What is ensureMinNumExposures supposed to do?

[OttoWinter]

While trying to build a script to analyze some of the Stopp-Corona data I stumbled on this method ensureMinNumExposures in the export service:

RCA-CoronaApp-Backend/src/main/java/at/roteskreuz/covidapp/service/ExportService.java

Lines 316 to 349 in d90c655

	private List<Exposure> ensureMinNumExposures(List<Exposure> exposures, String region, Integer minLength, Integer jitter) throws NoSuchAlgorithmException {
	List<String> diagnosisTypes = Arrays.asList("red-warning", "yellow-warning");
	if (exposures.isEmpty()) {
	return Collections.EMPTY_LIST;
	}
	Random random = new Random();
	int extra = random.nextInt(jitter);
	int target = minLength + extra;
	Integer fromIdx;
	SecureRandom secureRandom = SecureRandom.getInstanceStrong();
	while (exposures.size() < target) {
	// Pieces needed are
	// (1) exposure key, (2) interval number, (3) transmission risk
	// Exposure key is 16 random bytes.
	byte[] bytes = new byte[ApplicationConfig.KEY_LENGTH];
	secureRandom.nextBytes(bytes);
	fromIdx = random.nextInt(exposures.size());
	Integer intervalNumber = exposures.get(fromIdx).getIntervalNumber();
	fromIdx = random.nextInt(exposures.size());
	Integer intervalCount = exposures.get(fromIdx).getIntervalCount();
	String diagnosisType = diagnosisTypes.get(random.nextInt(diagnosisTypes.size()));
	Exposure exposure = new Exposure(new String(Base64.getEncoder().encode(bytes)), null, region, intervalNumber, intervalCount, diagnosisType);
	// The rest of the publishmodel.Exposure fields are not used in the export file.
	exposures.add(exposure);
	}
	return exposures;
	}

I'm assuming this method is there to add some additional anonymization to people who report keys. So to add some keys to make keys with actual confirmation indistinguishable from random noise.

However, this method is pretty useless as-is. One can just download the 7d and 14d exposure export, and then take the intersection of the keys. Each export has its own random keys, so the intersection only leaves "real" keys.

Since this is only a minor issue (and there probably exists no solution to the base problem), I'm posting this here as an FYI. I'd recommend removing the method because it just adds more data to download for each user, but it's low-priority at best.

[OttoWinter]

I've created a POC here which demonstrates how to extract actual exposures from the exported archives: https://github.com/OttoWinter/corona-de-at-data (run python3 at_stop_corona_dump.py)