Currently, there are a lot of ideas floating around on how to flatten the curve of the SARS-CoV-2 virus pandemic. One of these ideas is an app that records the presence of other devices in the vicinity via Bluetooth. In case of a confirmed infection with the new coronavirus, people who were in close contact with the infected person can be notified and asked (or forced) to self-quarantine.

A lot of conditions have already been put forward to handle the obvious issue of data privacy. These comments focus mainly on issues related to the tracking of people. A privacy-centered app, which does not allow associating an abstract ID with actual people, would rely on responsible participation and adherence to quarantine if notified.

My point, on the other hand, focuses on the method of entering positive results. If authorities cannot connect an abstract ID with the name of a real person, how are positive test results entered into the system?

If the system relies on the users to enter positive results, this would open up the possibility of a new attack type. Of course, people could hide positive test results and not enter them into the system. This is not what I mean. Why should one go to the doctor in the first place, if one wanted to spread the virus?

My point is that people could deliberately enter false positives into the system. An evil-minded person could arrange to be in the proximity of the victim for a certain time, such that the contact is tracked by the app. The only thing the evil person then needs to do is enter a false positive into the system in order to quarantine the victim for two weeks. With such a system, everybody has the power to confine everybody else to their homes for two weeks. Certainly, people would quickly lose trust in such a system, and the veracity of every notification on the app would be questioned.

Entering positive test results into the system is a delicate process. The attack, however, can be mitigated. I can think of two easy solutions.

  • Positive results are certified cryptographically. In this case, attackers cannot forge false-positive results.
  • Positive results can only be entered into the system by authorized testing labs.

I favor the first case. The second case entails the danger that the testing lab can connect the abstract ID with the real person and thus might be able to track people’s movements.
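As an added illustration of the first option (example code, not from the post), a positive result is certified by the testing lab's Ed25519 signature and is accepted into the system only if that signature verifies under a trusted lab key; the record the lab signs is a one-time code for the test itself rather than the app's abstract ID, so the lab learns nothing about the app, and the server also rejects a replayed code. The struct and field names are assumptions made for this example.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "fmt"

// Result is what a lab certifies: a one-time code for the test (not the app's
// abstract ID) plus the test date. Field names are constructed for this example.
type Result struct {
	TestCode string
	IssuedAt string
}

// Certificate is a Result with the issuing lab's Ed25519 signature over it.
type Certificate struct {
	Result    Result
	Signature []byte
}

// canonical fixes the exact bytes that are signed and later verified.
func canonical(r Result) []byte {
	return []byte("POSITIVE|" + r.TestCode + "|" + r.IssuedAt)
}

// Certify is run by the testing lab, the only holder of the private key.
func Certify(labKey ed25519.PrivateKey, r Result) Certificate {
	return Certificate{Result: r, Signature: ed25519.Sign(labKey, canonical(r))}
}

// Accept is the server-side gate: a result enters the system only if a trusted
// lab signed it and its test code was not used before (used = consumed codes).
func Accept(trusted []ed25519.PublicKey, used map[string]bool, c Certificate) bool {
	for _, pub := range trusted {
		if ed25519.Verify(pub, canonical(c.Result), c.Signature) && !used[c.Result.TestCode] {
			used[c.Result.TestCode] = true
			return true
		}
	}
	return false
}

func main() {
	labPub, labPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted, used := []ed25519.PublicKey{labPub}, map[string]bool{}
	genuine := Certify(labPriv, Result{TestCode: "T-7781", IssuedAt: "2020-04-01"})
	fmt.Println("genuine:", Accept(trusted, used, genuine))  // true
	fmt.Println("replayed:", Accept(trusted, used, genuine)) // false
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the server does not trust
	fmt.Println("forged:", Accept(trusted, used, Certify(otherPriv, Result{TestCode: "T-9999", IssuedAt: "2020-04-01"}))) // false
}
```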