The short name or acronym of the project

CoronaMelder

The release version of the software application. If there is no official version number, use 20YY-MM-DD-unstable
Android: 1.0.0, iOS: 1.0.4

Main organisation(s) behind the technology

Dutch Ministry of Health, Welfare and Sport (VWS) in cooperation with the Dutch public health authority (GGD)

The web address of the source code of the project
https://github.com/minvws (specifically the nl-covid19-notification-app repositories)

Are all components of the project publicly available under an OSI Approved Licence?
Yes

European Union Public License 1.2
https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/LICENSE.txt
https://opensource.org/licenses/alphabetical

Pointers to other sources of information, e.g. whitepapers, architectural designs

https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/architecture/Solution%20Architecture.md

Original requirements document (in Dutch): https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/publicaties/2020/05/19/programma-van-eisen/20200519+Programma+van+Eisen+def.pdf

Official description of the data flow and the overall architecture

https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/architecture/Solution%20Architecture.md#baseline-approach

Exposure notification

Upload the logo of the project if available. Non-essential, but pretty.

General principles

E.g. Bluetooth, Bluetooth Low Energy, Near-Ultrasound, Ultrasound, LIDAR, 802.11x, Zigbee, infrared, visible light, UV. More than one answer is possible.
Bluetooth Low Energy

Select the technical protocol(s) supported by the application. If the protocol is not yet in this list, please save this page, navigate to the protocols list and add it before proceeding.
Apple-Google

Is the application based on a published technical specification for contact tracing (eg DP3T, BlueTrace, Google-Apple)?
Yes

https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/architecture/Solution%20Architecture.md#googleapple-exposure-notification-framework-gaen

Is there evidence of the (epidemiological) effectivity of the application? Please add any links to information on studies or trial runs that showcase the technology proposed.

Legal/licensing information

Are all components of the project publicly available under OSI Approved Licence(s)? If you know which license(s), please use SPDX identifiers.

EUPL-1.2

If not all components used are open source, please provide a technical description of these components suitable for publication, and any third party security analysis. Provide contact details of each technology supplier.

Proprietary components used are the OS and the Exposure Notification API. The rest of the Android and iOS apps is open source and includes some third-party open source libraries.

The back end is open source (https://github.com/minvws/nl-covid19-notification-app-backend) and runs on Microsoft Windows servers (proprietary) in a Dutch data centre.

If the project is known to be encumbered by (software) patents or other intellectual property claims by any of its creators or known third parties, please indicate which. Also, feel free to list any defensive publications.

Platforms, build environment

On which platforms can the application(s) run?
Android 6+, iOS

Smartphone Google Play Services

Location(s) of the app(s) in various app stores (F-Droid, Google Play, Apple Store, Jolla Store, etc).

https://apps.apple.com/nl/app/id1517652429
https://play.google.com/store/apps/details?id=nl.rijksoverheid.en

What external libraries and SDKs does the application depend on?

iOS: https://github.com/minvws/nl-covid19-notification-app-ios/tree/master/vendor

Android:

https://github.com/minvws/nl-covid19-notification-app-android/blob/master/build.gradle
https://github.com/minvws/nl-covid19-notification-app-android/blob/master/app/build.gradle

https://github.com/minvws/nl-covid19-notification-app-android/blob/master/play-services-nearby-eap/build.gradle
https://github.com/minvws/nl-covid19-notification-app-android/blob/master/test-support/build.gradle
https://github.com/minvws/nl-covid19-notification-app-android/blob/master/signing/build.gradle
https://github.com/minvws/nl-covid19-notification-app-android/blob/master/api/build.gradle

Which tools (IDE, etc.) are necessary to build the application from the available sources?

Android: https://github.com/minvws/nl-covid19-notification-app-android#local-development-setup
iOS: https://github.com/minvws/nl-covid19-notification-app-ios#getting-started

Do different builds of the application yield the same bits?
Yes

There is a verification process in place for the process from source code to deployment in the app stores and back end servers, including an expert third party and a notary. This process and verification statements are published here:
https://github.com/minvws/nl-covid19-notification-app-provenance.

Is the user in control when some or all bits of the application are replaced?
Yes

App updates are pushed to the app stores as usual. Users can block app updates on both iOS and Android and hence are in control of updates. The app notifies the user if it is outdated and therefore no longer compatible with the server (by checking a version number published on the server).

Is the update mechanism compatible with the requirements of TUF (https://theupdateframework.io/security), including resilience against rollback attacks, extraneous dependencies attacks and handling vulnerability to key compromises?
Yes

Security

The updates are protected by the operating system's vendor-managed digital signature framework for the App Store and Play Store.

If the developers have published or adopted a dedicated threat model for their app, provide a web link.

(in Dutch): https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/architecture/Crypto%20Raamwerk.md#bijlage-a-dreigingsoverzicht

If there have been in-depth security analyses of the application(s) and/or underlying protocols, provide web links to publicly available reports. One line per report.

https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2020/07/15/testrapport-penetratietest-coronamelder/testrapport.pdf

If there are known security weaknesses or shortcomings that are currently unresolved, please provide a link to CVEs/bug reports or other available sources.

One known but not disclosed yet (as of 31 Aug 2020): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24722


Is the temporary data stored by the solution protected by modern, strong cryptographic means?

Both on Android and on iOS, the standard sandbox protection is used for the app's temporary data. The TEKs are stored securely by the OS (Android and iOS); as they are not accessible to the app, the app cannot encrypt them itself.
The developers consider these data protection mechanisms adequate.

Exposure of interfaces with critical system level security flaws.

Privacy

General impact assessment

Has a Data Privacy Impact Assessment (DPIA) or equivalent privacy analysis been conducted in relation to the technologies used or proposed by the project? A DPIA is a formal assessment of the privacy risks users are to be exposed to. Provide web addresses of the DPIA and any follow-ups, including any updates, responses or mitigations implemented since in response to its findings.

https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/privacy/Gegevensbeschermingseffectbeoordeling_(DPIA).pdf

Provide links to other noteworthy articles and reports regarding or mentioning the project.

Dutch Authority on Personal Data advice to government: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/advies_voorafgaande_raadpleging_coronamelder-app.pdf

Manifest group: www.veiligtegencorona.nl

Are there any special provisions made for protection of the information of minors, or legally incompetent people?

Mobile app specific questions

Does the solution have complete governance/run-time control over client-side hardware while in deployment, including the OS? Or is there shared tenancy, and are there other applications running?
No

https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/architecture/Solution%20Architecture.md#googleapple-exposure-notification-framework-gaen

Use of the solution does not require the use of an online account which is traceable to individuals, e.g. a vendor account which needs to be activated before a mobile phone can be used.
No

The GAEN framework is available only to registered Apple ID/Google Play account holders.
https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/architecture/Solution%20Architecture.md#googleapple-exposure-notification-framework-gaen

Is use of the solution tied in any way to the use of (an) account(s) with any third party, other than national?
No

The GAEN framework is available only to registered Apple ID/Google Play account holders.
https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/architecture/Solution%20Architecture.md#googleapple-exposure-notification-framework-gaen

Does the application make use of fixed, traceable, device specific identifiers or accounts, like phone numbers, IMEI, etc?
No

The Android and iOS apps use GAEN, whose Rolling Proximity Identifiers (RPIs) change every 10 minutes. No other device-specific identifiers are used.

Is the solution free from telemetry/tracking?
No

No telemetry is present in the app itself. The app only communicates with the back end to download diagnosis keys, to upload TEKs after a COVID-19 diagnosis confirmed by the health authority, and to perform periodic decoy key uploads (to mitigate traffic analysis attacks). Telemetry is, however, enabled by the use of the EN framework and the Google Play/iOS components of the apps.
See: https://www.scss.tcd.ie/Doug.Leith/pubs/contact_tracing_app_traffic.pdf

When the “Usage & diagnostics” option in Google Play Services is enabled (which it is by default), then telemetry data on GAEN operation is shared with Google. The data that Google Play Services sends to Google in these connections also includes, amongst other things, the phone IMEI, the handset hardware serial number, the SIM serial number, the handset phone number, the WiFi MAC address and the user email address. When combined with the potential for fine-grained location tracking via IP address made possible by the frequent nature of the requests Google Play Services makes to Google servers, on the face of it it is hard to imagine a more intrusive data collection setup.

Does the application request/require OS privileges to e.g. recent contacts, the address book, location based services, the camera, etc.?
No

Android (https://play.google.com/store/apps/details?id=nl.rijksoverheid.en, under 'Permissions'):
• run at startup
• view network connections
• pair with Bluetooth devices
• full network access
• prevent device from sleeping
• Exposure Notification API
Hence, no permissions for contacts, address book, location, etc.

iOS:
• refresh in background
• Exposure Notification API
Hence, no permissions for contacts, address book, location, etc.

For each of the requested permissions, explain how the data or the functionality that can be accessed through that permission is used by the application. Specify whether this access is merely local, or whether information obtained through it is shared centrally.

The apps do not have access to contacts, location, etc. They do have access to the Exposure Notification API. The user can opt to share their Exposure Notification TEKs; this requires explicit user consent.

Is there any location data (or equivalent) stored?
No

Does the application or device have a built-in kill-switch where it ceases to function after a predetermined point in time, to avoid unnecessary risk exposure?
Yes

https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/architecture/App%20Termination%20Plan.md

Users can choose whether or not to expose that they are infected, even under pressure or threat.
Yes

The apps do not record the key upload action. After uploading, the apps do not show infection status.
See also section 15 of the DPIA: https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/privacy/Gegevensbeschermingseffectbeoordeling_(DPIA).pdf.

Yes

See the DPIA: https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/privacy/Gegevensbeschermingseffectbeoordeling_(DPIA).pdf

Is the privacy and the security of the user of the solution safe from compromise related to external observability of device-specific Bluetooth identifiers?
No

Is a fixed WiFi MAC address broadcast by the solution?
No

Is the Bluetooth ID of the user (or a derivation that can be easily linked back to it) broadcast?
No

Detailed privacy related attributes

The application only shares anonymous attributes.
No

The attributes shared are specified in the Google/Apple Exposure Notification Bluetooth specification. These do not include Personally Identifiable Information.
https://blog.google/documents/70/Exposure_Notification_-_Bluetooth_Specification_v1.2.2.pdf

Can the user of the app review and redact their data, or decide to not upload some data?
No

The user can only upload their entire set of TEKs (Temporary Exposure Keys). These are binary data that cannot be redacted.
The user can decide not to upload the TEKs.

Do users run the risk of involuntary exposure of their social graph?
No

See the DPIA: https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/privacy/Gegevensbeschermingseffectbeoordeling_(DPIA).pdf

Does the application request/require privileges to e.g. recent contacts, the address book or other user-specific data?
No

See above, on the apps' permissions.

Is the real identity (or a strongly linked attribute) stored outside of the user device?
No

See https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/architecture/Solution%20Architecture.md#security--privacy.

Is the phone number of the user (or a derivation that can be easily linked back to it) stored outside of the user device?
No

The apps do not have permission to retrieve the user's phone number from the OS.

No

Is there any location data (or equivalent) stored externally?
No

Is the WiFi MAC address of the user (or a derivation that can be easily linked back to it) stored outside of the user device?
No

Is the Bluetooth ID of the user (or a derivation that can be easily linked back to it) stored outside of the user device?
No

The solution is guaranteed to never leak information about IP addresses of users to the backend.
No

Available third party analysis

The user's IP address is sent to the server as part of the key upload process; this is inherent to the use of IP technology. However, in the data centre's inbound chain, IP addresses are stripped before the key upload is passed on to the upload processing servers. IP addresses are monitored separately for possible attacks. This is also described (in Dutch) in section 3 of the DPIA:
https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/privacy/Gegevensbeschermingseffectbeoordeling_(DPIA).pdf

https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/advies_voorafgaande_raadpleging_coronamelder-app.pdf

Studies and analyses of the technical aspects of the application

Customization and usability aspects

Is the application ready to be used with multiple languages (i18n) if translated strings are provided?
Yes

Both apps support 10 languages: Arabic, Bulgarian, Dutch, English, French, German, Polish, Romanian, Spanish, Turkish.
https://github.com/minvws/nl-covid19-notification-app-android/tree/master/app/src/main/res
https://github.com/minvws/nl-covid19-notification-app-ios/tree/master/Sources/EN/Resources

Give the web address of any accessibility certifications by an accredited certification instance. If there are more than one, put each link on a new line.

https://github.com/minvws/nl-covid19-notification-app-coordination/tree/master/accessibility/Audits/Stichting%20Accessibility
https://github.com/minvws/nl-covid19-notification-app-coordination/tree/master/accessibility/Audits/Appt

Has the assistive technology been designed so as not to expose users with disabilities to additional privacy risks?
No

Backend

Select where and how the data produced by the solution is hosted
Centralized Data store (national/regional)

If an external back-end technology is used in conjunction with the application or device, please provide a link to its repository or home page
https://github.com/minvws/nl-covid19-notification-app-backend

Any other relevant remarks and considerations
Created by Michiel Leenaars on 2020/08/28 17:58