
Comments (4)

lbarman commented on June 17, 2024

Hi @pylls, thanks for your input.

> An attacker able to assert control over the notification service (e.g., by simply dropping traffic) can selectively notify users and observe their behaviour.

It can drop messages, but cannot easily generate at-risk events. In addition, it could selectively drop messages, but it cannot guess which users are going to raise an at-risk alert (as this computation is done locally from public data). Its power is therefore fairly limited (to DOS'ing the system - which is another problem).

Your second proposition is very valid; it is not clear yet if the application directly shows "you're at risk" or advises to contact health authorities, this will need to be designed with health professionals.

Would this answer your question? Thanks


pylls commented on June 17, 2024

> Hi @pylls, thanks for your input.

Thanks for taking the time to reply and your work!

> > An attacker able to assert control over the notification service (e.g., by simply dropping traffic) can selectively notify users and observe their behaviour.

> It can drop messages, but cannot easily generate at-risk events. In addition, it could selectively drop messages, but it cannot guess which users are going to raise an at-risk alert (as this computation is done locally from public data). Its power is therefore fairly limited (to DOS'ing the system - which is another problem).

If "but it cannot guess which users are going to raise an at-risk alert" is true or not all depends on what happens when an at-risk alert is raised. This goes back to the analysis I quoted above, "an outside observer, the phones of both at-risk persons, those who have been in contact with an infected person, and those who are not at risk, behave the same" in the same way. You cannot make this statement without taking the vital part of the system of what happens on an at-risk alert into account.

Imagine the flawed design of an alert that points people to https://example.com/learn-more-about-staying-safe-at-home, a website not regularly visited by people other than for the purpose of this alert (same argument made if the traffic fingerprint is distinct). This is clearly observable to any modestly capable outside observer. It's even debatable if commonly visited resources are used without any randomized delay between shown alert and the observable event.

> Your second proposition is very valid; it is not clear yet if the application directly shows "you're at risk" or advises to contact health authorities, this will need to be designed with health professionals.

> Would this answer your question? Thanks

I agree that it has to be designed and evaluated with health professionals in the loop. As the analysis currently stands it's incorrect and incomplete (because you cannot complete the analysis of an incomplete system). It's important that issues like this are highlighted, as a large number of developers around the world are implementing versions of this proposal.


lbarman commented on June 17, 2024

Absolutely, we agree. This procedure will need to be examined notably with respect to the "eavesdropper" adversary. I think the proposal is voluntarily loose because different countries will have different approaches.


pylls commented on June 17, 2024

Great, thanks. It would then make sense to update the analysis, or at least add some caveats on the design to guide developers for this part.
