Cwa-app-android: Recorded number of exposure checks too high after 14 days

The count increased today from 223 to 237 (difference of 14), which shows that counts stemming from a period previous to the last 14 days are incorrectly not being aged out.

Hello @MikeMcC399,

thank you for reaching out.
Please make sure that the history you are mentioning is not older than 14 days. To verify this, please export the Exposure Notification history as JSON and attach it to this issue.

Also, it is important to know that Google is managing the COVID-19 exposure notifications in your Android settings. This is something we cannot influence with our Corona-Warn app.

After you have shared the JSON file, we can verify that the calls are either from the past 14 days or from even more days than just the last 14 days.

Thank you,
LMM

Corona-Warn-App Open Source Team

Dear LMM @GPclips,

Thank you for your response. Unfortunately the issue Exposure Checks only show 100 entries in the log (Android) https://github.com/corona-warn-app/cwa-app-android/issues/941 reported by @daimpi means that the json file cannot be used to successfully investigate this issue (https://github.com/corona-warn-app/cwa-app-android/issues/1020). Not only are the Exposure checks in the "Export exposure checks" function, and in the UI display, limited to 100, they are also the most recent exposure checks. They therefore only go back 7 days until Aug 7. We are however interested in the older Exposure checks, which are not shown nor exported.

Here is an Excel analysis of the timestamps and the number of records exported:

Timestamp | Number of records
-- | --
August 14, 2020 08:00 | 14
August 13, 2020 06:24 | 14
August 12, 2020 09:30 | 14
August 11, 2020 10:19 | 14
August 10, 2020 07:11 | 14
August  9, 2020 08:32 | 14
August  8, 2020 09:03 | 14
August  7, 2020 09:47 | 2
Total | 100

Here is the file which you requested in any case:
all-exposure-checks 2020 08 14.zip

Google @nic0lette advised in https://github.com/google/exposure-notifications-internals/issues/3 that issues with the Exposure Notification System need to be passed through the Public Health Authority/App developer in my region, so that is why I am reporting the issue here. The Google UI is a useful interface for checking the detailed working of the exposure notification part of the German CWA app, so it makes sense to try to get bugs and limitations in this interface addressed by Google.

I remember that before the Exposure Check log was limited to 100 entries, it contained 17 days.
17 days, each one having 14 server days makes 238. In the afternoon the number of "Überprüfungen innerhalb der letzten 14 Tage" falls back to 224. On my phone the last day with only 13 server days was July 26, so one week ago the number changed from 237 to 223 every afternoon, which it still seems to do on MikeMcC399's device.

Can we ask the Google developers to change the text into "Überprüfungen innerhalb der letzten 17 Tage"?

@kereng5

Can we ask the Google developers to change the text into "Überprüfungen innerhalb der letzten 17 Tage"?

There is an inconsistency in the information which Google displays, and I agree that it seems like 17 days is being reported. So either Google ENS needs to say that 17 days are reported, and to change the text which says "Random IDs are automatically deleted after 14 days" or the number of checks displayed needs to be limited to 14 days.

I can now provide a log file all-exposure-checks 2020 08 26.zip with 16 day's entries. This is from a mobile device running Exposure Notification System 16203302004. The issue #941 which limited the number of exportable exposure checks to 100 records has been solved and is closed.

The text on Google's Exposure Notification System page on the mobile device
(Settings > Google > COVID-19 exposure notifications)
still says "Random IDs are automatically deleted after 14 days" so to be consistent, the log entries for anything older than 14 days should also be deleted.

After installation of CWA 1.5.0 today, October 19, 2020 need to wait at least 14 days to check new exposure check sums.

Fingers crossed!

Hi @MikeMcC399

The issue that i described https://github.com/corona-warn-app/cwa-app-android/issues/1535 appears in the "version 17203915000" of the exposure notification system.

@vaggelisdouros
You have the same version of ENS as I do (17203915000).

Due to a reset on my device on Oct 23, 2020 I lost the previous exposure checks from the logs. I am now waiting to see what happens in the next days. It currently says 14 checks in the past 14 days and I'm expecting that number to increase then stop as older entries are aged out.

I can confirm that on my device it now says

16 checks in the past 14 days

And the oldest entry is 15 days old (today: 05.11., oldest entry: 21.10.)

I guess the expected/correct behavior would be to see the oldest entry to be 14 days old which would mean "15 checks in the past 14 days".

But tbh: I don't mind the current behavior, given that this additional entry which slightly extends over the RPI retention period could sometimes be helpful for debugging and/or understanding how ENF is working.
Imho the only thing which maybe would make sense changing is the descriptor to something more accurate like "x checks in the past 15 days"

My device:

• Samsung Galaxy S8 (Android 9)
• CWA 1.5.1
• ENF v. 17203915000

@daimpi
At the time I reported this issue there was still a lot of uncertainty about how everything worked and there were several bugs around as well. The exposure check had been showing 0 keys, the numbers of exposure checks didn't seem to tie up, and export truncated the list. In addition the exposure check log was not sorted by date and there were (at least) 14 entries per day making it very difficult to read manually.

In the meantime we understand what the exposure check log means, the entries have been reduced to one per day, they are sorted by date, and the limit on the number of entries which can be exported has apparently been increased to 300.

I am also not concerned if ENS saves 16 instead of 14 days worth of logs. We may however want to document a final case together and put it to the Open Source Team to see if they are willing to address it to Google, but I think it is a cosmetic level of severity only with no impact to the core functionality of CWA.

@svengabr, @GPclips and Open Source Team

Please consider passing this report to Google or if you consider it unimportant please close the issue .

The Google Exposure Notification System (including the latest Version 18204215000) on Android says in the user interface:
"Random IDs are automatically deleted after 14 days."

The example log of exposure checks shows that the history of an individual exposure check is deleted after 15 complete calendar days have expired. In the table below, the entry for 23 October 2020, 18:04 was present in the log when it was viewed yesterday, 7 November 2020 and then was no longer present when the log was viewed one day later, today, on 8 November 2020. The date 23 October 2020 is 16 days before the current date 8 November 2020.

So if the statement "Random IDs are automatically deleted after 14 days." is supposed to be applied also to exposure check logs, then it should say 15 days, not 14 days.

Days before today | Exposure check | Log today | Log yesterday
-- | -- | -- | --
0 | 8 November 2020, 01:05 | X |  
1 | 7 November 2020, 01:05 | X | X
2 | 6 November 2020, 02:55 | X | X
3 | 5 November 2020, 02:51 | X | X
4 | 4 November 2020, 02:43 | X | X
5 | 3 November 2020, 02:30 | X | X
6 | 2 November 2020, 02:30 | X | X
7 | 1 November 2020, 02:15 | X | X
8 | 31 October 2020, 02:09 | X | X
9 | 30 October 2020, 01:46 | X | X
10 | 29 October 2020, 01:42 | X | X
11 | 28 October 2020, 01:42 | X | X
12 | 27 October 2020, 01:31 | X | X
13 | 26 October 2020, 01:30 | X | X
14 | 25 October 2020, 02:21 | X | X
15 | 24 October 2020, 02:20 | X | X
16 | 23 October 2020, 18:04 |   | X

@MikeMcC399

So if the statement "Random IDs are automatically deleted after 14 days." is supposed to be applied also to exposure check logs, then it should say 15 days, not 14 days.

We're probably dealing with a discrepancy here:

1. "Random IDs" (TEKs, RPIs) are indeed deleted after 14 days.
2. EN log entries are only deleted after 15 days.

I.e. the statement "Random IDs are automatically deleted after 14 days" is in principle correct b/c it refers to (1) but I can see how this might confuse users b/c they are not able to see the TEKs/RPIs (unless they have rooted their device) and instead are only presented with the EN log entries (2).

But tbh I would rather focus on the text which is written next to the number of checks (the part you can tap on to get the detailed list of checks - underlined in red). It says "x checks in the past 14 days" but that is indeed not correct and should probably read "in the past 15 days". The other text you mention ("Random IDs are automatically deleted after 14 days") is a bit further down in the description (underlined in blue) and given that it's technically correct I'm not too worried about it tbh.

@daimpi
You are right to point out the other place "xx checks in the past 14 days" as being more relevant. I think it is likely to be unintentional for the log to be kept 15 instead of 14 days. We can only find out if we ask Google and they respond.

I have feedback from Google that they will look at this issue with the number of days held in the exposure check log exceeding 14 days and will review fixing it in a future version of ENS 😁 ! That will take time of course. In the past they have done monthly updates.

Although this may seem a trivial point, it is a data privacy problem if data is not purged according to the privacy notice Section 9. Especially if there is a match recorded in the exposure check log, then that data must be deleted after 14 days.

@MikeMcC399 thanks for the info 🙂.

Tbh I'm not too concerned about privacy implications of those older entries given that they are even protected by biometrics. I think they could even be helpful with some debugging in certain circumstances as I said above. But tbh I can live with it either way 😉.

I think, I have a related issue. After reinstalling the app on 3rd of november (because of 9002 errors, resets and crashes after that) the exposure logs never aged out. So the log now keep 17 days instead of 14 and perhaps even more the next days. Otherwise the app works fine. Here is the log off all my exposure checks:

exposure_checks_20-11-2020.txt

Exposure Notification System: 18204217000
CWA: 1.6.1
Android: 6.0
Mobile device: Huawei P8 Lite

@JoFriede

After reinstalling the app on 3rd of november (because of 9002 errors, resets and crashes after that) the exposure logs never aged out. So the log now keep 17 days instead of 14 and perhaps even more the next days.

I just checked on my Samsung Galaxy A50 and the oldest date in the log is Nov 5, 2020. In your log the oldest timestamp is

1. November 2020, 10:55 with 0 key count.

Did you have to do something special on your Huawei P8 Lite to get Google Play services to work? I'm wondering if you have a non-standard environment.

Did you have to do something special on your Huawei P8 Lite to get Google Play services to work? I'm wondering if you have a non-standard environment.

I am "Beta-Tester" of Google Play-Dienste and did not deactivate it till now (Version: 20.42.17). Apart from that, there is nothing special with my Google Play services (Version 6.08-release-335882674) and nothing special on my (not-rooted) device, as far as i know. I'm wondering about the 0 key count on the 3rd of November as well. But since the 4th of November the key count never have been 0 again.

Hi @JoFriede, @MikeMcC399,

I have updated the internal ticket for the developers with your latest reports on this issue.

Best wishes,
DS

Corona-Warn-App Open Source Team

@JoFriede

I am "Beta-Tester" of Google Play-Dienste and did not deactivate it till now (Version: 20.42.17). Apart from that, there is nothing special with my Google Play services (Version 6.08-release-335882674) and nothing special on my (not-rooted) device, as far as i know. I'm wondering about the 0 key count on the 3rd of November as well. But since the 4th of November the key count never have been 0 again.

Just for comparison, I was previously a beta-tester of Google Play services and then I left because I had no idea what was in the beta versions and Google did not respond to any feedback I gave.

Your Google Play services version (Version 6.08-release-335882674) looks different to mine, which says in Settings > Apps > Google Play services
App downloaded from Google Play Store
Version 20.42.17 (120400-342117392)

I have the same ENS version as you (18204217000) which corresponds to V1.8 20.42.17, so although you are a beta-tester of Google Play services it doesn't look like you have a beta version of ENS.

I don't have any good suggestion about how to solve your issue without destroying the stored keys. I would probably just keep an eye on what it does in the next few days and ignore it, if it doesn't cause any other issues. That is probably the least risky thing to do.

I don't have any good suggestion about how to solve your issue without destroying the stored keys. I would probably just keep an eye on what it does in the next few days and ignore it, if it doesn't cause any other issues. That is probably the least risky thing to do.

That's my plan too. As long as the app works fine I won't reset or delte anything.

Nonetheless, today the 3rd of November is still the oldest day in log. So still no entry has been deleted.

@JoFriede

Nonetheless, today the 3rd of November is still the oldest day in log. So still no entry has been deleted.

Your problem is not the generic problem that this thread was opened to track and resolve, which is that generally Android devices are keeping the log data for 16 days before aging them out.

Strange behaviour has been reported by other users with devices which have not had Google Play services pre-installed. Is your Huawei P8 Lite device licensed for Google Play services or did you have to install it manually? If you want to pursue this issue further I think it would be better to open a separate issue for it.

@JoFriede
I noticed there is a warning about Huawei devices on
https://support.google.com/android/thread/29434011?hl=en-GB

"... In addition, sideloaded Google apps will not work reliably because we do not allow these services to run on uncertified devices where security may be compromised. Sideloading Google’s apps also carries a high risk of installing an app that has been altered or tampered with in ways that can compromise user security.

To check if your device is certified, open the Google Play Store app on your Android phone, tap “Menu” and look for “Settings.” You will see if your device is certified under “Play Protect certification.” You can learn more on android.com/certified."

You might want to check if that applies to your device.

You can get to this Google notice through
Settings > Google > COVID-19 Exposure Notifications
then tap the question mark inside the circle on the top right.

@MikeMcC399

Thank you for your effort! According to Google Play Store, my device is certified. Because my device is a little bit older, I think it is not affected by this prohibition of collaboration with Huawei.

Still no log entry has been deleted till now.