Potential privacy issue of new Exposure Notifications Express?

[r-r-liu]

I just installed iOS 13.7 and read about the Exposure Notifications Express (https://developer.apple.com/documentation/exposurenotification/supporting_exposure_notifications_express). This seems to be merely a configurable general purpose app that (a) doesn't need to be installed, but (b) mediates between the user and his PHA's Test verification server and Key server. I see a possible privacy issue here.

Although these servers presumably are under the control of the PHA, on the user side there seems to be nothing but Apple/Google code, and I suppose that Apple and Google are no more likely to submit their code to an audit now than they were when it consisted only of the GAEN api. Yet it might be necessary in the future for a PHA that now decides to the use Exposure Notifications Express to enable certain functionality in the Key server that requires input from the user. That, I suppose, would have to be done in the ENE. That would be the case, for example, if a PHA using ENE decided to support the exchange of exposure notifications with other PHA's. For example, preliminary designs to support, say, users of the Swiss Covid app in Germany, or of the German Covid Warn app in Switzerland, indicate that users might have to specify to their respective backends when they were in the other country, so that each server could pull exposures from the other's backend. Now suppose in this example that one of the countries has no app of its own but is relying on the ENE, and that Apple and Google agree at some point to pass such information through the ENE to the Key server. When that happens, Apple/Google code is effectively handling location information, and absent an audit, nobody knows that it isn't being misused.

I think DP-3T has a vested interest in ensuring that countries, resp. PHA's, that do not wish or cannot afford to develop their own GAEN apps nevertheless enjoy the same level of privacy and security as those that do, and I would encourage you to increase the pressure on Apple/Google to permit a code audit, this independent of any plans that the Swiss FOPH might or might not have to replace SwissCovid by the Exposure Notifications Express.

[pdehaye]

Data exchange between countries was always going to be a problem for SwissCovid, especially given DP-3T's rather cavalier approach to what legally constitutes "personal data". It seems - but it is hard to pin down - that SwissCovid operates on the pretense that all those identifiers circulating and then stored in the clear do not constitute "personal data", which flies against existing Swiss case law. This also is opposite to what other European countries have sensibly decided (some walked backwards into this decision, but indeed they had to agree as there was a level-up effect if they wanted to interoperate between them).

Your concerns are valid, but I would address them elsewhere if you want to effect true change. Switzerland has managed to sideline itself completely on issues of legal interoperability, and it has been a few months now anyways since the DP-3T team has had any impact on decisions taken by Google and Apple (if there was ever a time where that was the case).

[r-r-liu]

A Note to Those Who Believe that This Discussion Does Not Belong Here
Please suggest where it does belong. Admittedly, @pdehaye seems to be taking it in a direction that I had not intended. Interoperability is not the issue that I have with ENE, it was just an example of that issue, based on information in DP3T -Interoperability Decentralized Proximity Tracing Specification (Preview) that suggested that, if DP-3T compatible apps are allowed to take advantage of the designed-in compatibility, the user would have to tell his app the foreign region in which he is operating it so that his regional backend could exchange exposure lists with the other region's. If his region chooses not to develop its own app but to use ENE instead, presumably he would have to communicate that information to the backend through ENE, in which case Apple/Google code would be able to connect the mobile phone's operator to a region that he visits.

@pdehaye:

I believe you are confused. Where exactly (i.e., on which device(s)) is "what legally constitutes 'personal data'" being stored in the manner that you describe, and why do you put quotes around personal data? Is it, or is it not, personal data, and by what criteria and whose legal system? If you wish to continue this discussion, please refer to the components of the system as outlined in DP3T -Data Protection and Security when justifying your objections. Please be aware that some features of the system described in the document have not in fact been implemented. You might also wish to peruse DP-3T White Paper to inform yourself about the three designs for decentralized proximity tracing that DP-3T provides. I believe I read somewhere that GAEN doesn't "do" all designs, just the simplest, which would be the one that provides the least elaborate privacy, but I can't find the reference right now. What is the case, is that GAEN is evidently handling the generation and broadcasting of the EphId's, the logging of received EphId's, the pulling of the possible infections from the backend and even some steps in the calculation of the exposure risk score. Therefore, whatever objections you have to SwissCovid might well extend to all or some other national Covid-19 apps based on GAEN.

If you have been following the discussion about interoperability of various regional versions of the app, you will be familiar with DP3T -Interoperability Decentralized Proximity Tracing Specification (Preview). It is plain and evident that interoperability was designed into the system. Furthermore, Sang-Il Kim, Director Digital Transformation, FOPH, confirmed in one of his first press conferences that interoperability is not a technical problem, but a political one, in this case, having to do with the EU's insistence on a Framework Agreement before discussing any cooperation with Switzerland, in this case, in the area of public health. Neither my nor your view on this political issue is germane to this technical discussion.

[pdehaye]

@r-r-liu I was trying to respond to your valid remark. You mentioned privacy and ENE interoperability, with a technical lens. I added a legal layer to your argument, and explained why you are barking at the wrong tree here, talking to the DP-3T collaboration.

I had the poor idea of putting "personal data" in quote because I was referring to the legal definition of what constitutes personal data: "data about an identified or identifiable individual". The legal systems are either EU Member States' (following case law from Court of Justice of the European Union) or the Swiss legal system (following case law such as Google Street View).

The data that I claim are personal data are:

1. Rolling Proximity Identifiers (also called EphIDs) when in flight (because they can be intercepted by others, this data is made public) - as well as the Associated Encrypted Metadata;
2. RPIs once stored on someone else's device - as well as the AEM;
3. Temporary Exposure Keys once stored on the server;
4. Temporary Exposure Keys once downloaded back to the apps.

You mention that GAEN is handling a bunch of stuff, and that "whatever objections [I] have to SwissCovid might well extend to all or some other national Covid-19 apps based on GAEN." It is true that GAEN is handling a bunch of stuff. Nevertheless the party legally responsible for this is the national health authority (see Section 4 of the Exposure Notification APIs Addendum). As you will read there,

You acknowledge and agree that You are, in Your capacity as the legal entity responsible for any user data processed in connection with the use of Your Contact Tracing App, solely responsible for complying with applicable data protection and privacy laws and regulations.

My beef is thus with countries who took shortcuts with that last bit, and this is my basis for telling you those countries might not care very much about the issue you raise, or have put themselves in such a position that they can't do anything about it.