This process requires no cryptographic secrets.
Individual Check-Ins are identified by their trace ID that is generated during the Check-In process (via the Guest App and a QR code scanner, scanning a printed QR code or a static badge and QR code scanner 1).
For a checkout of some previous Check-In, the respective trace ID and the current timestamp are sent to the Luca Server. No further authentication or validation is performed and the Check-In is annotated with the provided timestamp.
The actual checkout might be performed in one of the following ways:
Manual App Check-out¶
After a Guest checked in using the Guest App they are presented with a “Check out” button for the currently active Check-In. Upon user request the Guest App informs the Luca Server as described above and terminates the Check-In. The Guest may now perform another Check-In at some other location.
Automatic Check-out via a Geofence around the Current Venue¶
For an automatic checkout the Venue Owner must provide their venue’s geo location and a “Check-In radius” (geo-fence) in the Venue Information during initial venue registration. Once the Guest physically leaves the venue’s radius, the mobile operating system will inform the Guest App which performs the checkout automatically.
Manual Venue Owner Check-out¶
Venue Owners can checkout all active Check-Ins for their venue via the Venue Owner Frontend. In that case, the Venue Owner Frontend informs the Luca Server about the Venue Owner’s wish to end active Check-Ins at their venue. For instance, restaurants might use this to end all remaining active Check-Ins after they close down for the day.
Inaccurate or Tampered Checkout Times¶
Checkouts must use the trace ID to reference their respective Check-In to the Luca Server. As the trace ID is designed to be anonymous, luca cannot give any authenticity guarantees regarding the stored checkout time. Any implementation trade-offs to extend luca’s guarantees for the checkout time would have had an influence on security objectives O2 and O3.
It is worth noting that a Health Department usually does not blindly follow Luca’s data records when identifying likely contact persons of an Infected Guest, but draws educated real-world conclusions from them. Therefore, any checkout times are merely seen as a hint for real-world contact tracing activities by a Health Department.
Usage of Geo-Location Data by the Operating System¶
The above-described geo fence is implemented locally so the Guest’s location is never stored or sent to the Luca Server. Additionally, the Guest must consent to the usage of location services by the Guest App to use this feature. If they deny consent, they can still use luca but will need to always remember to checkout manually.