Anonymising communication metadata when communicating with the backend server.

[hiromipaw]

I understand that in the "Data Protection and Security" document you have mentioned that:

Network observers only observe encrypted data between the app and the backend. This
data is the same for every app installation. Therefore network observers can conclude only
that somebody just installed the app . ​

Because there are a lot of information that can be inferred by analysing the metadata of the communications between apps and backend, I was wondering if you would be interested in considering that users should be anonymous with regard to the backend. The property of anonymity itself is more than just providing an encrypted connection between the source and the destination of a given conversation.
Personally, I believe that this requirement would protect the app users that would prefer not to trust the backend (i.e. those fearing possible discrimination).

At the moment in fact you mention that the App would open a TLS connection between the backend and the server, but this connection could be correlated with other information by ISPs or other entities.

Some example of information that could be correlated are:

• location - where the app is activated
• IP addresses - where do the first calls come from

There are possible mitigations that can be considered:

• Activation of the app happens at a later stage from when the user install the apps and gives consent.
• The connection between the app and the backend can pass through a series of proxy servers (other users' apps). Alternatively more secure network protocols could be considered (ex: Tor).

Personally I would be interested in expanding/collaborating on these points, especially with regards to preserving anonymity of users in relation to the backend and other passive eavesdropper.

[lbarman]

Hi hiromipaw,
Thanks very much for your input. We think it’s addressed in our FAQ, see answer P5 there.

[noci2012]

Requiring TOR might help increase the efficiency and help improve TOR as well as mitigating virus data collection.

[hiromipaw]

Hi @lbarman,
thanks for replying on this one. I have had a difficult week and didn't have time to get back to you sooner.
My suggestion regarding mixnets or directly passing some of the connections through the Tor network was just a part of what I was trying to convey.

I think also considering delaying the activation of the app, or making this process async for the backend, could be a mitigation possibility.
What I would try to avoid is 3rd party learning about the user health status and using that data.

For example it could be possible for the app to activate itself offline and start sending communication to the backend at a later point.

Furthermore, while the Tor network wouldn't possibly scale to serve all these users, in its current form, it would still be possible to just protect the first messages the app sends, and not the full traffic.

[lbarman]

hi @hiromipaw; thanks for your message.

What I would try to avoid is 3rd party learning about the user health status and using that data.

This is crucial, we agree!

For example it could be possible for the app to activate itself offline and start sending communication to the backend at a later point.

Yes, why not. The "problem" with specifying this is that this [activation] part will likely be country-specific (each having a specific way of contacting/authenticating their health authorities, country X wanting a QR-code while country Y wants a phone call with a doctor). Without concrete details, it's hard to tell whether Tor/Mixnets/delaying/padding/chaff traffic would help or not. Otherwise we could say "send exactly these messages of these sizes in that order" to avoid leaking information.

But we are aware of the problem, one option would be to propose one recommended way to do this activation/upload.

edit: hence our general recommendation that non-infected users also regularly upload dummy data (with an invalid authorization from the medical authority)

Thanks! Happy to discuss more if you have other inputs