "Data donation" (Datenspende). So I guess the proposed feature might be OK for Google two.
If you had an infection contact - either by Check-In or exposure notification - it would be helpful if you can (voluntarily) proof this to the Health Department (Gesundheitsamt).
If the Health Department is able to verify, that you didn't fake an infection contact, this would help them to support you staying in quarantine / isolation.
Mostly important the Health Department could allow you not to go to work and stay at home.
But because some people may not like to go to work at all ;-) this should be somehow verifiable.
Technical
I'm not sure if this is cryptographically possible for the standard Exposure Notification system. But for the Check-In system I'm having two different ideas.
Hash Upload
Your name is needed to detect multiple registrations, so one can't just create hundreds of accounts registering at all possible locations to fake an infection contact.
Your phone will store the seed locally and ask you to (voluntarily) upload the hash to the server. The server will store the hash and the time when it's been uploaded under your account. This won't allow the Health Department to get any concrete information, because they can't get any information from the hash. The Health Department will only know that you checked in somewhere, but won't know where. Also there will be an limit on how many hashes you can upload in a certain time interval to prevent infinite fake-Check-Ins to fake an infection contact.
If you provide this data to the Health Department, they'll be able to verify that they really got the hash before. So you won't be able to make up a Check-In after the infection event was made available publicly.
Signing by the location
Another approach would be to make the locations host sign your Check-In. This could be done without sending anything over the Internet. But the locations host would need a device that can actively receive data from your device (e.g. via Bluetooth) and return a cryptographic signature, that you've really checked in at that location.