We present an analysis of the SwissCovid application, which is currently being tested. We observe that the essential part of SwissCovid is under the control of Apple and Google. Outsourcing the heart of SwissCovid to Apple and Google has apparent benefits in terms of security but drawbacks in terms of transparency, flexibility, and sovereignty. We observe that SwissCovid is far from being open source. The source code is kept by Microsoft. The protocol is implemented and controlled by Apple and Google. The server is hosted by Amazon. The current information suffers from unclear or incorrect statements. We confirm some of the threats which had been identified before. Users may be traced or identified by third parties while tracing is on. Diagnosed users who report using SwissCovid risk being identified by a third party. Malicious users may create false encounters and inject false at-risk notifications on targeted phones. They could abuse the system to have vacations paid by authorities by self-injecting false alerts. Diagnosed users could be corrupted into selling a covidcode, which would ease those attacks. Malicious apps could collect more information or do the job of SwissCovid outside of any control, and on behalf of a third party, even when SwissCovid is deactivated.