Europe for Privacy-Preserving Pandemic Protection (E4P); High level requirements for pandemic contact tracing systems using mobile devices

DGS/E4P-003

General Information

Status: Not Published
Current Stage: 12 - Completion
Due Date: 13-Apr-2021
Completion Date: 06-Apr-2021
Ref Project
Standard
ETSI GS E4P 003 V1.1.1 (2021-04) - Europe for Privacy-Preserving Pandemic Protection (E4P); High level requirements for pandemic contact tracing systems using mobile devices
English language
16 pages

Standards Content (Sample)


GROUP SPECIFICATION
Europe for Privacy-Preserving Pandemic Protection (E4P);
High level requirements for pandemic contact tracing
systems using mobile devices
Disclaimer
The present document has been produced and approved by the Europe for Privacy-Preserving Pandemic Protection ETSI
Industry Specification Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.

2 ETSI GS E4P 003 V1.1.1 (2021-04)

Reference
DGS/E4P-003
Keywords
covid, eHealth, emergency services, identity,
mobility, pandemic, privacy, security, smartphone

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2021.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.

3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners.
GSM® and the GSM logo are trademarks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
Introduction . 4
1 Scope . 5
2 References . 5
2.1 Normative references . 5
2.2 Informative references . 5
3 Definition of terms, symbols and abbreviations . 5
3.1 Terms . 5
3.2 Symbols . 6
3.3 Abbreviations . 6
4 General description . 6
4.1 Introduction . 6
4.2 Objectives . 6
4.3 A Digital Contact Tracing System . 6
5 High level requirements . 8
5.1 General . 8
5.2 Usability - User experience . 9
5.3 Mobile Device . 9
5.4 Mobile Application . 9
5.5 Infrastructure . 11
5.6 Security . 11
5.7 Privacy . 13
5.8 Interoperability . 14
Annex A (informative): Bibliography . 15
History . 16

Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Europe for
Privacy-Preserving Pandemic Protection (E4P).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
The COVID-19 pandemic has generated significant challenges for many countries and their citizens and showed that
digital technologies could play an important role in addressing this pandemic and future pandemics. Various
applications, services and systems for contact tracing (identification and notification of those who come in contact with
a carrier) have been developed in different regions.
Despite the similar goal of automated detection of COVID-19 exposure as a complementary solution to manual tracing
(interviews with people diagnosed with COVID-19 to track down their recent contacts), their functionality, technology,
scale, required data and limitations are different and may not interoperate.
These systems are currently deployed in many different countries. In particular, mobile devices running contact
tracing applications can support public health authorities in controlling and containing the pandemic. E4P has been
created to provide a technical answer to pandemic crises, not limited to COVID-19, by specifying interoperable contact
tracing systems.
1 Scope
The present document specifies the high level requirements for digital contact tracing systems operating by proximity
detection using mobile devices, which are practical to deploy, compliant with the applicable laws and regulations, and
provide seamless continuity of pandemic contact tracing for people travelling between countries.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
https://docbox.etsi.org/Reference/.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] ETSI EN 301 549 (V3.1.1): "Accessibility requirements for ICT products and services".
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] CEN/ISO 82304-2: "Quality Requirements Conformity Assessment".
[i.2] ETSI GS E4P 006 (V1.1.1): "Europe for Privacy-Preserving Pandemic Protection (E4P);
Device-Based Mechanisms for pandemic contact tracing systems".
[i.3] ETSI GS E4P 008 (V1.1.1): "Europe for Privacy-Preserving Pandemic Protection (E4P);
Back-End mechanisms for pandemic contact tracing systems".
[i.4] ETSI GS E4P 007: "Europe for Privacy-Preserving Pandemic Protection (E4P); Pandemic
proximity tracing systems: Interoperability framework".
3 Definition of terms, symbols and abbreviations
3.1 Terms
Void.
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
CSIRT Computer Security Incident Response Team
DCTS Digital Contact Tracing System
ECDC European Centre for Disease prevention and Control
EU European Union
GDPR General Data Protection Regulation
PII Personally Identifiable Information
QR Quick Response (code)
RFID Radio Frequency IDentification
UX User experience
WHO World Health Organization
4 General description
4.1 Introduction
A Digital Contact Tracing System (DCTS) is a system that, in the context of an epidemic, aims to warn its users that
they have been in contact with users who have been diagnosed with the disease.
To facilitate the development and deployment of contact tracing systems that are efficient (i.e. have a real impact in
fighting a pandemic), interoperable and trusted by their users, such systems need to be built on well-defined functional
and legal requirements. The aim of the present document is to provide a set of such well-founded high-level requirements.
The requirements in the present document take privacy concerns strongly into consideration. Note that the relevant
requirements need to be complemented by the applicable legislation of the country where the DCTS is deployed
(legislation such as the GDPR in the EU). The present document covers DCTS using proximity detection with mobile
phones. These are the majority of DCTS in use or in development at the time of writing of the present
document. Some systems feature components such as token devices (electronic devices with limited capacity for
communication and/or computation). Proposals have also been made for systems using elements communicating
information from fixed locations (for example the entrance of rooms, shops, buildings or other facilities) or linked to
objects (for example via RFID tags). Depending on their adoption, such more complex systems may be taken into
account in a future version of the present document.
4.2 Objectives
The present document provides high level requirements for DCTS. The requirements are directed to entities that
commission, design, implement, maintain in operational conditions, operate, monitor and supervise a digital contact
tracing system.
4.3 A Digital Contact Tracing System
This clause describes a high level reference architecture of a DCTS using proximity detection which is further defined
in the respective entities of the reference architecture in ETSI GS E4P 006 [i.2] and ETSI GS E4P 008 [i.3].
In the sequel, diagnosed means diagnosed with the disease that is the subject of the epidemic.
The main purpose of a DCTS is to warn its users when they were in contact with users that have been diagnosed.
In a high level description of a DCTS the essential elements are described as below.
User (U): the "User (U)" in the E4P reference architecture, interacting with the "Device (D)" via the interface
represented by the reference point DU. The User is at risk when the DCTS determines that the User was in relevant
proximity with a diagnosed user.
Mobile Device: "Device (D)" is responsible for providing the proximity information (stored as proximity data) obtained
from the Proximity Detection Method, by communicating with other Mobile Devices and, via the Mobile Application,
with the Infrastructure. The Mobile Device supports the User's interaction with the DCTS.
Mobile Application: software running on the Mobile Device, responsible for registering and managing proximity
information, communicating with the Infrastructure, alerting the User that they were in close proximity with a diagnosed
user (through a process called risk calculation) and notifying the Infrastructure that the User was diagnosed. It is a
functional module inside the Mobile Device that is not represented in the reference architecture but is refined in ETSI
GS E4P 006 [i.2].
Note that Mobile Application includes the software dedicated to these tasks irrespective of whether it is part of an
application downloaded by the User or not (for example as included in the operating system of the Mobile Device).
Infrastructure: provides authoritative and trusted information to the Mobile Device. The main role of the Infrastructure
is information sharing between Users via the Mobile Devices and Mobile Applications. Each Mobile Application is
linked to an Infrastructure.
Federation: provides the means to interconnect (exchange information between) different Infrastructures, through a
Federation Protocol (represented as the reference point BF), to provide interoperability of the different DCTS, in the
sense of the full continuity of the proximity information and risk calculation and notification.
Proximity Detection Method: the method used by Mobile Devices for detecting proximity with other Mobile Devices
(represented as the reference point DD). The Proximity Detection Method uses ephemeral identifiers that are broadcast
by the Mobile Devices.
Contact Tracing Protocol: the protocol between Mobile Devices and the Infrastructure, used by the Mobile Application
(represented by the reference point DB).
Federation Protocol: a protocol used to exchange information between different Infrastructures (represented by the
reference point BF).
Health Authority: the authority overseeing the DCTS and endorsing the Mobile Application, the Infrastructure and the
risk calculation method. The Health Authority is responsible for certifying the diagnosis of a User. The diagnosis is
provided via a proxy e.g. a physician or a medical laboratory and typically entered in the Mobile Application by the
User via e.g. scanning a QR code (represented as External Systems, out of the scope of the present document, with
reference point BE).
Usually a country operates one DCTS, but nothing prevents a DCTS from being used in several countries, or a country
from using more than one DCTS.
Current DCTS are classified as centralized or decentralized.
Centralized systems are systems where the Mobile Application uploads identifiers of the relevant contacts of the User
(as obtained by the Proximity Detection Method and risk calculation) to the Infrastructure when the User is diagnosed.
Decentralized systems are systems where the Mobile Application uploads the identifiers it used (its own identifiers,
generated as part of the Proximity Detection Method) to the Infrastructu
...
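The two upload models of clause 4.3, together with the ephemeral identifiers that the Proximity Detection Method broadcasts over reference point DD, are easiest to compare in running code. The block below is an added illustration written for this page; it is not E4P's protocol and not code from ETSI GS E4P 006 or 008. Everything beyond the clause 4.3 vocabulary is an assumption: each device keeps one random secret per day, ephemeral identifiers (EphIDs) are derived from it with HMAC-SHA256 and rotated every 15 minutes, the Device and Infrastructure class names are invented, and the scenario (Alice meets Bob, Alice is later diagnosed) is constructed.

```python
"""Toy simulation of the centralized and decentralized DCTS models of clause 4.3.

Added illustration, not E4P's protocol. Assumptions: each device keeps one random
secret per day, ephemeral identifiers (EphIDs) are derived from it with
HMAC-SHA256 and rotated every EPOCH_MINUTES, and the upload shapes are made up.
"""
import hashlib
import hmac
import os
from collections import defaultdict

EPOCH_MINUTES = 15                      # assumed EphID rotation interval
EPOCHS_PER_DAY = 24 * 60 // EPOCH_MINUTES
EPHID_LEN = 16                          # assumed size of the broadcast identifier


def ephemeral_id(day_key, epoch):
    """EphID broadcast during one epoch; not linkable across epochs without day_key."""
    return hmac.new(day_key, epoch.to_bytes(4, "big"), hashlib.sha256).digest()[:EPHID_LEN]


class Device:
    """Mobile Device plus Mobile Application: broadcasts EphIDs, records EphIDs it hears."""

    def __init__(self, name):
        self.name = name
        self.day_keys = {}       # day -> secret; leaves the device only on diagnosis
        self.observed = set()    # proximity data: (day, EphID) heard over reference point DD

    def broadcast(self, day, epoch):
        key = self.day_keys.setdefault(day, os.urandom(32))
        return ephemeral_id(key, epoch)

    def hear(self, day, ephid):
        self.observed.add((day, ephid))

    def risk_calculation(self, published_keys):
        """Decentralized model: re-derive diagnosed users' EphIDs and match locally."""
        return any((day, ephemeral_id(key, epoch)) in self.observed
                   for day, key in published_keys
                   for epoch in range(EPOCHS_PER_DAY))


class DecentralizedInfrastructure:
    """Stores only what diagnosed users broadcast themselves; never sees who met whom."""

    def __init__(self):
        self.published = []      # (day, day_key) of diagnosed users, downloaded by everyone

    def register(self, device):
        pass                     # nothing to register: identifiers are generated on-device

    def report_diagnosis(self, device):
        self.published.extend(device.day_keys.items())     # "its own identifiers"

    def at_risk(self, device):
        return device.risk_calculation(self.published)


class CentralizedInfrastructure:
    """Knows which user owns each EphID, so uploaded contact lists resolve to users."""

    def __init__(self):
        self.owner = {}                          # (day, EphID) -> user
        self.at_risk_users = set()
        self.contact_graph = defaultdict(set)    # learned as a side effect of matching

    def register(self, device):
        for day, key in device.day_keys.items():
            for epoch in range(EPOCHS_PER_DAY):
                self.owner[(day, ephemeral_id(key, epoch))] = device.name

    def report_diagnosis(self, device):
        for day, ephid in device.observed:       # "identifiers of the relevant contacts"
            contact = self.owner.get((day, ephid))
            if contact is not None:
                self.at_risk_users.add(contact)
                self.contact_graph[device.name].add(contact)

    def at_risk(self, device):
        return device.name in self.at_risk_users


def simulate(infrastructure_class):
    """Constructed scenario: Alice and Bob meet on day 100, epoch 8; Carol meets nobody.
    Alice is later diagnosed. Returns per-user risk flags and the Infrastructure."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    day, epoch = 100, 8
    bob.hear(day, alice.broadcast(day, epoch))
    alice.hear(day, bob.broadcast(day, epoch))
    carol.broadcast(day, epoch)                  # nobody in range to hear it
    infra = infrastructure_class()
    for device in (alice, bob, carol):
        infra.register(device)                   # only meaningful in the centralized model
    infra.report_diagnosis(alice)                # real systems gate this on a Health Authority certificate
    return {d.name: infra.at_risk(d) for d in (alice, bob, carol)}, infra


if __name__ == "__main__":
    for model in (DecentralizedInfrastructure, CentralizedInfrastructure):
        flags, infra = simulate(model)
        print(model.__name__, flags, getattr(infra, "contact_graph", "no contact graph"))
```

With either Infrastructure, `simulate()` flags Bob and nobody else; the difference is what the Infrastructure learns. The centralized server must map the diagnosed user's uploaded contact EphIDs back to users, so it ends up holding a `contact_graph`, whereas the decentralized server only stores the diagnosed user's own keys and risk calculation stays on the device. Two things the toy omits that a real DCTS needs: `report_diagnosis` accepts any upload, while clause 4.3 has the Health Authority certify the diagnosis (for example via a QR code) precisely so that an unauthenticated client cannot flood users with false exposure alerts; and publishing all of a user's day keys is more than necessary, so deployments restrict the upload to the infectious window.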
