Anonymising communication metadata when communicating with the backend server. #39
I understand that in the "Data Protection and Security" document you have mentioned that:

Because a lot of information can be inferred by analysing the metadata of the communications between apps and the backend, I was wondering if you would be interested in considering that users should be anonymous with regard to the backend. The property of anonymity itself is more than just providing an encrypted connection between the source and the destination of a given conversation.

Personally, I believe that this requirement would protect the app users who would prefer not to trust the backend (i.e. those fearing possible discrimination).

At the moment, in fact, you mention that the app would open a TLS connection between the backend and the server, but this connection could be correlated with other information by ISPs or other entities.

Some examples of information that could be correlated are:

There are possible mitigations that can be considered:

Personally, I would be interested in expanding/collaborating on these points, especially with regard to preserving the anonymity of users in relation to the backend and other passive eavesdroppers.

Comments

Hi hiromipaw,

Requiring Tor might help increase the efficiency and help improve Tor, as well as mitigating virus data collection.

Hi @lbarman, I think also considering delaying the activation of the app, or making this process async for the backend, could be a mitigation possibility. For example, it could be possible for the app to activate itself offline and start sending communication to the backend at a later point. Furthermore, while the Tor network wouldn't possibly scale to serve all these users in its current form, it would still be possible to just protect the first messages the app sends, and not the full traffic.

Hi @hiromipaw; thanks for your message.

This is crucial, we agree!

Yes, why not. The "problem" with specifying this is that this [activation] part will likely be country-specific (each having a specific way of contacting/authenticating their health authorities, country X wanting a QR code while country Y wants a phone call with a doctor). Without concrete details, it's hard to tell whether Tor/mixnets/delaying/padding/chaff traffic would help or not. Otherwise we could say "send exactly these messages of these sizes in that order" to avoid leaking information. But we are aware of the problem; one option would be to propose one recommended way to do this activation/upload.

Edit: hence our general recommendation that non-infected users also regularly upload dummy data (with an invalid authorization from the medical authority).

Thanks! Happy to discuss more if you have other inputs.
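The two mitigations the thread converges on, "send exactly these messages of these sizes in that order" and regular dummy uploads from non-infected users with an invalid authorization, can be sketched in a few dozen lines. The block below is an added example written for this page; it is not code from the project or from any participant in the thread. The envelope size, key length, authorization-code format, upload period and constant reply are all assumptions chosen for illustration, not the project's wire format. What it shows is the observer's side of the argument: a passive on-path entity sees the same request size, the same reply size and the same upload slot whether or not the client is infected, while the backend still accepts only reports carrying a valid one-time authorization.

```python
"""Added example (not project code): fixed-size upload envelopes plus
dummy uploads, so that an on-path observer cannot separate infected
reporters from everyone else by message size, reply size or timing.
All sizes, formats and the authorization scheme are assumptions."""
import json
import os
import struct

ENVELOPE_SIZE = 4096        # assumed fixed wire size of every upload body
KEY_LEN = 16                # assumed length of one daily key
MAX_KEYS = 14               # assumed maximum number of keys per report
WIRE_REPLY = b"\x00" * 64   # assumed constant reply, identical for real and dummy


def build_envelope(keys, auth_code):
    """Serialise a report and pad it to ENVELOPE_SIZE with random bytes.

    A 4-byte length prefix lets the receiver strip the padding; the padding
    itself is random so nothing in the path can compress it differently."""
    body = json.dumps({"auth": auth_code, "keys": [k.hex() for k in keys]}).encode()
    if 4 + len(body) > ENVELOPE_SIZE:
        raise ValueError("report exceeds fixed envelope size")
    pad = os.urandom(ENVELOPE_SIZE - 4 - len(body))
    return struct.pack(">I", len(body)) + body + pad


def open_envelope(envelope):
    """Inverse of build_envelope; rejects anything not exactly ENVELOPE_SIZE."""
    if len(envelope) != ENVELOPE_SIZE:
        raise ValueError("malformed envelope")
    (n,) = struct.unpack(">I", envelope[:4])
    if 4 + n > ENVELOPE_SIZE:
        raise ValueError("malformed envelope")
    return json.loads(envelope[4:4 + n])


def make_upload(infected, real_keys=(), real_auth=None):
    """Client side: a real report if infected, otherwise a same-size dummy
    carrying random keys and a random (hence invalid) authorization code."""
    if infected:
        return build_envelope(list(real_keys), real_auth)
    dummy_keys = [os.urandom(KEY_LEN) for _ in range(MAX_KEYS)]
    return build_envelope(dummy_keys, os.urandom(16).hex())


def next_upload_slot(now, period=86400):
    """Upload schedule depends on the clock only; infection status is not an input."""
    return now - (now % period) + period


class Backend:
    """Hypothetical backend: consumes one-time codes issued by the health
    authority, silently drops dummies and replays, always replies the same."""

    def __init__(self, valid_codes):
        self.valid = set(valid_codes)
        self.published = []
        self.accepted = 0

    def handle(self, envelope):
        try:
            report = open_envelope(envelope)
            code = report["auth"]
            if code in self.valid:
                self.valid.discard(code)          # one-time use: replays are dropped
                self.published.extend(bytes.fromhex(k) for k in report["keys"])
                self.accepted += 1
        except (ValueError, KeyError, TypeError):
            pass                                  # malformed or dummy: no distinguishable error
        return WIRE_REPLY


def observer_view(envelope, reply, upload_time):
    """What a passive on-path observer learns: sizes and slot, nothing else."""
    return (len(envelope), len(reply), next_upload_slot(upload_time))


def demo():
    # Constructed sample data: three daily keys and one valid authorization code.
    real_keys = [bytes([i]) * KEY_LEN for i in range(3)]
    auth = "a1b2c3d4"
    backend = Backend([auth])
    real = make_upload(True, real_keys, auth)
    dummy = make_upload(False)
    t = 1_700_000_123
    view_real = observer_view(real, backend.handle(real), t)
    view_dummy = observer_view(dummy, backend.handle(dummy), t)
    before_replay = backend.accepted
    backend.handle(real)
    return {
        "observer_sees_same": view_real == view_dummy,
        "accepted": backend.accepted,
        "published": backend.published,
        "replay_accepted": backend.accepted != before_replay,
    }


if __name__ == "__main__":
    print(demo())
```

The padding sits inside TLS, so the record lengths an ISP sees reflect the fixed envelope, not the number of keys; the reply is constant so that an accepted report is not distinguishable from a dropped dummy on the wire either. None of this hides the client's IP address from the backend itself, which is the separate point the Tor discussion in the thread addresses.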