-
As far as I know, it is a legal requirement that the bar/restaurant/... owner hand out the visitors list to public health agencies on demand. Adding a step to ask the visitor for their consent thus would make it impossible for the bar/restaurant owner to act in compliance with the previously mentioned legal requirement. It would first require a change of this law.
-
Hi, we are very aware of this issue and we strive to protect our users from illegitimate access to their data. Regarding your specific questions, we have to distinguish two kinds of data access:
In this case the owner of the Venue is contacted and asked to grant access to the Contact Data of potentially affected Guests. The data that becomes accessible to the health authorities in this case contains (besides the Contact Data itself) only the information that this person visited the given Venue at the given time. The history of other "Check-Ins" done by the same person (their Check-In History) is not revealed to anyone in this process. Regarding this type of data access, we will soon release an update to Luca where users will be informed when their Contact Data is accessed. See also this discussion.
In this case the Health Department contacts the user directly and asks them to share their Check-In History. This process is described here. Without the explicit consent of the user, it is not possible for health authorities to reconstruct this history. Note that the private keys required to decrypt the contact data always remain with Venue Owners and Health Departments. We as the Luca operator do not have access to it. Please also have a look at the security objectives in our document. Specifically, O4 and O6 are relevant here.
-
Hi,
Incidents in the past COVID-19-influenced year have shown that agencies, police authorities and other state actors are heavily trying to misuse the collected data, originally meant to protect against and track infections.
Cases of officers raiding bars and restaurants to get their hands on the "who was eating here tonight" lists were present all over the world, especially in Germany. Politicians close to the ministry of home affairs have not missed any chance to call the contact tracing "hindered" by too much privacy.
To install an application like the luca app on my phone without being scared of someone accessing my data without my consent, it would be necessary to provide an architectural scheme which will prevent anyone from accessing my "data trace" without my consent or knowledge. This would include hashed data, which is not anonymous and still lets me be traceable.
Furthermore, access to my personal tracing data must be impossible without my knowledge, even for the luca app operator itself. And yes, I also mean pseudonymized and anonymized data by that. Only such countermeasures would ensure that no "non-disclosure subpoena" is forced on the luca app operator to hand out my data without my knowledge - to anyone.
How exactly do the creators and the operators of the application counteract such concerns - which you must agree are a realistic scenario, as proven in the past year?
Thank you