Re: Google and Apple announce privacy-preserving contact tracing API

I think there is again some confusion among this group about how technology works.

It is a rotating random cipher: upload on positive, download to receive the
list of positives. The random ciphers change frequently; the app holds them
and doesn't share them. The app would work very well even without a cell or
internet connection for tracing.

The main software weakness on standard operation is the Bluetooth secret,
but the protocol is cryptographically sound in a way that no information
needs to be exposed. The biggest weakness is the health code credentials to
unlock the upload process. Positive tests should be data mined. If the
health code credentials are impersonated, the consequences are likely "a
bad practical joke resulting in extra testing notifications." The main
design challenge is making sure that if the same secret is used by
multiple devices, it errors appropriately.

The comments regarding QR codes and images I don't understand in this
context at all; there are no QR codes or images involved.

The main limitation on efficacy is user adoption. I am going to highly
recommend this app to everyone. I normally shout my pro-privacy and
security concerns about software, cell phones and corporations.

I will also disassemble the app, reverse engineering the software to make
sure it works as described.

Ian Smith

On Fri, Apr 10, 2020, 1:00 PM David Booth <david@dbooth.org> wrote:

> "Across the world, governments, and health authorities are working
> together to find solutions to the COVID‑19 pandemic, to protect people
> and get society back up and running. Software developers are
> contributing by crafting technical tools to help combat the virus and
> save lives. In this spirit of collaboration, Google and Apple are
> announcing a joint effort to enable the use of Bluetooth technology to
> help governments and health agencies reduce the spread of the virus,
> with user privacy and security central to the design."
>
> https://www.apple.com/covid19/contacttracing/
>
> Comments, particularly on the privacy aspect?
>
> David Booth

Received on Saturday, 11 April 2020 19:32:49 UTC
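
The flow described in the message above (rotating identifiers, upload on a positive test, download and match locally), as an added example that is not part of the original message and not the Google/Apple specification. The HMAC-based derivation, the 144 intervals per day, and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144  # assumption: one identifier per 10-minute window


def new_daily_key() -> bytes:
    """Random per-day secret; stays on the phone unless its owner tests positive."""
    return secrets.token_bytes(16)


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval (simplified, assumed derivation)."""
    msg = b"ROLLING-ID" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_keys = {}  # day -> key, held locally
        self.heard = set()    # (day, identifier) pairs seen from nearby phones

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, new_daily_key())
        return rolling_id(key, interval)

    def observe(self, day: int, identifier: bytes) -> None:
        self.heard.add((day, identifier))

    def upload_on_positive(self):
        """Only step that discloses anything: the daily keys, not the contacts."""
        return list(self.daily_keys.items())

    def check_exposure(self, published):
        """Re-derive identifiers from published keys and match them on-device."""
        return [(day, i) for day, key in published
                for i in range(INTERVALS_PER_DAY)
                if (day, rolling_id(key, i)) in self.heard]


def demo():
    # Constructed scenario: bob was near alice, carol was near bob only.
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.observe(3, alice.broadcast(3, 57))
    carol.observe(3, bob.broadcast(3, 57))
    published = alice.upload_on_positive()
    return bob.check_exposure(published), carol.check_exposure(published)
```

Matching happens entirely on the receiving phone, so the server only ever sees the daily keys of users who chose to upload.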