O6 may - in practice - not be strong enough #4
Replies: 2 comments
Ah, one PS: I was not sure about the preferred language in the discussions, as the security concept and the build instructions are both in English. So feel free to respond in German if you prefer.
Thank you for taking the time to read our concepts; your feedback is appreciated. The objective O6 (i.e. "Traced Guest's Contact Data is disclosed to the Health Department only after Venue Owners' consent") is inspired by the traditional paper-based approach where health authorities need to (physically) obtain contact data lists from affected venues. We found it worthwhile to reflect this concept in luca to establish a "second pair of eyes" principle (i.e. by the venue owner) before health authorities can access guests' data. Nevertheless, you are making a valid point that the venue owner's consent to data disclosure might become moot for larger venues where requests happen frequently. Therefore, we are working on a privacy-friendly notification feature where individual users get notified when and by which venue their data was disclosed to the authorities. The advantage of such a feature would be twofold: 1) users would get a better understanding of when and where their data was disclosed, and 2) disclosure of their data to the health department means that they might have been exposed to SARS-CoV-2. Providing venue owners with trustworthy information on whether at least one of their guests tested positive, as you suggested, is a great idea indeed. It might give venue owners a reasonable handle to deny data access by the health authorities. We'll think about the possibilities. Thank you again very much for your constructive input.
In general, I like the idea of these apps and it is always nice to see privacy-friendly solutions to such challenges.
However, the core assumption of this app (and please correct me if I am wrong here) is that the health departments should not gain unchecked access to all guest data. If this assumption can be dropped, then we could as well simply have each guest transmit the data directly to the health departments.
That being said, the security concept of luca app seems to rely on the vendors as the only control instance to prevent unnecessary access to data. Right now, the health departments can present a request for cooperation to any vendor. Depending on the amount of requests such a vendor receives and the size of the business, these requests may not even surprise the vendors after several weeks.
Thus, I am not convinced that venues would deny any such access if they get prompted to please help out. This effectively makes the whole crypto useless simply by letting the health departments circumvent all of the carefully designed steps and have it continuously poll for every event. Of course, one could argue that the luca servers would currently neither give out all venue IDs nor help the health departments to perform this 'attack', but that is a weak argument in my opinion. In fact, it might not even be realized by the luca servers if venue owners never update their keys or IDs. Even further: the luca servers should not be able to interfere with the health departments, to prevent any collusion attacks between revealed users and requested venues. This means that health departments have free rein over which venues to request for assistance. As an end-user, you have no control or insight into how often this may happen or when your data was revealed to the health departments.
I would be interested to hear your opinion about the practicality of O6.
I do see several possible extensions that could at least bring back some real-world trust to the system, especially if we assume that the health departments may try to poll more than they should but will not be actively malicious (also known as honest-but-curious models). One such solution would be to let users generate an anonymous authorization for venues that at least one user has been infected and shared his data. That way, the venue could at least be displayed a notification "The health department wishes to see the data. At least one guest is infected./No guests have been infected." Maybe the system could even cryptographically prevent data publication by letting the guests share a venue secret that is only revealed when a guest publishes her data.
Of course this would assume that the health department does not send their own guest to the venue. But I think once we reach that assumption we can all agree that we did our best and should complain somewhere else ;-).
My ad-hoc extension aside: What are your thoughts behind O6?
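As an added sketch (not part of the discussion above and not luca's design), the following models the commenter's "venue secret" extension: the venue keeps a secret, every check-in yields a token derived from it, and the health department can only trigger the "at least one guest is infected" notice by presenting a token that a disclosing guest handed over. All names, the per-day secret rotation and the single-use token rule are assumptions; it does not address the commenter's own caveat that the health department could check in a guest of its own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

INFECTED_MSG = "The health department wishes to see the data. At least one guest is infected."
CLEAN_MSG = "The health department wishes to see the data. No guests have been infected."


@dataclass
class Venue:
    # Hypothetical per-day venue secret; rotating it bounds how long a single
    # disclosed token could keep authorising requests.
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    seen_tokens: set = field(default_factory=set)

    def check_in(self, checkin_id: str) -> bytes:
        """Token handed to the guest at check-in; deriving it needs the venue secret."""
        return hmac.new(self.secret, checkin_id.encode(), hashlib.sha256).digest()

    def handle_request(self, checkin_id: str, token: bytes) -> str:
        """Notice shown to the venue owner when the health department asks for data."""
        expected = self.check_in(checkin_id)
        # Constant-time comparison: a forged token learns nothing about the real one.
        if not hmac.compare_digest(expected, token):
            return CLEAN_MSG
        # Each token counts once, so one disclosure cannot justify repeated polling.
        if token in self.seen_tokens:
            return CLEAN_MSG
        self.seen_tokens.add(token)
        return INFECTED_MSG


def simulate() -> tuple:
    venue = Venue()
    # Constructed check-in: the guest keeps the token in her app.
    token = venue.check_in("checkin-42")
    # The guest tests positive and publishes her history, token included, to the
    # health department, which forwards it together with its request to the venue.
    genuine = venue.handle_request("checkin-42", token)
    # Polling without any disclosing guest: a check-in id may be guessable, but
    # the token is not, because the venue secret never left the venue.
    forged = venue.handle_request("checkin-42", secrets.token_bytes(32))
    # Replaying the same disclosure to poll a second time is treated as no proof.
    replayed = venue.handle_request("checkin-42", token)
    return genuine, forged, replayed
```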