The authorization mechanism to upload data is prone to easy de-anonymization

[GennAvi]

Quoting from the readme file: "To make sure only users who actually tested positive for SARS-CoV-2 upload their keys to the server, the upload procedure can only be performed with the cooperation of an authenticated healthcare operator. The operator asks the user to provide a code generated by the app and inputs it into a back-office tool. The upload can succeed only if the code used by the app to authenticate the data corresponds to that entered in the system by the healthcare operator."

Please make it explicit that by doing that you have to trust the provider of the service (the government) to not collude with the health authority in order to not link the uploaded data with the user's real identity. The attack is really easy: the health authority who is aware of the real identity of user U, can forward the mapping between the activation code and the real identity of U to the server, which can in turn derive the mapping between this code and data uploaded by U. If coupled with Paparazzi attack, this can lead to undetectable fine-grained tracing of targeted individuals.

Note that de-anonymization of uploaded data is also possible via IP address, so some mechanism to ensure anonymity while uploading data is also necessary, but this does not seem to be mentioned either. Please Clarify.

[ivanvisconti]

I agree with the issue. Interestingly, this is not due to limitations of Apple-Google API but instead is just a weakness in the design of Immuni that seems to introduce several privacy threats. I wonder if the team that designed immuni includes any expert of privacy by design. Notice that this is not an inherent privacy problem, it can be mitigated. For instance the privacy-preserving contact-tracing system Pronto-C2 (https://eprint.iacr.org/2020/493.pdf) suggests to use in this phase a cryptographic tool named "blind signature". Why is immuni neglecting such well known mechanisms that are very useful to protect the privacy of the citizens? Let me also add that what @GennAvi is pointing out is a problem documented in the literature (Brutus attacks in the Pronto-C2 paper) so it seems that Immuni is on purpose (not just by mistake, unless they ignore the scientific literature...) trying to deanonymize the citizens that will use it. This is very scary. Anyway, I hope to see the issue solved since it is technically possible as I suggested (i.e., using blind signatures).