COVID-19, Koronavilkku, Errors, Honeytoken
Corona virus / COVID-19 national tracking application in Finland is under my testing. Let's see how this works out and if there are any bugs / features to report out. It's designed to make tracking infection chain much easier, by allowing tracking people and their contacts. (Probably a gold mine for intelligence services?) Service is voluntary to install and it's free to use. Application also allows to warn people whom might have gotten infected via contacts when someone is tested as positive. Application is basically recording where you have been, when you've been, how long you've been there and whom you've been with and how close. They claim that the application data is protected and won't be shared without being connected to infection channel and being interviewed by officials. Yet it remains interesting question how this is technically implemented. I'm wondering if this also drains battery. Involved with this project are: THL (Finnish Institute for Health and Welfare), STM, Kyberturvallisuuskeskus (National Cyber Security Center, later NCSC-FI), Kela, Sotedigi and Solita (mobile app developer). All users and identities of the appliation are pseudonymous. From technical perspective the application is running in the background constantly and using Bluetooth Low Energy (BLE) (@ Wikipedia) and it's utilizing the Exposure Notifications System (GAEN / ENS) (@ Wikipedia). Following international standard DP-3T (Decentralized Privacy-Preserving Proximity Tracing). Back-end is probably (Speculation) run by Cygate / Crescom and kept in Finnish data centers. Officially the data is owned by Kela. Platform utilizes Openshift containers, and access to it is restricted to European Union using a firewall. It contains two sections / databases, registry of infected "identifiers" and registry of alert activation codes. iOS app is written using Swift and Android version using Kotlin. Backend uses Postgres database and two service exposure-notification and publish-token. The publicly facing project website koronavilkku.fi (@ koronavilkku.fi) is hosted at Hetzner, Helsinki Data Center. Technically not in Helsinki, but in Tuusula. I were curious to see, if the user / location data is being sent to Google, Amazon or Microsoft. Positive thing is that only pseudonymous identifiers are shared in case of alerts are triggered. And the actual alerts are being sent to the database as well as pseudonymous pseudorandom identifiers are regenerated every 10 minutes based on random temporary exposure key which is regenerated daily. This is nice optimization, which reduces amount of data needed in the exposure database by factor of 144. Keys are 16 bytes aka 128 bits. From this daily information the Rolling Proximity Identifier Keys can be generated. Yet, it's still required that the random identifiers are processed as personally identifying information (PII) and the information must be destroyed after 21 days. Which keeps the database small and limits abuse potential greatly. Application is also security audited by NCSC-FI. The application is called Koronavilkku in Finnish. As usual it turns out that all the Finnish articles and news about this application were totally inaccurate as usual. Interestingly the reporting resolution in Finland is said to be 15 minutes, which would mean 7.5 minute identifier intervals. kw: COVID-19, tracking app, ENS. Also studied the: Google's documentation about Exposure Notifications (@ google.com). Which explains key schedules, encryption, and detailed Bluetooth payloads. The Wikipedia article about Exposure Notification (@ Wikipedia) is also pretty sweet and compact.
I'm pretty paranoid privacy techie and worst thing I can come up with the Koronavilkku (@ Wikipedia) app is the fact that the Bluetooth BLE needs to be enabled. Someone has clearly thought a lot about the privacy of this application or ENS from technical perspective. kw: Exposure notifications, ENS, privacy
Stupidification of error messages? Windows Activation error message is legendary. Can't activate, check internet, or contact administrator, click here if I've changed hardware. - So, what's the problem? The error message is absolute garbage. Absolute and utter s*it! - Thank you Microsoft!
Something not so different? Honeytoken (@ Wikipedia).