Initial privacy analysis #4

Open
michaelroland opened this issue Apr 9, 2020 · 1 comment
Comments

@michaelroland

Hi all,

we appreciate that you publicly released the source code to establish confidence in your framework. We believe that is an inevitable step for any privacy-critical project (such as contact tracing). We would like to honor this by providing a first, quick independent privacy analysis. You can find our results and a few suggestions for improvement here:

https://ins.jku.at/publications/2020/Roland_2020_NOVID20_Analysis_v1.pdf

Note that we also stumbled upon a few other bugs (not related to privacy/security) that we will try to share within the next few days.

Best regards,
Michael

@apetersson
Member

Thanks for the valuable contribution. We are preparing a detailed response to the issues raised, here are some preliminary points:

Regarding point 5.2: please note that there is a real trade-off between a "server-logic" and a "client-logic" solution. Client logic, if implemented in a simplistic way (like Google+Apple), allows for some other attacks, by personally identifying affected patients and correlating them to users.

Also, we are closely associated with Pepp-pt and are monitoring the protocol issues by Google. I believe that the biggest utility from a contact tracing solution comes from a big network effect. That's why I consider this protocol preliminary, and we will focus our efforts on enabling interoperability between the most commonly used protocols.

Since the app is new, we want to verify that it is working correctly, and we want to train a model that can find a correlation between real infection and the data that it is possible to record. For example, we want to deduce which public transport vehicle was used by a person and see if that led to an infection. This is one of the reasons why we value an optional "Data Donation", so we can train the heuristic in the future.

I fully agree that an ID which changes more frequently does make much more sense, but we have to be careful not to change this ID while keeping the same Bluetooth MAC, since this would thwart the effort for privacy.

Thanks and stay tuned for a more detailed response :)
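The linkage concern in the reply above (rotating the contact-tracing ID while the Bluetooth LE address stays the same) is easy to make concrete. The following is an added illustration, not code from the NOVID20 project or from either commenter: it simulates a device broadcasting a (BLE address, rolling ID) pair once per minute and models a passive observer who does nothing but record those pairs and join them on shared values. All identifier and address values are constructed labels, and the rotation periods are hypothetical parameters chosen to show three cases: address rotating slower than the ID, both rotating in lock-step, and both rotating but with slightly different periods.

```python
"""Added illustration (not project code): why the rolling contact-tracing
identifier and the BLE advertising address must rotate together.

A passive observer cannot decode the identifier, but it can log every
(address, identifier) pair it sees.  Two observations that share either
value are trivially attributable to the same device, so if the address
outlives the identifier (or the two rotation schedules are merely
similar rather than aligned), the observer can chain successive
identifiers into one trajectory and the rotation buys nothing.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One advertisement as seen by an observer: (minute, ble_address, rolling_id).
Observation = Tuple[int, str, str]


def simulate_device(minutes: int, id_period: int, mac_period: int,
                    seed: str = "dev") -> List[Observation]:
    """Emit one observation per minute for a single device.

    Identifier and address are constructed labels (not real keys or MACs);
    a fresh value is derived each time the respective period elapses, which
    is all the observer-side analysis depends on.
    """
    log: List[Observation] = []
    for minute in range(minutes):
        rolling_id = f"{seed}-id{minute // id_period}"
        ble_addr = f"{seed}-mac{minute // mac_period}"
        log.append((minute, ble_addr, rolling_id))
    return log


def link_identifiers(observations: List[Observation]) -> List[Set[str]]:
    """Observer-side linkage: union-find over the bipartite graph whose
    nodes are addresses and identifiers and whose edges are observed pairs.
    Returns the groups of rolling identifiers attributable to one device."""
    parent: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]   # path halving
            node = parent[node]
        return node

    def union(a, b):
        parent[find(a)] = find(b)

    for _, addr, rid in observations:
        union(("addr", addr), ("id", rid))

    groups: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for _, _, rid in observations:
        groups[find(("id", rid))].add(rid)
    return list(groups.values())


def max_linked_ids(observations: List[Observation]) -> int:
    """Size of the largest chain of identifiers an observer can attribute
    to the same device; 1 means each identifier is unlinkable to the next."""
    return max(len(group) for group in link_identifiers(observations))


if __name__ == "__main__":
    two_hours = 120
    # Address outlives the identifier: four 15-minute IDs share each address.
    print("ID 15 min, MAC 60 min :", max_linked_ids(simulate_device(two_hours, 15, 60)))
    # Both rotate together: every address sees exactly one identifier.
    print("ID 15 min, MAC 15 min :", max_linked_ids(simulate_device(two_hours, 15, 15)))
    # Both rotate, but one minute out of step: the whole trajectory chains.
    print("ID 15 min, MAC 16 min :", max_linked_ids(simulate_device(two_hours, 15, 16)))
```

The third case is the one worth remembering when reviewing a rotation scheme: it is not enough for both values to rotate at a similar rate. Unless every identifier change coincides with an address change, each address that straddles an ID boundary links the two identifiers on either side of it, and over a long enough observation window the chain becomes the device's entire history.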
