Dependency on GAEN (a closed source component) raises issues #34
Another useful link related to the second point of my initial post (re: API v1.6) here: DP-3T/dp3t-sdk-backend#214 (comment) : there are already planned changes to the backend to accommodate the API version we still know nothing about...
I believe this link also contains useful information: https://lasec.epfl.ch/people/vaudenay/swisscovid.html#ag
Is anyone aware of a possible solution for this?
@vincenzoiovino was able to perform a replay & "time travel" attack on the GAEN implementation by transmitting spoofed RPIs to nearby devices. Current open issues regarding this subject on the Immuni App (Italy official app): immuni-app/immuni-app-android#278
There is now a GAEN replacement implementation on Germany's app: https://fsfe.org/news/2020/news-20201208-01.en.html
The privacy risks of using this closed source dependency are no longer in the theoretical field, with the recent news that GAEN on Android was leaking data: https://themarkup.org/privacy/2021/04/27/google-promised-its-contact-tracing-app-was-completely-private-but-it-wasnt .
Hi there. This is by no means an exhaustive list, but:
These past few days, the Irish Covid Tracker app users suffered huge battery drain, leading many to uninstall the app. The issue was with GAEN, and was silently fixed by Google: https://twitter.com/HSELive/status/1293888350504591362
There are hints of a new API version, but no documentation, no changelog, no roadmap is available. google/exposure-notifications-android@339ea63
The current distribution model of one of the components needed in order to use GAEN on Android raises questions and concerns: binary distribution of play-services-nearby #15 (comment)
There are several known issues on the GAEN framework, but they lack proper documentation to ensure transparency ([DOCUMENTATION] FAQ on Apple/Google framework issues, DP-3T/documents#327). The problem is highlighted when we see claims in the press about how bullet-proof and privacy-preserving this application is, which seem to purposefully ignore the already known issues.
These examples come to illustrate and reinforce the concerns of several actors, from academia ( https://down.dsg.cs.tcd.ie/tact/transp.pdf ) and data protection specialists ( https://jornaleconomico.sapo.pt/noticias/contact-tracing-caminho-seguro-ou-passo-em-falso-623571 ) to institutions like the Portuguese Association for Free Software (ANSOL) ( https://ansol.org/STAYAWAY-COVID ) or the Portuguese Data Protection Agency (CNPD) ( https://www.cnpd.pt/home/decisoes/Par/PAR_2020_82.pdf ), who alert to the dangers of depending on a closed source component (GAEN) for this solution.
Implementing DP-3T is possible without closed source dependencies (Is it possible to implement dp3t in a country not yet allowed by the Google Exposure API in a local environment? DP-3T/dp3t-sdk-android#143), and there are several reasons to opt for that more transparent approach (Dependency on GMS, DP-3T/dp3t-sdk-android#10).
Deutschland is noticing similar issues, in particular since "no clear agreements have been reached with Google and Apple about reprocessing data gleaned via the app." https://www.dutchnews.nl/news/2020/08/dutch-privacy-watchdog-says-coronavirus-app-still-needs-work/
Therefore, I am opening this issue to propose to the project that the issues that arise from having a closed source dependency on GAEN must be openly addressed.
As a "starting point", I'll also link to https://www.lusa.pt/article/RuzdrRtnLzuClNfx09aPxzMSZM5iuSI1 , where INESC TEC's administrator is quoted saying:
(In English, my translation:)