novid20org / novid20-android-sdk

NOVID20 Android SDK Source Code
https://novid20.org
GNU General Public License v3.0

Initial privacy analysis #4

Open michaelroland opened 4 years ago

michaelroland commented 4 years ago

Hi all,

we appreciate that you publicly released the source code to establish confidence in your framework. We believe that is an inevitable step for any privacy-critical project (such as contact tracing). We would like to honor this by providing a first, quick independent privacy analysis. You can find our results and a few suggestions for improvement here:

https://ins.jku.at/publications/2020/Roland_2020_NOVID20_Analysis_v1.pdf

Note that we also stumbled upon a few other bugs (not related to privacy/security) that we will try to share within the next few days.

Best regards, Michael

apetersson commented 4 years ago

Thanks for the valuable contribution. We are preparing a detailed response to the issues raised, here are some preliminary points:

Regarding point 5.2: please note that there is a real trade-off between a "server-logic" and a "client-logic" solution. Client logic, if implemented in a simplistic way (like Google+Apple), allows for some other attacks, by personally identifying affected patients and correlating them to users.

Also, we are closely associated with Pepp-pt and are monitoring the protocol issues by Google. I believe that the biggest utility from a contact tracing solution comes from a big network effect. That's why I consider this protocol preliminary and we will focus our efforts to enable interoperability between the most commonly used protocols.

Since the app is new we want to verify that it is working correctly and we want to train a model that can find a correlation between real infection and the data that is possible to record. For example, we want to deduce which public transport vehicle was used by a person and see if that led to an infection. This is one of the reasons why we value an optional "Data Donation" so we can train the heuristic in the future.

I fully agree that an id which is changing more frequently does make much more sense, but we have to be careful to not change this id while also keeping the same bluetooth mac, since this would thwart the effort for privacy.

Thanks and stay tuned for a more detailed response :)
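The linkability point raised in the comment above (a tracing ID that rotates while the Bluetooth MAC stays put, or vice versa, lets a passive observer chain the broadcasts back together) can be shown with a small simulation. The following is an added example and not code from the NOVID20 SDK; the device model, the hash-based ID and MAC derivation, the rotation periods and the observer's linking rule are all constructed for the illustration.

```python
"""Added example (not NOVID20 code): a passive Bluetooth observer that links
advertisements by whichever field (MAC or tracing ID) stays constant across a
rotation. It shows that rotating the ID and the MAC at different moments gives
the observer a continuous track, while rotating both together breaks the track.
All timing values and the ID/MAC derivation are constructed for this example."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Advert:
    t: int      # minute at which the advertisement was observed (constructed)
    mac: str    # randomised Bluetooth address seen in the packet
    tid: str    # tracing identifier carried in the advertisement payload


def ephemeral_id(secret: bytes, epoch: int) -> str:
    # Hypothetical ID derivation: hash of a per-device secret and the ID epoch.
    return hashlib.sha256(secret + epoch.to_bytes(4, "big")).hexdigest()[:16]


def random_mac(secret: bytes, epoch: int) -> str:
    # Hypothetical MAC rotation: a fresh 6-byte address per MAC epoch.
    raw = hashlib.sha256(b"mac" + secret + epoch.to_bytes(4, "big")).digest()[:6]
    return ":".join(f"{b:02x}" for b in raw)


def simulate_device(secret: bytes, minutes: int, id_period: int,
                    mac_period: int, mac_offset: int = 0) -> list[Advert]:
    """Emit one advertisement per minute. The tracing ID rotates every
    id_period minutes; the MAC rotates every mac_period minutes, with its
    rotation boundaries shifted by mac_offset minutes relative to the ID's."""
    adverts = []
    for t in range(minutes):
        tid = ephemeral_id(secret, t // id_period)
        mac = random_mac(secret, (t + mac_offset) // mac_period)
        adverts.append(Advert(t, mac, tid))
    return adverts


def link_observations(adverts: list[Advert]) -> list[list[Advert]]:
    """Passive observer: an advertisement is attributed to an existing track if
    it shares either the MAC or the tracing ID with that track's latest
    advertisement. Returns the tracks the observer can reconstruct."""
    tracks: list[list[Advert]] = []
    for adv in sorted(adverts, key=lambda a: a.t):
        for track in tracks:
            last = track[-1]
            if last.mac == adv.mac or last.tid == adv.tid:
                track.append(adv)
                break
        else:
            tracks.append([adv])
    return tracks


def longest_track_minutes(adverts: list[Advert]) -> int:
    """Length in minutes of the longest track the observer can build."""
    return max(len(track) for track in link_observations(adverts))


if __name__ == "__main__":
    secret = b"constructed-device-secret"
    aligned = simulate_device(secret, 60, id_period=15, mac_period=15)
    shifted = simulate_device(secret, 60, id_period=15, mac_period=15, mac_offset=7)
    static_mac = simulate_device(secret, 60, id_period=15, mac_period=60)
    print("ID and MAC rotate together:", longest_track_minutes(aligned), "min")
    print("ID and MAC rotate out of phase:", longest_track_minutes(shifted), "min")
    print("ID rotates, MAC never changes:", longest_track_minutes(static_mac), "min")
```

With both rotations aligned, the observer's longest track is one rotation period; as soon as the boundaries are out of phase, or the MAC does not rotate at all, every boundary is bridged by the field that did not change and the whole hour collapses into a single track. The same linking works in the other direction: a long-lived tracing ID bridges every MAC rotation, which is why shortening the ID lifetime only helps when the MAC changes in the same instant.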