Security Objectives

luca provides the following guarantees to the respective actors in the system:

List of Objectives

O1. An Uninfected Guest’s Contact Data is known only to their Guest App

The Guest’s personal data remains undisclosed as long as they have not tested positive (and become an Infected Guest) or shown up in a tracing process by a Health Department (and become a Traced Guest).

O2. An Uninfected Guest’s Check-Ins cannot be associated to the Guest

Individual Check-Ins of an Uninfected Guest are not disclosed. Only when a Check-In shows up in a tracing process (making the Guest a Traced Guest) is this particular Check-In disclosed to the Health Department.

Naturally, the Guest App itself may have knowledge about the Check-Ins.

O3. An Uninfected or Traced Guest’s Check-Ins cannot be associated to each other

The entire Check-In History of a Guest is disclosed to the Health Department if, and only if, the Guest tested positive and explicitly consents to the tracing (making them an Infected Guest). Thus, not even an anonymous Check-In History can be generated.

Note that the Guest App may keep a local history of Check-Ins.

O5. The Health Department learns only the relevant part of the Infected Guest’s Check-In History

The Health Department only learns the epidemiologically relevant part of a Guest’s Check-In History.