vteague / contacttracing Goto Github PK

Not in Play store, therefore i assume cannot be installed and run on older Androids. Would appreciate any comment on whether there is a technical reasoning for this, or simple oversight / laziness that this demographic of older phone users was forgotten.

If you're wondering why the phone model is logged at all, the BlueTrace white paper (https://bluetrace.io/static/bluetrace_whitepaper-938063656596c104632def383eb33b3c.pdf) explains that this is "Device model of the Peripheral, to calibrate distance estimates", presumably via the signal strength.

Thank you all for your work on this. One question. You state :

COVIDSafe records details about the messages it sends and receives, storing these in unencrypted form, though of course the UniqueID is already encrypted.

Can you explain how the UniqueID can be referred to as encrypted?

In reading about the use of the UniqueID, my understanding is that it is a unique (pseudo) random value assigned to a user of the system by the data store. This to me does not meet the defintion of "encrypted". It does protect the identity of the person (to some extent) but not through encryption.

If my understanding of this is incorrect, please explain (if you have the time - sure you are flat out at the moment with all the coverage you are getting in the media).

Cheers
Shae

It seems to me that a lot of the potentially problematic information collected probably has a legitimate justification, ie:

• timestamps (to work out length of contact)
• phone models (for distance modelling, which probably needs to be done on a central server as the modeling will probably need to be adjusted over time, potentially retroactively).

However it seems to me that the log could theoretically be submitted without any reference to the user sending it, ie it might leak information about "someones" day (or if broken up, as parts of possibly several "someones" days), but not be directly linked to the person submitting?

I suppose with infection rates as low as they are in Australia that probably limits the ability to effectively anonymise the data as few people will actually be be submitting it. The upside to that is that it also means it wouldn't be an effective tool for general state surveillance....

Would there be value in an "Easy Wins" section?
Things like:

• increasing the frequency of ID rotation
• creating a symmetric key on ID rotation, sending it to the central server and encrypting the phone version sent in the public bluetooth beacon

seem like they would bring privacy improvements without requiring significant changes to the system design.

Not sure if you are looking for feedback on this, but there is a rather glaring problem with your mention of missed opportunity to filter contacts before upload - it isn't actually possible to filter contacts according to known identities if they have been properly anonymised, since since by definition you can't tell which contact records belong to which person.

Has anyone found any evidence of different types of app users (e.g. non-mobile phone device apps?).

There appears to be nothing limiting the capability to create COVIDSafe ‘listeners’ and ‘beacons’ which either report back to the COVIDSafe server on all observed COVIDSafe IDs, or which broadcast unique IDs with known fixed locations. For example, a ‘listener’ could be placed in a public place (train station, bus etc.) which captures all heard COVIDSafe messages, and reports these back to the COVIDSafe server. For the same scenario, these ‘listeners’ could be ‘beacons’ which behave like another COVIDSafe app user, but which broadcast a known location to other devices in the area. If any users become sick and upload their received beacons, it will include these known location beacon IDs, potentially allowing understanding of transmission from the location itself rather than other users (e.g. tram users who travelled at different times of day, who contracted the virus from a surface or circulating air, rather than direct person to person contact). The same could also be achieved by 'interested citizens' who place a phone with COVIDSafe in a public location, just to track how many devices they see - and/or how many alerts they receive from a known location.

This would appear to stay within legislation (that your app does not disclose location and data can only be used for contract tracing purposes), but attribution of location can be done with no knowledge of the user, simply by other COVIDSafe actors disclosing their locations. Without release of server source code, or guarantees from the government that only data generated by citizens/people will be uploaded, this is an unknown.

I also found the following interesting:

1. https://eng.unimelb.edu.au/ingenium/research-stories/world-class-research/real-world-impact/on-the-privacy-of-tracetogether,-the-singaporean-covid-19-contact-tracing-mobile-app,-and-recommendations-for-australia
2. https://www.zdnet.com/article/australias-covidsafe-contact-tracing-story-is-full-of-holes-and-we-should-worry/

The technical depth of the analysis is really great, thank you. I do however think that failing to establish the risks in relative terms (i.e. in the context of the normal use of a mobile device) is a serious flaw in the analysis. This is particularly important now because this article is being referenced by major news outlets. An uneducated person could look at this and make the decision to refrain from using the app because of the "risks" while happily continuing to use AirBnB, Facebook, Instagram, Twitter, Google, Google maps etc which all gather more information than COVIDSafe and (if Snowden is to be believed) probably have a backdoor for the CIA to analyze that data. Further, risks must also be considered against the opportunities. By publishing this without context or relative risks you're actually putting society at risk, people's loved ones at risk of actually contracting and dying or suffering long term organ damage due to COVID-19.

I note that the example log provided is for a period overnight, from roughly 11pm to 6am. Is it possible that the iPhone goes into an off-peak standby or "do not disturb" mode overnight, going offline?