•
TRL — Transmission Risk Level: a coarse value based on testing and venue information.
•
Venue — Any event, venue, or other location that offers Check-In.
Off-Device Venue Check-Ins
When a person uses the Check-In Mechanism, their phone receives and records data provided by that mechanism.
That data must include thevenue’scryptographically secure random seed value, which must contain at least 128 bits
of entropy. The data received from the Check-In Mechanism can optionally include other information in addition to the
cryptographic seed, such as a venue name, address, or a default attendance duration.The venue must generate the
cryptographic seed, locally, on device and must not share it with any central entity or database — including any owned
or managed by the PHA — nor share any other value from which a central entity or server might derive the seed.
If a PHA uses an NFC device or any other device capable of two-way communication, the phone must not send any
user-identifiable or device-identifiable information back to the Check-In Mechanism.
User Check-In
When a person arrives at a venue that supports the Check-In System, they can use their phone to Check-In. When
they use the Check-In Mechanism, their app must securely store the venue’s cryptographic seed along with the date
and time of the scan.During Check-In, the venue must not record any information.
Check-In data must only be stored locally on the user’s device. The app must delete a Check-In permanently when 14
days have passed since the Check-In. iPhone backups do not include Check-In data, and users can view all Check-In
data in the app. The app must provide a way for the user to delete individual Check-Ins, as well as have an option to
delete all Check-In System data.
After a Check-In, with the user’s permission, their phone will periodically download cryptographically protected data
from the PHA’s server so that the PHA’s app can check whether a person at the venue around the same time as
someone who reports a positive test by uploading Check-In information, which might indicate a potential exposure.
Check-In Protected Reports
A PHA that supports the Check-In System can optionally allow users who have tested positive to share the Check-In
information stored on their devices.If a PHA offers this feature, anyone with a Check-In who receives a positive test
result for COVID-19 can choose to share their cryptographically protected Check-In information with the PHA’s server.
This allows other users to be notified when their device detects that they were at the venue around the same time as a
user who shared a positive test result.The app must not use or send any identifying information as part of this
process.
When a user with a previous Check-Intests positive and consents to sharing their information, the app generates a
Check-In Protected Reportfor any Check-In from the previous 14 days that the user selects. The Check-In Protected
Reports containa venue identifier along with relevant metadata, such as the approximate date and time of the user
Check-In, their calculated infectiousness, and their transmission risk level (TRL).With the user’s permission, the app
sends the selected Check-In Protected Reports to the PHA’s server.
To create a Check-In Protected Report, the app first creates a presence recordby applying a one-way cryptographic
function to the Check-In data, which must include the venue’s cryptographic seed received from the Check-In
Mechanism. The app requires the original cryptographic seed received from the Check-In Mechanism in order to
access the presence record. That requirement means that other devices that Check-In at that venue can link the
report back to the venue. The PHA and devices that didn’t Check-In at the venue don’t have the cryptographic seed
required tolink the report back to a venue or location.