cwa-website
Does `traffic_monitoring` need an update?
Your Question
- Website URL Path: https://www.coronawarn.app/en/faq/#traffic_monitoring & https://www.coronawarn.app/de/faq/#traffic_monitoring
- Line / Paragraph: Whole entry
- Question: Is this information there still up to date?
The entry still says:
Furthermore, various additional technical measures will be introduced shortly, for example, by randomly creating and sending false notifications that will be discarded on the server side.
AFAIK the so-called playbook (which creates these random requests) is already implemented (see for example iOS: https://github.com/corona-warn-app/cwa-app-ios/blob/release/2.14.x/src/xcode/ENA/ENA/Source/AppDelegate%20&%20Globals/PlausibleDeniabilityService.swift)
Internal Tracking ID: EXPOSUREAPP-13563
@dsarkar More than half a year passed since I opened this issue, could you give us an update on this? Or maybe mirror it to JIRA?
Thank you
@dsarkar You added the label faq here, but the question I asked in this issue more than 6 months ago has still not been answered. It seems bad to keep possibly outdated information in the FAQ.
This issue continues to stay unaddressed even one year after raising it. There was no comment from the @Open-Source-Team, neither was it mirrored to JIRA.
@dsarkar Please, could you assess this issue? The FAQ entry seems to be very out of date meanwhile.
@larswmh
Hey Lars, @dsarkar somehow doesn't respond to this issue (maybe he has muted it), could you please mirror it to JIRA so that it can be addressed?
Thanks for your question @Ein-Tim. We have created an internal ticket for it and will raise this topic internally. Internal Tracking ID: EXPOSUREAPP-13563
Corona-Warn-App Open Source Team
@Ein-Tim / @larswmh
I'm not sure why this is just a question. I think it is a bug when https://www.coronawarn.app/en/faq/results/#traffic_monitoring says:
"Furthermore, various additional technical measures will be introduced shortly, for example, by randomly creating and sending false notifications that will be discarded on the server side."
using a description in the future.
The FAQ just needs to be changed to show that it is already implemented, e.g.
"Furthermore, various additional technical measures have been introduced, for example, by randomly creating and sending false notifications that will be discarded on the server side."
In Android https://github.com/corona-warn-app/cwa-app-android/blob/main/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/playbook/Playbook.kt was implemented a long time ago and shows the description:
* The concept of Plausible Deniability aims to hide the existence of a positive test result by always using a defined
* “playbook pattern” of requests to the Verification Server and CWA Backend so it is impossible for an attacker to
* identify which communication was done.
*
* The “playbook pattern” represents a well-defined communication pattern consisting of fake requests and real
* requests.
*
* To hide that a real request was done, the device does multiple of these requests over a longer period of time
* according to the previously defined communication pattern statistically similar to all apps so it is not possible to
* infer by observing the traffic if the requests under concern are real or the fake ones.
In this context, the FAQ article https://www.coronawarn.app/en/faq/results/#anonymous should also be reviewed to check whether the statements it makes are currently correct.
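Added example, not part of the thread and not the project's code: a minimal model of the "playbook pattern" quoted above, in which every run sends the same fixed sequence of equally sized requests and the server discards the fake ones. The step order, the `fake`/`data`/`pad` fields, the 1024-byte size and the sample payloads are assumptions made for illustration.

```python
import json

PADDED_SIZE = 1024  # assumed fixed body size for every request (constructed value)
# Assumed fixed order of destinations for one playbook run (hypothetical labels).
PATTERN = ["verification-server", "verification-server", "cwa-backend"]

def build_request(destination, payload=None):
    """Build one request; payload=None produces a fake of identical size."""
    body = {"fake": payload is None, "data": payload or "", "pad": ""}
    missing = PADDED_SIZE - len(json.dumps(body).encode())
    if missing < 0:
        raise ValueError("payload exceeds padded size")
    body["pad"] = "0" * missing  # filler so real and fake bodies have equal length
    return destination, json.dumps(body).encode()

def run_playbook(real_payloads):
    """real_payloads maps step index -> payload; every other step is sent as a fake."""
    return [build_request(dest, real_payloads.get(i)) for i, dest in enumerate(PATTERN)]

def observer_view(requests):
    """What an on-path observer of encrypted traffic is assumed to see."""
    return [(dest, len(raw)) for dest, raw in requests]

def server_handle(requests):
    """Server side: drop fakes, keep only real payloads."""
    kept = []
    for dest, raw in requests:
        body = json.loads(raw)
        if not body["fake"]:
            kept.append((dest, body["data"]))
    return kept

# Constructed sample payloads for a user who really submits a result.
POSITIVE = {0: "constructed-guid", 1: "constructed-token", 2: "constructed-keys"}

if __name__ == "__main__":
    real, fake = run_playbook(POSITIVE), run_playbook({})
    print("observer sees identical traffic:", observer_view(real) == observer_view(fake))
    print("server keeps from real run:", len(server_handle(real)))
    print("server keeps from fake run:", len(server_handle(fake)))
```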
@brianebeling
Please compare the statements in https://www.coronawarn.app/en/faq/results/#anonymous and PR https://github.com/corona-warn-app/cwa-website/pull/3220.
It is unclear whether false notifications are currently enabled or not.
@MikeMcC399 Thanks for the reminder. We are currently reviewing the options we have going forward. I personally think that we could perhaps remove the section from traffic_monitoring and link to it instead. The https://www.coronawarn.app/en/faq/results/#anonymous goes much more in depth and would be a better place to learn about the "additional technical measures". If possible, I'd like to avoid talking about the current status of those additional measures. The anonymous FAQ article already explains the behavior extensively.