Dependency on GAEN (a closed source component) raises issues

Open marado opened this issue 3 years ago • 6 comments

Hi there. This is by no means an exhaustive list, but:

  • These past few days, the Irish Covid Tracker app users suffered huge battery drain, leading many to uninstall the app. The issue was with GAEN, and was silently fixed by Google: https://twitter.com/HSELive/status/1293888350504591362

  • There are hints of a new API version, but no documentation, no changelog, no roadmap is available. https://github.com/google/exposure-notifications-android/commit/339ea6342c7a25a2c238588cb097627ebb020b69

  • The current distribution model of one of the components needed in order to use GAEN on Android raises questions and concerns: https://github.com/stayawayinesctec/stayaway-app/issues/15#issuecomment-668760568

  • There are several known issues on the GAEN framework, but they lack proper documentation, to ensure transparency https://github.com/DP-3T/documents/issues/327 . The problem is highlighted when we see claims in the press about how bullet-proof and privacy-preserving this application is, which seem to purposefully ignore the already known issues

  • These examples come to illustrate and reinforce the concerns by several actors, from academia ( https://down.dsg.cs.tcd.ie/tact/transp.pdf ), data protection specialists ( https://jornaleconomico.sapo.pt/noticias/contact-tracing-caminho-seguro-ou-passo-em-falso-623571 ) to institutions like the Portuguese Association for Free Software (ANSOL) ( https://ansol.org/STAYAWAY-COVID ), or the Portuguese Data Protection Agency (CNPD) ( https://www.cnpd.pt/home/decisoes/Par/PAR_2020_82.pdf ), who alert to the dangers of depending on a closed source component (GAEN) for this solution.

  • Implementing DP-3T is possible without closed source dependencies https://github.com/DP-3T/dp3t-sdk-android/issues/143 , and there are several reasons to opt for that more transparent approach https://github.com/DP-3T/dp3t-sdk-android/issues/10

  • Deutchland is noticing similar issues, in particular since "no clear agreements have been reached with Google and Apple about reprocessing data gleaned via the app." https://www.dutchnews.nl/news/2020/08/dutch-privacy-watchdog-says-coronavirus-app-still-needs-work/

Therefore, I am opening this issue to propose to the project that the issues that arise from having a closed source dependency on GAEN must be openly addressed.

As a "starting point", I'll also link to https://www.lusa.pt/article/RuzdrRtnLzuClNfx09aPxzMSZM5iuSI1 , where INESC TEC's administrator is quoted saying:

“Ao estarmos a usar estas funcionalidades da Apple e da Google perdemos o controlo sobre elas, mais ainda, apesar da aplicação e todo o sistema ser código aberto, esta parte não é e, portanto, perdemos esse controlo”, disse, acrescentando que esta é “uma fragilidade que não vai ser ultrapassada”. “Deixarmos de usar estas funcionalidades da Google e da Apple significaria não termos aplicação”, sublinhou.

(In English, my translation:)

"By using these features from Apple and Google we lose control over them, and besides, while the application and the whole system is open source, this part isn't and so we lose that control", he said, adding that this is "a fragility that is not going to be overcome". "No longer using these features from Google and Apple would mean not having an application", he highlighted.

Aug 18 '20 12:08 marado

Another useful link related to the second point of my initial post (re: API v1.6) here: https://github.com/DP-3T/dp3t-sdk-backend/issues/214#issuecomment-675478720 : there are already planned changes to the backend to accommodate the API version we still know nothing about...

Aug 18 '20 13:08 marado

I believe this link also contains useful information: https://lasec.epfl.ch/people/vaudenay/swisscovid.html#ag

Oct 14 '20 18:10 marcelosousa

Is anyone aware of a possible solution for this?

Oct 22 '20 10:10 joaoportela

I believe this link also contains useful information: https://lasec.epfl.ch/people/vaudenay/swisscovid.html#ag

@vincenzoiovino was able to perform a replay & "time travel" attack on the GAEN implementation by transmitting spoofed RPIs to nearby devices.

Current open issues regarding this subject on the Immuni App (Italy official app):

https://github.com/immuni-app/immuni-app-android/issues/278

https://github.com/google/exposure-notifications-internals/issues/19

Oct 23 '20 14:10 joaovarelas

There is now a GAEN replacement implementation on Germany's app: https://fsfe.org/news/2020/news-20201208-01.en.html

Dec 08 '20 09:12 marado

The privacy risks of using this closed source dependency are no longer in the theoretical field, with the recent news that GAEN on Android was leaking data: https://themarkup.org/privacy/2021/04/27/google-promised-its-contact-tracing-app-was-completely-private-but-it-wasnt .

May 06 '21 19:05 marado