Sybil attack - Multiple accounts to identify infected people
In the risk analysis published by the Robert team ( https://github.com/ROBERT-proximity-tracing/documents/blob/master/Proximity-tracing-analysis-EN-v1_0.pdf ), risk IR1 is "Identify infected individuals". It is stated as one of the most important risks of proximity tracing and lowering this risk has been one of the most expected and revendicated benefits of Robert against decentralized approaches / DP3T.
In this document we can read "In the centralized approach, this de-anonymization attack [...] implies the need to register another account. The cost of this operation would depend on the adopted countermeasures (e.g., proof of work, or anonymous tokens delivered from an trusted party)"
In other words, if an attacker can create many accounts, authors recognize that the centralized approach looses this expected benefit. In other words too, preventing attackers from creating several accounts is required by the team which designed Robert.
In the current implementation, I could not find such protections :
- IP/Ports of users should probably not be logged, it would go against other requirements of the Robert team (to prevent re-identification)
- A captcha is not a solution to prevent multiple accounts creation. It is easy to solve a few tens of captchas manually (which is sufficient in this case) or to buy lots of captha resolution (dedicated mechanical turks)
Am I missing something ? As far as I understand, this critical issue (regarding the published privacy properties) is not yet addressed. How will it be addressed ?