Guest Checkout

For effective contact tracing, the Health Departments must know in what time frame an Infected Guest was present at any given location. Hence, Guests must check out of locations when they leave.

Overview

Assets

Preconditions

Postconditions

Secrets

This process requires no cryptographic secrets.

Checkout Process

Individual Check-Ins are identified by their trace ID, which is generated during the Check-In process (via the Guest App and a QR code scanner, by scanning a printed QR code, or via a static badge and a QR code scanner [1]).

For a checkout of some previous Check-In, the respective trace ID and the current timestamp are sent to the Luca Server. No further authentication or validation is performed and the Check-In is annotated with the provided timestamp.

The actual checkout might be performed in one of the following ways:

Manual App Check-out

After a Guest has checked in using the Guest App, they are presented with a “Check out” button for the currently active Check-In. Upon user request, the Guest App informs the Luca Server as described above and terminates the Check-In. The Guest may now perform another Check-In at some other location.

Automatic Check-out via a Geofence around the Current Venue

For an automatic checkout the Venue Owner must provide their venue’s geo location and a “Check-In radius” (geo-fence) in the Venue Information during initial venue registration. Once the Guest physically leaves the venue’s radius, the mobile operating system will inform the Guest App which performs the checkout automatically.

Manual Venue Owner Check-out

Venue Owners can check out all active Check-Ins for their venue via the Venue Owner Frontend. In that case, the Venue Owner Frontend informs the Luca Server about the Venue Owner’s wish to end active Check-Ins at their venue. For instance, restaurants might use this to end all remaining active Check-Ins after they close down for the day.

Time-based Check-out after 24 hours

Regardless of the checkout mechanisms described above, any Check-In is automatically checked out after 24 hours by the Luca Server.

Security Considerations

Inaccurate or Tampered Checkout Times

Checkouts must use the trace ID to reference their respective Check-In to the Luca Server. As the trace ID is designed to be anonymous, luca cannot give any authenticity guarantees regarding the stored checkout time. Any implementation trade-offs to extend luca’s guarantees for the checkout time would have had an influence on security objectives O2 and O3.

It is worth noting that a Health Department usually does not blindly follow luca’s data records when identifying likely contact persons of an Infected Guest, but draws educated real-world conclusions from them. Therefore, any checkout times are merely seen as a hint for real-world contact tracing activities by a Health Department.
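A simplified model of the checkout handling described under Checkout Process and of the limits discussed in this section, added here as an illustration; it is not luca's code. The class and function names, the in-memory store, the timestamp recorded on expiry and the clamping of the reported window are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

MAX_STAY = timedelta(hours=24)  # time-based checkout limit stated on this page

@dataclass
class CheckIn:
    checkin: datetime
    checkout: Optional[datetime] = None

class CheckInStore:
    """Toy in-memory stand-in for the server-side records, keyed by trace ID."""
    def __init__(self) -> None:
        self.records: Dict[str, CheckIn] = {}

    def check_in(self, trace_id: str, at: datetime) -> None:
        self.records[trace_id] = CheckIn(at)

    def check_out(self, trace_id: str, at: datetime) -> bool:
        # As in the text: the trace ID is the only reference, and the supplied
        # timestamp is stored without authentication or validation.
        rec = self.records.get(trace_id)
        if rec is None:
            return False
        rec.checkout = at
        return True

    def expire(self, now: datetime) -> int:
        # Time-based checkout. Recording checkin + 24 h as the checkout time
        # is an assumption of this example.
        stale = [r for r in self.records.values()
                 if r.checkout is None and now - r.checkin >= MAX_STAY]
        for r in stale:
            r.checkout = r.checkin + MAX_STAY
        return len(stale)

def presence_window(rec: CheckIn, now: datetime) -> Tuple[datetime, datetime, bool]:
    """Return (start, end, plausible), with end clamped to [checkin, checkin + 24 h].

    The clamp is this example's assumption for reading the stored checkout
    time as a hint: values before check-in or in the future are flagged.
    """
    latest = min(rec.checkin + MAX_STAY, max(now, rec.checkin))
    if rec.checkout is None:
        return rec.checkin, latest, True  # still open: bounded by now and 24 h
    plausible = rec.checkin <= rec.checkout <= latest
    return rec.checkin, min(max(rec.checkout, rec.checkin), latest), plausible
```

Records flagged as not plausible keep their stored value; only the window handed to the reader is bounded.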

Usage of Geo-Location Data by the Operating System

The above-described geo-fence is implemented locally, so the Guest’s location is never stored or sent to the Luca Server. Additionally, the Guest must consent to the usage of location services by the Guest App to use this feature. If they deny consent, they can still use luca but will need to always remember to check out manually.


[1] Currently, there is no way for a Guest that uses a Badge instead of the Guest App to perform a manual checkout. See also Inaccurate or Tampered Checkout Times. luca might implement such a feature in the future.