[clug] Apple-Google Contact Tracing API. V1 released May 20, 2020

Alex Satrapa grail at goldweb.com.au
Mon May 25 00:13:40 UTC 2020

> Does anyone see security or privacy issues with the spec?

The attack vectors will only be tracking the IP address of who uploads
contacts, and the over-the-shoulder viewing of notifications from the app
to the user. Without a corresponding tracking database (eg: geolocation via
mobile phone towers or physical surveillance) there's no way of identifying
which contact keys came from whom. You can't even watch for repeated keys
unless people are working together.

The people with the tools to use these bluetooth messages to track
individuals will have other, better, ways of tracking people such as
bluetooth, wifi or mobile phone radio IDs.

There is the possibility of the system being broken by non-COVID-positive
people uploading their contact keys as a form of disruption.

One way this could be misused is having you download a dodgy app which
uploads contact tracing without your consent, to a server used for, eg:
tracking contacts of certain people the state doesn't like.
> It’ll mean rewriting the local AusGov contact tracing App, the one
that they haven’t fully developed the back-end for.

They hadn't fully developed the front-end either, and were already using
the app as a means of excluding people from social events while writing
legislation to ban people using the app the exclude people from social
events. No doubt this "tough on ~~crime~~COVID" attitude will be used as
one of their selling points in their election campaign.

> There is a central database of rapidly (15-30 min) keys generated on

No, each device maintains its own history of keys emitted, and keys seen.
In fact let's not call them keys, they're just labels or tags.

> It’s unclear to me how the keys-device connection is made within the
server database.
> The Notification side of the server must push a notification to devices
(presumably when they connect to upload keys).

The other way around: the central database only holds a list of
contact-tags uploaded by the COVID-19-positive subject. The other
participants in the contact-tracing network regularly check the central
database to fetch any new contact-tags added to it, then the local device
notifies the local user that they've had contact with a suspect and need to
get tested. There's no matching done at the server end, it's only there as
a repository of contact-tags uploaded by subjects.

> Currently, App developers - presumably public health authorities - have
to build local Apps for users to download & ‘accept’. This allows local
’tuning’ of what constitutes a ‘contact’.

I have no idea what they're trying to say here. The only "tuning" will be
which tracking group you belong to.

More information about the linux mailing list