[Cryptography] Polish govt open-sources an app for fighting the coronavirus by saving the history of encountered devices

Aleksander Korzyński ak at akorzy.com
Fri Apr 3 12:32:38 EDT 2020


Hi,

Can you help with a security and privacy audit of this mobile app? The
Polish Ministry of Digital Affairs has published the source code of an
early version of an app that is meant to help slow down the spread of the
coronavirus after the nationwide lockdown is lifted. Key points from the
documentation:

> After installing, the app securely connects with other users via Bluetooth.
> It saves a 2-week history of all the devices encountered. This data is
> stored encrypted only on citizens' devices and is not sent to any central
> server.
> Data is sent to the server only when the user of the application has been
> tested positive for coronavirus. In this case, the health authority
> instructs the patient how to send data from the phone to the server.
> The data is sent to the server where the health authority personnel, based
> on their analysis (length, frequency, proximity in accordance with WHO
> standards), decides which people should be subject to home quarantine.
> After opening the application, each user can check their personalized
> status:
> Green - you can go out freely and keep the applicable regulations
> Orange - 2 weeks have not passed since the application was installed, we
> do not have enough data to determine the status. Be careful.
> Red - contact the health authorities and quarantine your home
> Ultimately, the application should be installed by every citizen. We start
> building a culture of using the application, e.g. by showing each other
> your green status.
> Due to understandable social resistance to permanent surveillance of
> citizens, we place great emphasis on ensuring privacy. The application code
> is made public (open source) and can be audited by experts.


https://github.com/ProteGO-app/specs/blob/master/ENGLISH.md

Best regards,
Aleksander Korzynski