
Under Apple and Google's contact tracing scheme, Alice's device generates a daily random value (termed a Temporary Exposure Key or TEK in the Cryptography Specification). Every 10 minutes, a Rolling Proximity Identifier (RPI) is generated from the TEK (by first hashing, and then encrypting with AES using the time as the key). When Alice and Bob meet, her device sends his device her current RPI.

The FAQ (p.3) states that

people who test positive are not identified by the system to other users, or to Apple or Google.

How is this accomplished? What prevents Bob from setting up a database of all the keys he receives, indexed by the name of the person, and then, when one of the keys appears on the server, referencing the database to find out who uploaded it?

Marcel
  • You have answered your own question, though: the key you capture will only be useful for 10 minutes. That's kind of the whole point. – schroeder Mar 07 '21 at 21:52
  • Is that really the case? Surely if I capture a key and link it to the identity of the user who issued it, I will be able to tell whether or not they test positive within the validity period of that key (14 days)? – Marcel Mar 08 '21 at 06:22
  • Isn't the point that with just the key you cannot identify the user? What you are saying is that you are taking the list of keys and an external source of information (personally identifying the people you meet) and putting the two together. This is exactly the same as compiling a list of people you met (where and when) and then when you get a phone call from track and trace system cross referencing with the list. Although track and trace doesn't identify the individual, based on the additional information you hold you can make an educated guess. – James Wilson Mar 08 '21 at 07:50
  • At least where I'm from, the contact tracing people don't tell you anything more than that you may have been exposed and need to get tested/quarantined, specifically to avoid this kind of privacy issue. – Marcel Mar 08 '21 at 08:37
  • @schroeder: I've updated the post to clarify the question. Apologies if it was ambiguous before. – Marcel Mar 08 '21 at 11:13
  • "indexed by the name of the person" -- how do you do that? "tell you anything more than that you may have been exposed" -- is this doing more? How does the app where you're from make the connection between you and the people you've met? "a database of all the keys he receives, indexed by the name of the person" -- how can Bob do this? It's this one step that you seem to be glossing over... – schroeder Mar 08 '21 at 12:03
  • Bob picks up the key (RPI) being transmitted by Alice's device, and notes down "[key value] is one of Alice's keys". Assuming Bob has access to the RPI, it doesn't really matter as far as this question goes where he stores it - he might as well write it down in his notebook. – Marcel Mar 08 '21 at 12:56
  • How does he know it's Alice's device? – vidarlo Mar 08 '21 at 18:00
  • @vidarlo: The simplest case is if their two devices are the only ones present, or Alice's signal is clearly the strongest (e.g. if they are alone in a room together). For example, if Bob is an employer who wants to fire employees who test positive for perceived 'carelessness', he could set up a device that logs RPIs where employees clock in, and then correlate the RPIs with the clock-in times (assuming only one employee is in the relevant room at a given moment). Alternatively, Bob could save the location where he received each RPI, and then later try to deduce who sent them. – Marcel Mar 09 '21 at 07:48

1 Answer


I am not sure if this answers your question, but in theory you can do the following:

  • Set up a Raspberry Pi with a camera and a Bluetooth card on a trafficked location in a pedestrian street.
  • When someone walks by, snap a picture of them and record their RPI.
  • When one of these RPIs shows up as infected, you can publish the picture of the infected person on your website www.peoplewhogotcovid.com.
  • For bonus points, you can add a wifi card to your RPI-sniffing device; if the infected passerby happens to have a hotspot network called Bob Ross's Iphone, then you know his name, too!
Federico Poloni
  • This is a bad idea. Even if I am infected and end up on your site, I can sue you and demand you prove I am infected. You can prove I am infected only for 10 minutes max, 5 minutes average, so it's a lost cause for you. I will ask for damages' reparation, and you can be sure other people will sue too. – ThoriumBR Jul 18 '21 at 00:00
  • @ThoriumBR Sure, I am not advocating doing any of this. My point here is showing that this kind of de-anonymization is technically possible. – Federico Poloni Jul 18 '21 at 08:00