International Association
for Cryptologic Research

Exposure Notification is a system designed by Google and Apple for notifying individuals when they have been exposed to SARS-CoV-2 by coming in contact with someone who has tested positive for the virus. Within GAEN, no user-identifying data is ever uploaded to the central server; users establish their proximity exclusively peer-to-peer and anonymously, with the sole purpose of knowing whether they have been in contact with an individual who may later be deemed to have been infected. The design choices of the protocols in question, which makes them robust against data collection attacks, unfortunately also make them particularly susceptible to data injection by malicious parties. In particular, these protocols allow for a determined attacker to generate false exposure notifications on a mass scale in an undetectable and unpreventable manner. In this paper we highlight how these data injections attacks can be used to implement voter suppression in political elections and to compromise the integrity of the democratic process.