[Reelin]

It's a bit more complicated than that. What's being suggested here is that it would be possible for a bad actor to observe all Bluetooth activity over a large area. They could then use a diagnosis key to reconstruct someone's path through this monitored area, and then deanonymize that person by combining their path with other data sources. Later, an uneducated and hostile individual might somehow gain access to this deanonymized data and abuse it.

[nsgi]

Couldn't they do that for anyone with bluetooth on, whether or not they're using the app? I get that knowing they have Coronavirus might make them a bigger target, though

[Reelin]

Sort of.

If you enable the framework but never test positive (and thus never publish any of your keys), it's no different than if you had just kept Bluetooth on all the time.

If you enable the framework, later test positive, and choose to publish your diagnosis keys, each key can be used to link all your rolling identifiers together for the corresponding time period (nominally 24 hours). Contrast this with a randomizing Bluetooth implementation, which never intentionally reveals anything that would allow the different MAC addresses to be linked.

Of course, Bluetooth MAC address randomization itself is trivial to defeat for a reasonably capable and motivated adversary. If they can plant a bunch of radios for the purpose of tracking you, why can't they also use cameras?

[azinman2]

That would work if there's just 1 person who is crossing the path, and you're able to physically identify them. If it's a crowd of people, you won't know who was what device unless their device is immediately next to the evil antenna. This isn't very realistic in practice, and is very unlikely to become common place world-wide. However, the virus IS already world-wide, and is a giant threat to many.

[Reelin]

> If it's a crowd of people, you won't know who was what device unless their device is immediately next to the evil antenna.

Actually that's not true for the situation I described.

The bad actor would be able to connect any of your broadcast identifiers they observed back to each other via the diagnosis key that you published. Assuming they have a number of nodes monitoring Bluetooth traffic over a broad area that you passed through, they will be able to reconstruct the path you traveled over time.

For a naive implementation, the resolution of this reconstruction would depend on the spacing of the nodes. For a more advanced implementation, other data could be integrated to drastically improve it. Remember, your Bluetooth device is a broadcasting radio at the end of the day.

As to the likelihood of such things becoming commonplace worldwide, do bear in mind that many devices now periodically randomize their Bluetooth MAC addresses due to real world examples of tracking. Thankfully in this case it would only be possible to compromise the privacy of those who tested positive, and only within a singe 24 hour period (ie the daily tracing key rotation time frame) at that.

[azinman2]

Yes, I agree this is true if someone was to go to extreme efforts. It seems to me personally quite unlikely, especially since the governments are already the ones who distribute the apps, and at least it seems in the initial implementation, are the ones who confirm your status.

I'm much more concerned about reducing COVID-19 to save millions of lives.