[Cryptography] Polish govt open-sources an app for fighting the coronavirus by saving the history of encountered devices

bric.de ab at bri-c.de
Sat Apr 4 16:17:58 EDT 2020

> Am 03.04.2020 um 18:32 schrieb Aleksander Korzyński <ak at akorzy.com>:
> Hi,
> Can you help with a security and privacy audit of this mobile app? The Polish Ministry of Digital Affairs has published the source code of an early version of an app that is meant to help slow down the spread of the coronavirus after the nationwide lockdown is lifted. Key points from the documentation:
> After installing, the app securely connects with other users via Bluetooth. It saves a 2 weeks history of all the devices encountered. This data is stored encrypted only on citizens' devices and is not sent to any central server.
> Data is sent to the server only when the user of the application has been tested positive for coronavirus. In this case, the health authority instructs the patient how to send data from the phone to the server.
> The data is sent to the server where the health authority personel, based on their analysis (length, frequency, proximity in accordance with WHO standards), decides which people should be subject to home quarantine.
> After opening the application, each user can check their personalized status:
> Green - you can go out freely and keep the applicable regulations
> Orange - 2 weeks have not passed since the application was installed, we do not have enough data to determine the status. Be careful.
> Red - contact the health authorities and quarantine your home
> Ultimately, the application should be installed by every citizen. We start building a culture of using the application, e.g. by showing each other your green status.
> Due to understandable social resistance to permanent surveillance of citizens, we place great emphasis on ensuring privacy. The application code is made public (open source) and can be audited by experts.
> https://github.com/ProteGO-app/specs/blob/master/ENGLISH.md <https://github.com/ProteGO-app/specs/blob/master/ENGLISH.md>
> Best regards,
> Aleksander Korzynski
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography

You might approve your proposed tracking scheme against:

   Secure Open Standard for Tracking & Notification
       -> Spec Draft: https://github.com/SecureOpenStandard/specification
       -> reference implementation: https://www.linkedin.com/feed/update/urn:li:activity:6651984872699113472/ 

Have a look.

Andreas Briese

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20200404/7777b9cc/attachment.htm>

More information about the cryptography mailing list