anonymous registration at restaurants, hairdressers etc. using CWA

[hackedal]

Problem and motivation

At the moment there are a lot of negative news in the media about the issue, that personal registration data, which has to be left when visiting restaurants, hairdressers etc. has been abused for example by the police. People are afraid of fraud, tending to leave fake contact data, which makes contact tracing impossible in case of an infection.

Feature description

It would be great, if CWA could generate (bypassing the contact tracing API) a "manual" random key, maybe 12 oder 16 characters long, that is presented for a limited amount of time (5 minutes should be enough) on the display of the device. This key can now be written on the restaurant owners guest list. After the key disappeared from the display, it is stored for 14 days locally in my device. In case of an infection, the restaurant owner will send his list to the health authorities, who will inform the people on the list. If there are non-CWA-guests, who left their contact data, they have to do it manually but if a CWA-user has left his generated key, it will be added to the central database and fetched by all the CWA-users and the restaurant visitor will be warned, because his device matched it's own generated key.

This feature would have a lot of advantages:

• full privacy for CWA-users: neither the restaurant owner nor the police will ever know, who was in the restaurant
• a warning for CWA-users, even when non-CWA-users were in the same restaurant
• more CWA-users, because only CWA-users will have the advantage of staying anonymous

I hope you like my idea!

---

Internal Tracking ID: EXPOSUREAPP-2034

[daimpi]

Related:

• Room based exposure notification #59
• [Feature Request] QR code scanner for IDs of (indoor) locations #70
• Restaurant/Event-Mode #77

[chr-chr]

Hello,

I've come up the same idea but in a different way.

To my understanding the Corona-App is bound to an user.

Having the App working/registered as a location on a device provided by owners,
they would get an active guest list.

The Visitor can actively or automatic login and out having full privacy.
Owners can prove their countermeasures.

Regarding the police interests the CWA might help as well:
Actually a backtrace gets done on a positive corona test.
How about giving the police a way to issue a call for witnesses in an anonymous way?

[Ein-Tim]

How about giving the police a way to issue a call for witnesses in an anonymous way?

I don't think thats a good idea (neither do I think the public would appreciate that).
The CWA should just be used to inform the user if they had contact with an Covid-19 sick person.

Edit:
This is also not allowed by Apple (https://developer.apple.com/contact/request/download/Exposure_Notification_Addendum.pdf):

[DirkReu]

In #140 I described a little different approach. Both variants avoid having a open tracking of the user's daily life. It would be worth weighing advantages and cost of both ways.
I close #140 to keep the number of requests small.

[cutec-chris]

An additional positive effect of this feature is, that more users would use cwa cause this feature makes it a lot easyer to "check in" in restaurants,cinemas and so on.

Additional to the ops idea, the restaurants could have an own app that can scan the code and store it. Maybe those app could additionally "scan" (fotograph) the paper formular of non-cwa users and encrypt it and send all together to the Gesundheitsamt if needed. That would also protect non-cwa users from authorities accessing the paper-registrations. Cause the restaurant yould destroy the paper registrations daily after the app has scanned and encrypted it.

Also the additional app could keep track of deleting the encrypted daily files after 14 days.

[mf179]

I like hackedal´s idea. And that it should be enhanced by scanning the code by an App/phone of the restaurant as proposed by cutec-chris.

So the basic functionality would be the same as of today, just that the BT transmission is replaced by code scanning:

• visitor requests CWA to generate a code that is then displayed as QR-code on his phone, visitor´s CWA keeps the code for 14 days
• restaurant´s CWA scans the code, verifies authenticity as a CWA code (to avoid faked QR-codes), confirms reception with some audio signal so that the responsible knows that obligation of registration is fulfilled, and restaurant´s phone/CWA keeps the received code for 14 days

Just the notification process differs as the feature implies a one-way-registration only. An infected visitor can therefore only warn the restaurant´s app (the usual way with sharing his code via server). And the restaurant app (that collected all visitors) needs then to notify the other affected visitors by sharing the related, stored visitors´ codes via the server. The visitors´s apps need to scan the shared codes for their own codes.

I would share Ein-Tim´s concern that everything that is additionally proposed may mainly delay or even hinder the adoption of the basic proposed feature.

It should be noted that while this feature may extend the reach of the CWA the user is still free to deactivate CWA´s BT-contact-tracing, if they don´t like it. Which may further help for adoption. And it works with all phones regardless whether those support the ENF.

[ferdinand]

Looks like the UK app has included a „Venue check-in“ feature.

I‘m pretty sure this feature would give the CWA a remarkable boost. Both, venue owners and guests, would love to use a privacy friendly check-in app instead of paper lists and shady third-party software.

[stbrit]

This would be a game changer. Everyone would get the app if they don't need to fill out paper registrations anymore. And people would be contacted via the app if needed quickly. Such a game changer. Britain managed to do it in their app surely we can as well. This needs to be an absolute priority.

[gittyhub2018]

I think this is a good idea. Another idea is, that the Corona App scan a QR Code in the Restaurants or something like else. This QR Code can be dynamic created at a screen in the restaurant or can printed every hour. This code have following information:

• Date and Time in UTC. (With this information the CWA can proof, that this code is not too old. UTC is Good for exchange from Time Information between Time zones).
• Public Key and cryptographic signing information, that the random key is allowed for CWA using (Spoofing Protection or Protection against illegal hacking from CWA. If you accept too long unsecured strings, you will be hacked if the CWA has a bug. The Public key, who created the restaurant owner can signed from a CWA Trusted Third Party, that this Public key is allowed to use with CWA. Or the Fingerprint must be printed on screen or paper with the QR Code and the CWA user must confirm that this is the Right Public key. The last idea is easier than the trusted third party idea. ).
• random key.
  The guests can scan this QR Code and if the guests must be warn, the random key in the QR Code will be transmitted over the CWA Servers. With a recreation of this QR code every hour you can tell all CWA Users who are effected. The QR Code have not to be changed so fast, because the code is only in the local app and the owner of the restaurant have not to transmit too much keys, after he or she will warn the users. This could be improve the performance, then you have not be transmit too much keys. Restaurants can change the key every hour e.g with a normal paper print (if the restaurants have not enough technology knowledge or similar things for a Screen.). The Date/Time Information is for CWA to local proof the validity of the QR Code. This can improve the acceptance by the owners.
  If the owner need a acknowledge from the CWA, this could be a Bluetooth beacon, who don’t own any personal information from the users. This acknowledgment must not be stored permanently! The MAC Adress or other informations could be have personal information.

This can improve the acceptance of CWA, solve the problem of personal information with guest lists and with a QR Code an owner can easy implement this in his own workflow. An QR Code is easy to create and make the contact tracing safe and easy (KISS-Principles).

Another idea, who is more complicated is to transmit Bluetooth keys in the owner stores. But the CWA must know that this is not a person for tracing. This is a random key for owners of the restaurant. The different is that the CWA does not try to catch the owners signal strength or try to exchange keys. This could have negative effects of battery lifetime and privacy. The QR Code function is easier and safer.

[daimpi]

I just recently saw someone on Twitter suggesting integration of their registration app into CWA to provide this functionality 🚀.

[cutec-chris]

Yeah a lot of people have this idea, and think its good. But noone of the Devs answers here. Maybe thers not enougth money left ;)

[spekulatiusmensch]

There is now a proposal called CrowdNotifier that seems to fit this issue. It would be interesting how it could be integrated into CWA. They actively ask for feedback and I think it should be discussed here as well.

[daimpi]

Linus Neumann also brings up the idea of "Decentralized Presence Tracing" on his blog (German): https://linus-neumann.de/2020/10/die-corona-warn-app-verliert-den-anschluss/

[thomasaugsten]

Die Qr-Codes können für beliebige Events verwendet werden wie man auch an der Auswahlliste beim Erstellen sehen kann. Es ersetzt aber nicht die Papierlisten.
Start und End Zeitraum sind nur für zeitlich begrenzte Events relevant.
Dauerhafte Lokations müssen keine Start und End-Zeitraum eintragen aber es ist empfohlen die QR-Codes regelmässig zu ändern aber das ganze System funktioniert trotzdem wenn die QR-Codes nicht geändert werden und festverklebt sind.

[alanrick]

I'd also really like to see the use-case for this upcoming feature because even though I supported it I can't figure out how it would help so long as the legal requirement for named-visitor lists remains.

Suppose I visit a concert in Baden Württemberg (where LUCA has purchased).

1. The venue has to print a qrcode which I can scan with the luca app (or I scribble my name in a list).
2. The venue can also (optionally) print a qrcode for the CWA which I can optionally scan.

I realise that Luca could code their qrcode to support the CWA, but why should they? It's an extra effort and I believe BW purchased the Luca licence without committing Luca to be compatible with the CWA.

Bottom line, what is the motivation for the venue to generate and print both codes instead of just the Luca qrcode? What is the motivation for the visitor to scan both instead of just Luca?

I'd supported this feature because I'd hoped it would give the general public an easily understood motivation to install the CWA in order to simplify their lives (as in the UK app), but the opposite seems the case.

[alanrick]

The context... these where the advantages of this feature from @hackedal 's original suggestion. But all 3 are offered by the Luca app (or equivalent such as #darfichrein) and the upcoming CWA doesn't offer more. (Edited to remove typo)

This feature would have a lot of advantages:

• full privacy for CWA-users: neither the restaurant owner nor the police will ever know, who was in the restaurant

• a warning for CWA-users, even when non-CWA-users were in the same restaurant

• more CWA-users, because only CWA-users will have the advantage of staying anonymous

The CWA can only offer an advantage when the BMG retracts the obligation for name-lists to be maintained.

[ndegendogo]

@alanrick I don't know details of the solution design of the UK app. How much is it integrated with the health authorities?

when the BMG retracts the obligation for name-lists

of course this is a political decision. But I don't expect this to happen, especially with the rise in all numbers currently.

cwa philosophy is fully anonymous and fully voluntary. Even when I receive a red warning, it is still my own decision if I take a test, if I self-isolate, or if I just ignore it. And if I am tested positive as a cwa user, I can still decide if I am sharing my keys and warn others or don't (although the latter decision would violate our feeling of fairness).

In an anonymous setting (like cwa) what is possible is to notify / warn others. What is not possible is to enforce quarantine or mandatory testing on all (anonymous) participants of an event. But this is what health authorities might need in some cases.

The solution of cwa was designed under time pressure. It is decentral, which contributes imo a lot to the acceptance / adoption of cwa. But it is not integrated with any of the infrastructure of the health authorities.
(I assume this is different with UK?)

[Sundie1]

In addition to your example with the concert @alanrick
As consumer, on entrance, during i wait, i open the Luca app, my Code is scanned.
Now i can go ahead and close the Luca app... but with the cwa during the Check in i had to switch ne app. (close Luca, open cwa, scan again) this Takes a long time. And nobody understand it.
On other Locations the same. No consumer will open the first App, scan, switch the App and scan again.

Why must Luca change their System to Support the cwa qrCode? They are the market leader. The cwa should handle the Luca Codes.
But becouse there are no usecases for the cwa checkin i think it isnt neccassary to invest development time. If cwa want to beat Luca, the cwa System must be better.

The cwa is good as it is with the nearby contact tracking.
And the nearby contact tracking with Bluetooth will work on my private Birthday. The usecase Birthday and private Event dont need any qr code checkin.

Now i wait for the cwa checkin Release and wait what the politicans and Newspaper will say.

[alanrick]

@alanrick I don't know details of the solution design of the UK app. How much is it integrated with the health authorities?
...
(I assume this is different with UK?)

I shouldn't have mentioned the UK as this is irrelevant. But for the record this is user-anonymous and decentralised, but linked to the health authorities; eg to trigger notifications from a venue (which is not anonymised - I can see in my app which venues I visited, when, and the health authority can trigger a notification with the venue as the source)

I'm not suggesting the UK app is technically better, but by offering the convenient qrcode check-in and by not requiring additional apps or paper lists they increased both the usage ratio and cluster detection.

My struggle is understanding the use-case of this CWA feature, because the advantages described in the initial suggestion no longer apply when the CWA cannot be used alone for venue-checkins, but only in conjunction with a name-checkin app. I don't see how this encourages adoption and the other advantages listed are delivered by the name-checkin app.

[thomasaugsten]

Every 3rd party app to replace the paper lists can generate an CWA code in their QR-Code.
The idea ist that the host is generating by default into his QR-Code an CWA-Code. When a user is scanning the qr-code with the fitting digital paper list app like Luca he sees an button to also checkin into the CWA. When he press the button he will get redirected to the CWA and can press checkin to checkin into the location an to receive warning immediately without waiting to get contacted by the Gesundheitsamt
And not all Gesundheitsämter are supported by the Luca at the moment 104 of 400

[alanrick]

So the use-case is that:

I check-in to a concert, and later another member of the audience using the CWA who was outside my bluetooth range is tested positive but I get notified by the app.

And the advantage is none of the three listed in the original suggestion but a 4th:
4) I'm notified earlier than had I waited for the Gesundheitsamt.

Correct?

I'm not convinced this is as significant as if the BMG dropped the obligation for name-lists so that the original 3 advantages were provided by the CWA.

[alanrick]

Just to add that the Computer Chaos Club has released a statement about the Luca App.

https://www.ccc.de/de/updates/2021/luca-app-ccc-fordert-bundesnotbremse

I hope this will motivate the authorities to allow anonymous venue check-ins via the CWA instead to significantly improve the use-case of the CWA, leading to CWA uptake.

[MikeMcC399]

@alanrick
Wow! Thank you for posting about the Luca app! I am completely shocked 😧 !

Great work on the side of the CWA app though to continue to add value without compromising privacy! I'm looking forward to seeing the release of 2.0 (even though we are in lockdown and I don't see myself checking into any venues the next days!).

[alanrick]

Great work on the side of the CWA app though to continue to add value without compromising privacy!

Exactly. This is revolutionary - not just in theory but in practice. Kudus to all CWA developers.
I'm just furious, that the RKI and BMG have been so sluggish at understanding this, indirectly promoting disdain in the general public. A huge lost opportunity.

(edited - furious not disappointed)

[raceface2nd]

I pointed the anonymized checkin out as well in this post #446 (comment) as the quick test result transfer should work accordingly anonymized.

[vaubaehn]

@thomasaugsten @mlenkeit

Every 3rd party app to replace the paper lists can generate an CWA code in their QR-Code.
The idea ist that the host is generating by default into his QR-Code an CWA-Code. When a user is scanning the qr-code with the fitting digital paper list app like Luca he sees an button to also checkin into the CWA. When he press the button he will get redirected to the CWA and can press checkin to checkin into the location an to receive warning immediately without waiting to get contacted by the Gesundheitsamt
And not all Gesundheitsämter are supported by the Luca at the moment 104 of 400

As we can expect the release 2.0 soon, would you say the specification of the presence tracing QR code data has been finalised?
If so, would be good if you contacted luca, they're somehow waiting ;)
https://gitlab.com/lucaapp/android/-/issues/32

[vaubaehn]

If so, would be good if you contacted luca, they're somehow waiting ;)

The 'draft status' from the Event Registration documentation has been removed, so luca should now be prepared ;)

[Ein-Tim]

@vaubaehn

I told the luca people about this (;

[alanrick]

Kudus to all developers- Ux, code... The implementation is so beautiful that I've already persuaded several friends who'd deinstalled the CWA to reinstall it. It's a shame it took 9 months to arrive (I guess the delay was in approving the development rather than coding) and I'm still hoping the rules will change to permit anonymous checkins with the CWA to increase the apps usage, and hence effectivity (the principle goal), but even without that - it's a success story.

A brilliantly implemented feature.

[Ein-Tim]

Hey @hackedal, version 2.0, which contains the event-registration, has been released on the 21.04.2021 (see blog post "Project team releases Corona-Warn-App 2.0 with event registration"). The releases can be found here for Android and here for iOS.
The feature indeed is not exactly the same as what you've been asking for here, but do you think that another solution, besides of the event-registration feature in version 2.0, is needed?
If you see your proposal fulfilled by the event-registration feature, I'd like to ask you if you could close this issue.

Thank you!

[Sundie1]

German:
Ich finde die Umsetzung und das look&feel der V2.0 bezüglich der QR Code Erfassung gut gelungen.
Stringend wäre es ja wenn der Nutzer sich jetzt aussuchen kann. Entweder CWA oder Papierliste.
Das können aber nicht die cwa Entwickler machen. ABER die CWA Entwickler haben in einer Bundeseigenen App eine Funktion gebaut um eine andere Vorgabe die vom Bund kommt zu digitalisieren (digitalisieren ist ja das Wort schlecht hin bei den Politikern) das bedeutet diese Funktion sollte doch jetzt auch den eigenen Gesetzlichen Vorgaben zur Kontaktnachverfolgung entsprechen.
I know das ist hier in github nicht der richtige Ort für diese Diskussion. Wollte es dennoch mal aufschreiben, denn der Ursprungsgedanke war ja wenn ich das richtige deute a) anonymisierung der Registrierung b) Abschaffung der Zettel. (a ist erledigt) ;-)

[jucktnich]

Just a question (don't know if this is the right place). What happens if a person, who don't uses CWA got tested positive, can the Event owner give a warning to the CWA users? And if this is possible in the app (I didn't found something like that) how could you make this possible for the website?

[Ein-Tim]

@jucktnich

This is not possible currently. Feel free to open an enhancement request.

[heinezen]

Hello everyone,

This feature has been implemented in CWA 2.0 as part of the event registration feature.

This issue will be closed. If you have new ideas for the current implementation of the feature, please consider opening a new issue.

---

Corona-Warn-App Open Source Team