Other deployment scenarios and stigmatization concerns

[pdehaye]

In the threat model, the Tech-Savvy user is described as "Blackhat/Whitehat hackers, NGOs, Academic researchers, etc". It might be worth adding explicitly three roles there: journalist, public health authority and epidemiologist.

Indeed it might also be useful for epidemiological research or public understanding to deploy sensors in one location in order to count the number of infections signaled to public authorities transiting through that location, without the need to obtain consent from the individuals (see Art 9.2.i). This might be particularly useful when done along a highway or on a train, for instance.

Note that this deployment scenario introduces new concerns around stigmatization ("this neighborhood is full of infected cases"), but I am not sure how the GDPR appreciation of this would work, as it would amount to an individual encouragement to install an app that would potentially lead to collective effects.

[kennypaterson]

The tech-savvy user classification is meant to capture actors who set out to gain more information from the system than would otherwise be available to users via the app. We don't consider the 3 roles you mention as falling under that classification, except possibly "journalist" under some circumstances. So we don't plan to expand our text here.

The deployment of sensors for "mass harvesting" of ephemeral IDs is part of our threat model, not our operational model. Epidemiology research needs to be supported by other means, e.g. via information about infected individuals that becomes available to the health authority as a natural part of its use of the system.

[pdehaye]

This paper is making assertions about data protection issues as well as privacy.

Please re-open and re-classify as a legal issue. The stigmatization concerns brings in new obligations to explain under GDPR (among others).