Privacy Considerations

The key schedule is fixed and defined by operating system components, preventing applications from including static or predictable information that could be used for tracking.

A Temporary Exposure Key is required to correlate between a user’s Rolling Proximity Identifiers. This reduces the risk of privacy loss from broadcasting the identifiers.

Without the release of the Temporary Exposure Keys, it’s computationally infeasible for an attacker to find a collision on a Rolling Proximity Identifier. This prevents a wide range of replay and impersonation attacks.

When reporting Diagnosis Keys, the correlation of Rolling Proximity Identifiers by others is limited to 24 hour periods due to the use of Temporary Exposure Keys that change daily. The server must not retain metadata from clients uploading Diagnosis Keys after including those key in the aggregated list of Diagnosis Keys per day.

Test Vectors‌

Test vectors for interoperability testing between implementations of this specification are available upon request in a machine-readable format.

• Overview

• External Functions

• Key Schedule for Exposure Notification

• Positive Diagnosis

• Value Matching of Positive Users

• Privacy Considerations

• Test Vectors

• Revision History