Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

What is ensureMinNumExposures supposed to do? #13

Open
OttoWinter opened this issue Jul 24, 2020 · 1 comment
Open

What is ensureMinNumExposures supposed to do? #13

OttoWinter opened this issue Jul 24, 2020 · 1 comment

Comments

@OttoWinter
Copy link

While trying to build a script to analyze some of the Stopp-Corona data I stumbled on this method ensureMinNumExposures in the export service:

RCA-CoronaApp-Backend/src/main/java/at/roteskreuz/covidapp/service/ExportService.java

Lines 316 to 349 in d90c655

private List<Exposure> ensureMinNumExposures(List<Exposure> exposures, String region, Integer minLength, Integer jitter) throws NoSuchAlgorithmException {
List<String> diagnosisTypes = Arrays.asList("red-warning", "yellow-warning");
if (exposures.isEmpty()) {
return Collections.EMPTY_LIST;
}
Random random = new Random();
int extra = random.nextInt(jitter);
int target = minLength + extra;
Integer fromIdx;
SecureRandom secureRandom = SecureRandom.getInstanceStrong();
while (exposures.size() < target) {
// Pieces needed are
// (1) exposure key, (2) interval number, (3) transmission risk
// Exposure key is 16 random bytes.
byte[] bytes = new byte[ApplicationConfig.KEY_LENGTH];
secureRandom.nextBytes(bytes);
fromIdx = random.nextInt(exposures.size());
Integer intervalNumber = exposures.get(fromIdx).getIntervalNumber();
fromIdx = random.nextInt(exposures.size());
Integer intervalCount = exposures.get(fromIdx).getIntervalCount();
String diagnosisType = diagnosisTypes.get(random.nextInt(diagnosisTypes.size()));
Exposure exposure = new Exposure(new String(Base64.getEncoder().encode(bytes)), null, region, intervalNumber, intervalCount, diagnosisType);
// The rest of the publishmodel.Exposure fields are not used in the export file.
exposures.add(exposure);
}
return exposures;
}

I'm assuming this method is there to add some additional anonymization to people who report keys. So to add some keys to make keys with actual confirmation indistinguishable from random noise.

However, this method is pretty useless as-is. One can just download the 7d and 14d exposure export, and then take the intersection of the keys. Each export has its own random keys, so the intersection only leaves "real" keys.

Since this is only a minor issue (and there probably exists no solution to the base problem), I'm posting this here as an FYI. I'd recommend removing the method because it just adds more data to download for each user, but it's low-priority at best.
@OttoWinter
Copy link
Author

I've created a POC here which demonstrates how to extract actual exposures from the exported archives: https://github.com/OttoWinter/corona-de-at-data (run python3 at_stop_corona_dump.py)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@OttoWinter