Hello,

thanks, Cedric, for the diagram. This matches pretty much our mental image of the system. Our only concern is that calling the bottom box Backwards tracing may be misleading as we do not do that in the epidemiological sense. We so far proposed "Presence Tracing", but we don't have a strong opinion.

Then, our reflection from yesterday's meeting is that this system's requirements are moving too fast. In the last 3 days the purposes of the system have expanded ("crept"):
- We started with a *notification* system: CrowdNotifier, whose only goal was to be able to tell patrons that they were at a "contagious" venue
- Then, we added the *contagious venue identification* purpose. The goal is to support contact tracers to efficiently find these venues so that they do not become a bottleneck.
- Yesterday, we added the *notified-users' data collection* purpose. The goal, still not very clear to us, seems to be to support contact tracers (or hotline operators?) in collecting data from notified users and (or?) to facilitate the issuing of quarantine certificates.

While we can see that each of the added purposes could be of interest, these moving targets make it very hard for us to do our privacy engineering job. We cannot follow the data minimization and purpose limitation principles, let alone argue for the proportionality of the system. The problem is not only that we are not clear about the goals, but also about their motivation. Because we don't know exactly which problem we are solving (yes, "increase productivity", but we really do not know what the bottlenecks are), we can't really come up with minimal-data, purpose-limited solutions. And because we also don't know the magnitude of the problem that each design element solves, it is hard to assess proportionality (data collected & risk of creep vs. overall sociotechnical gain).

Here are some questions that we would like to have the answer to in order to be able to do our privacy engineering exercise and propose solutions:
 * Which problems does this system aim to solve? (E.g., for identifying contagious venues, is counting infections the right metric? Is this even what epidemiologists would recommend? What can cantonal doctors / BAG agree is the best way forward?)
 * Are these the best problems to solve? (E.g., are these the bottlenecks that prevent the overall system from working? Are there other problems that, if solved, get you 80% of the way there at 20% of the cost/effort/privacy impact?) Even if we do not build those, this comparison is essential to understand and defend what we are building.
 * Is technology the right way to solve this problem? Are there other approaches that get you 80% of the way there at 20% of the cost/effort/privacy impact? (E.g., maybe we need a publicity campaign, to hire more people, to ease legal/administrative processes, or to wait 2 weeks for the problem to go away :P )
 
These questions are also very important for us to write up the narrative to back up the system and explain it to the public.
 
We would be very happy to engage in discussions to better understand the questions above, and also to meet with the relevant parties to help tease out which problems to solve.

Wouter and Carmela