Frequently asked questions

In-depth information on Savitas QR.

How does Savitas QR protect the privacy of its users?

An in-depth explanation of how Savitas QR manages to provide effective contact tracing without sacrificing user privacy. Worth the read if you are having doubts.

Well, it is actually not that difficult to explain. SAVITAS essentially builds on three pillars to preserve privacy:

  1. Our solution is active only when the user wants it to be: it requires a deliberate, conscious action by the user at every step and is technically barred from any background tracking;
  2. For every step we take, from scanning QR codes to reporting and sending alerts, we collect and process only the strictly minimal data needed, and that data is anonymous from the moment it is created;
  3. We rely as much as possible on local processing and storage on the user's phone, meaning that we send as little data to our servers as possible and let the user's device handle the most privacy-sensitive operations.

SAVITAS runs entirely in the user's web browser and requires no app to be installed on the user's phone. It cannot run in the background of the device; it only activates when the user scans a QR code or deliberately visits the SAVITAS website. That is also the only time it can tell you something, because it does not know your phone number or email address.

When a user chooses to scan a QR code, SAVITAS uses a well-known secure hashing function (*) to generate a unique string of characters derived only from the QR code and a time period. Nothing in this string relates to any characteristic of the user. Nonetheless, since such a string can still single out a user (for instance when nobody else scanned the same code in the same period), we ensure that it is kept only on the user's phone.

When a QR code is installed at a location, it is scanned for the very first time: the phone then takes its location information, hashes it into an abstract value that cannot be used to locate anyone, hashes the QR code as well, and uploads both values to the server. On every subsequent scan, those values are used to verify that the QR code has not been moved or copied, to avoid erroneous results and false conclusions.

The only time the unique strings are shared is when a user, after authorisation by a medical professional, decides that they should be shared to inform others. Our servers therefore only hold a list of strings, in no particular order, which tells us that at a certain place within a certain time period there was someone who tested positive for COVID-19. We do not know who. These lists are then sent (incrementally) to a user's phone whenever a QR code is scanned or the user visits our web page. The comparison of a user's own strings with the incoming "reported-positive" strings happens only on the user's phone. We have no way to obtain a user's strings unless that user decides to share them after testing positive.

As a consequence, if the outcome of the comparison brings up a match, ONLY the user will be informed as that information never leaves the phone.

As recommended by data protection authorities in Europe (**), we have chosen an approach which:

  • Is voluntary by giving users the complete freedom to decide whether or not to participate at every step of the way and whether or not they want their personal data to be processed at all;
  • Transparently identifies the roles and responsibilities of all stakeholders;
  • Minimises any personal data collection and use, doing so only when we can truly not avoid it;
  • Is secure by using strong encryption algorithms for all data collected, stored and transferred.

In short, our solution is built from the ground up with privacy in mind. We continuously perform assessments throughout the entire cycle of conception, development and roll-out, so that any privacy threat which may emerge is tackled as soon as it is detected.

Document produced in close cooperation with Timelex. Timelex, a leading European niche law firm in data protection and privacy and a member of SAVITAS' advisory board, provides the framework and guidelines to ensure that the privacy of all SAVITAS' users is preserved at all times. This includes, among other things, a formal Data Protection Impact Assessment.

(*) https://en.wikipedia.org/wiki/Hash_function

(**) EDPB Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, adopted on 21 April 2020: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042020-use-location-data-and-contact-tracing_nl.
