Easy deanonymization of infected individuals about documents HOT 9 OPEN

Hi All, thank you for this discussion. I believe our new "Security and Privacy Analysis" document might answer some of your questions. We hope this help.

from documents.

Yes of course the user could disable it at will (possibly inside limits mandated by public policies), but still I guess a very large chunk of users would end up broadcasting their IDs from their homes in late evenings, or from their workplaces during working hours.

from documents.

See #24

from documents.

To mitigate the risk of revealing location data of home address, people should deactivate bluetooth for the app while at home. I do not see a safe mechanism to automate this.

from documents.

@FroehlichMarcel Don't we all meet people while at home? Friends, relatives, visitors, neighbors, baby sitters, cleaning ladies, mailmen...
In the moderate social distancing scenario we are going to live in for the next months, most close contacts might happen inside or near homes (and the same reasoning applies to workplaces). Sacrificing them might mean losing a lot of possible contacts.

Interestingly enough, this would also be where a gps-based tracing would most likely fail.

from documents.

@inaitana Right. Still the assumption basic is that I use it because I want to trace, not because I have to.
So when I deactivate BT (to avoid skimming of my broadcasted IDs) then I do it because there is nothing to be tracked (e.g. over night). If the app provided a prominent switch and status, it could be helpful.

from documents.

Would it be possible to control the sending strength of the Bluetooth and lower it when at home?

Detecting that the user is at home could maybe be done with checking if connected with the home WiFi (the user could confirm that in the app) or GPS (user selected home on a map).

Negative results of this are:
The app has information about the user's home / geolocation.

To prevent the app holding pinpointed geolocated data, the app could download the housing data from the current city, region, province/state (download a level higher to add a little bit of anonymity) via OpenStreetMaps or something like that and then check if the user is inside a house.

A very complex way to mitigate the app knowing the user is in his home but still knowing it is in a home, all with the end result to lower the broadcast signal strength so malicious other can not record EphIDs while the user is at home.

from documents.

@danielbeeke Geodata is a no-no in this app. WLAN probably hard to avoid.
I am more concerned that the data can be linked by commercial data aggregators than by people walking down the street. Google and some more likely know your WLAN.

from documents.

Don't we all meet people while at home? Friends, relatives, visitors, neighbors, baby sitters, cleaning ladies, mailmen...

This is not my understanding of the term "social distancing" at all. Nobody should be coming over. Mailmen leaving packages out front, is a small, but necessary risk. Of course it's a spectrum of response, and as we make it past the various peaks, we should be considering how to gradually relax this.

More to your underlying point though... I agree that most contacts will be somewhat localized. Making the ability to remove yourself from isolation and probe specific locales seems worrisome to me.

from documents.