[lasdfas]

This is great. My only worry is that people shouldn't be allowed to self diagnose Covid-19. It will lead to trolls and cause tons of people self isolating unnecessarily, then eventually not using it once they realize the abuse. Maybe have the sever validate the diagnosis or have the person required to enter a code signed by the server's private key.

[conroy]

My understanding is that to mark yourself as Covid+, you’ll need a code from a health care provider.

I agree that allowing self diagnosis would ruin the entire system.

[emptybits]

A quick scan of the linked project suggests no such healthcare provider code is required. The source[1] suggests the flow is literally: "I Have COVID-19" -> "Are You Sure?" -> "Click OK", and that's that.

Anyways, I take this project to be a proof of concept. One would hope that governments will have healthcare professionals replacing the self-diagnosis step. * hope *

[1] https://github.com/CrunchyBagel/TracePrivately/blob/master/T...

[odensc]

> A quick scan of the linked project suggests no such healthcare provider code is required.

That's why this is a sample app and not the actual application that public health authorities will be using.

See below:

"A representative from Apple and Google's joint contact-tracing project said that their system similarly envisions that patients can't declare themselves infected without the help of a health care professional, who would likely confirm with a QR code." [1]

[1]: https://www.wired.com/story/apple-google-contact-tracing-str...

[Reelin]

Sure, you can report any arbitrary key as positive. I can even do it right here on HN; my positive key that I just made up is "0d d8 cb 25 8a 88 aa df 6a 33 17 5f 59 ad fd bf"!

... now what? Someone has to aggregate that key (along with all the other flagged ones) somewhere, and then end users have to voluntarily choose to download the keys from that source and check for themselves if they came into contact with it. So you would have to get someone to accept your self reported positive key, and then convince a bunch of end users to trust that (apparently untrustworthy) data source.

I expect that most databases will require some sort of authentication from a healthcare provider or known laboratory before they will accept a key from an end user.

[prawn]

Yes, just a concept. Developer tweeted about issues with government’s plan and then spent part of a day building a concept to show how it should be done, then fleshed it out to share code publicly.

[yegle]

If the Rolling Proximity Key is not recorded by other users (e.g. the abuser haven't put their device in a high human traffic location and intentionally broadcast your RPK), attacker uploading Diagnosis Keys will not cause any effect.

If the abuser took the effort to place a device and broadcast RPK for a while, then upload the Diagnosis Keys, I'm hoping Apple or Google have a way to validate the requests is from a legit device and thus abuser would have to have a lot of devices to game the system.

[catchmeifyoucan]

Or possibly they could take a picture of their diagnosis sheet?