luca provides the following guarantees to the respective actors in the system:
List of Objectives¶
O1. An Uninfected Guest’s Contact Data is known only to their Guest App¶
O2. An Uninfected Guest’s Check-Ins cannot be associated to the Guest¶
Individual Check-Ins of an Uninfected Guest are not disclosed. Only when a Check-In shows up in a tracing process (making the Guest a Traced Guest), is this particular Check-In disclosed to the Health Department.
Naturally, the Guest App itself may have knowledge about the Check-Ins.
O3. An Uninfected or Traced Guest’s Check-Ins cannot be associated to each other¶
The entire Check-In History of a Guest is disclosed to the Health Department if, and only if, the Guest tested positive and explicitly consents to the tracing (making them an Infected Guest). Thus, not even an anonymous Check-In History can be generated.
Note that the Guest App may keep a local history of Check-Ins.
O4. An Infected Guest’s Check-In History is disclosed to the Health Department only after their consent¶
O5. The Health Department learns only the relevant part of the Infected Guest’s Check-In History¶
O6. Traced Guest’s Contact Data is disclosed to the Health Department only after Venue Owners’ consent¶
This requirement is meant to mitigate illicit disclosure of arbitrary Guests’ contact information by the authorities.