Status of This Document
This document is an incomplete draft. The sections that have been incorporated have been reviewed following the SafeTogether [Process]. However, the information in this document is still subject to change.You are invited to contribute any feedback, comments, or questions you might have.
Contributors
Many people contributed to this specification; here is an incomplete list (please contact editor to add your name in this list):
-
Andrea Carmignani
-
Enrico Fagnoni
-
Leonardo Longhi
-
Luca Merealli
-
Luciano Baresi
-
Michele D’Aliessi
-
Michele Mondora
-
Mohd Ehtesham Miah
-
Silvia Loffi
-
Stefano Quintarelli
-
Yassine Ouahidi
Many thanks to all contributors in GitHub
1. User Personas
This section descrbes the personas. A persona, is a fictional character created to represent a SafeTogether application user
1.1. Giovanni the physician
Details
Giovanni is 60 years old, he has been a physician for over 30 years so he knows his way around. Like many physitians Giovanni has been overwhelmed by the Covid-19 crisis seeing the effect it had on the population with visists from his patients decreasing and calls going the other way. Giovanni owns a private studio and he also works in a hospital.
Goals
As a physician Giovanni wants to help as many people as possible, even if this means providing health care remotely.
Values and Fear
He values technology as a useful tool in everyday life but he prefers a more human touch when it comes to treating people.
1.2. Marco the Volunteer
Details
Marco is 34, he’s a general adult with a strong civic sense. He knows how to use a smartphone, but technology isn’t really his thing.
Goals
Marco would like to help his local community, specially provide care to fragile people. He is looking for the fastest and simplest way to achieve this goal.
Values and Fear
Marco cares about privacy in general and doesn’t want to be tracked or share his data with any large government or corporation
He is afraid of:
-
Getting sick
-
Carrying the virus to the fragile people he is helping
-
Being tracked and observed in his daily life
-
Not knowing how to use the application properly
1.3. Walter the Civil Defence
Details
Walter is 51, he works with the Civil Defence forces and he is in charge of coordinating volunteering efforts in a large province with a population of 1.2M people.
Goals
Walter wants to leverage all existing resources to mitigate the damages of the current epidemic. Supporting all those in need with essentials and protective equipment. He needs to recruit the most immune volunteers possible to serve the local population.
Values and Fear
He fears to unknowingly spread the virus while trying to mitigate its damages. While he values privacy, he needs technological aid to gain visibility and make quick decisions.
1.4. Franca the Fragile Person
Details
Franca is 72, already home-bound due to the government directions to the elderly. She’s getting essentials delivered at home by either supermarkets or volunteers. Living alone, with no family within her city she needs external support to survive.
Goals
Survive. She needs to rely on low-tech communication, not having a computer and having only limited experience on how to use her smartphone.
Values and Fear
Franca fears to be “left behind” and to have little means to request help and support.
1.5. Aleksandra the lorry driver
Details
Aleksandra is 39, she is from Poland. She drives a lorry for work. Sometimes she has to travel across countries to deliver goods.
Goals
Aleksandra’s goal is to get back to “business as usual" as soon as possible. Her family depends on her.
Values and Fear
She fears that she might lose her job in case travel across Europe is restricted.
Some countries may deny her access, even though she could be immune and therefore not a threat.
2. User state
There are four core user state that MUST be considered inside SafeTogether application :
- U (unknown)
-
the state Unknown says that the system knows nothing about citizen health status.
- Q (quarantined)
-
the state Quarantined (at home) means that the outcome of a swab test was positive, and the citizen is now quarantined.
- S (suspended)
-
if the citizen is hospitalized, the quarantine Suspended
- I (immune)
-
when the patient is not hill and antybodies test are positive (i.e. he/she recovers from Covid-19) becomes Immune
This diagram summarizes the state transition diagram for a citizen can go through while part of the SafeTogether system.
application state:
SafeTogether applications MAY introduce some additional application state as generalization or as specialization of the four core user state, for example :
-
a SafeTogether application MAY consider the additional state positive (P) defined as the union of quarantined and suspended state.
-
some SafeTogether stories MAY consider the additional state pending (D) to qualify the "Unknown" state after the execution of a medical test but before the test result. For SafeTogether purposes the Pending virtual state MUST be considered equivalent to the Unknown state.
This diagram shows an example of a more complex design of application state that can be assumed in some stories about volunteers:
In previous diagram Volunteer can be defined as a specialization of the Immune state, Autenticated a specialization of "Volunteer and Fraudolent a specialization of Autenticated
3. Privacy and rights requirements
- Citizens MUST have view only rights on their state
-
citizens can view their status but they are not allowed to change it.
- Institutional Forces (Police, etc) – MAY have view only rights citizen’s state
-
Policeman who needs to check circulation rights and citizen status to regulate and enforce government directives.
- Sanitary Personnel (Doctors, Pharmacists, Nurses, etc) – MAY* have view and edit right
-
Sanitary Personnel is the only person who can digitally sign the report on the patient’s state of health.
In the case of immunities, he is the only person who can decide the period of validity and its revocation.
Citizens that have recovered, are immune and want to help during the crisis.
- Immune volunteers *MUST authenticate
-
they MUST be digitally identified to be part of a Shielding program. They SHOULD provide geographic position when operates for the program.
they MUST provide to authorized people their immunity credentials in order to accept a Shielding task.
like other citizen they have view only rights
- Legally quarantined people *MUST authenticate
-
they MUST provide a strong biometric authentication to quarantine system and They MUST provide to the aothority their geographic position.
4. Stories cross index
Here is a cross-reference index between stories and application domains:
Tracing*:
Tracing apps are a well known reality, you can find lot of user stories in the internet.
About the user journey and use cases we suggest to use as reference the article This Is What a Contact Tracing App Could Look Like written by Jelle Prins.
Quarantine:
-
§ 5.2 US02 - Marco Confirms His Location -- Enforce Quarantine,
-
§ 5.3 US03 - Marco Goes to the Hospital -- Suspend Quarantine,
-
§ 5.4 US04 - Marco Goes Back Home from the Hospital -- Restore Quarantine,
-
§ 5.5 US05 - Marco Recovers while at the Hospital -- Immune,
Shielding:
Self-certification :
5. User stories
This section describes some paradigmatic stakeholder journeys (story)
5.1. US01: Marco is positive to the Swab Test
Actors:
Preconditions:
Marco’s state is unknown
Postcondition:
Marco’s state is quarantined.
Story:
Marco visits Giovanni, who runs a Swab test on him (the result will be available in a few days depending on the test). The Swap test is positive, so Giovanni calls Marco instructs him to go home immediately and asking him to install the Mobile App
The Mobile App requests Marco to show his face, then he is enrolled in the system. The app also creates a unique COC_ID, which is associated with Marco’s information.
Giovanni registers Marco in the sanitary system which sends an email to Marco; the email contains a QR-code.
Note: QR-code could be substituted by a smart notification to Marco’s smart-phone.
Marco scans the QR-code using his phone then he authenticates himself to complete the registration.
At this point, the Mobile App shows a single-button interface that, when pressed, records the current location and sets it as a possible quarantine location (depending on the test result).
After a predetermined amount of time (e.g., one hour) the Mobile App reminds Marco to press the button. Once at home Marco opens the Mobile App and presses the button. The mobile app shows a confirmation prompt, and then authenticates Marco using his face. This saves the current location in the app, and completes the enrollment process.
After some time, the result of the test is back. Giovanni enters the result in the operator app, which also notifies Marco’s Mobile App, as well as the authorities.
5.2. US02 - Marco Confirms His Location -- Enforce Quarantine
Actors:
Preconditions:
Marco’s state is quarantined.
Story:
Marco receives a notification on the Mobile App that requires him to confirm his location. He taps on the notification, which brings him into the Mobile App. The Mobile App asks him to authenticate using his face and checks that his current location is close to the location that was selected to complete the enrollment. The result of this check is reported to the authorities.
If Marco does not respond to the notification in a timely manner (e.g., within 3 minutes), the Mobile App notifies him again. After a predetermined number of unanswered notifications (say 2), the Mobile App notifies the authorities.
The Mobile App periodically polls Marco’s phone location. If the phone is outside of the designated quarantine area, it notifies Marco as well as the authorities.
5.3. US03 - Marco Goes to the Hospital -- Suspend Quarantine
Actors:
Preconditions:
Marco’s state is quarantined.
Postconditions:
Marco’s state is suspended.
Story:
Marco feels sick and calls an ambulance. He is taken to the hospital. At the hospital, an operator markes Marco’s state on the backend as suspended. This dismisses any pending notification received by Marco’s Mobile App in the last 1-2 hours, and suspends the quarantine until further notice.
5.4. US04 - Marco Goes Back Home from the Hospital -- Restore Quarantine
Actors:
Preconditions:
Marco’s state is suspended
Postconditions:
Marco’s state is quarantined.
Story:
Marco is still sick, but he no longer needs hospital care. On hospital discharge, an operator make Marco’s state on as quarantined again. At this point, Marco has a predetermined amount of time (say, 2 hours) to go home. After the predetermined amount of time, Marco receives a notification, which asks him to authenticate as described in § 5.2 US02 - Marco Confirms His Location -- Enforce Quarantine.
5.5. US05 - Marco Recovers while at the Hospital -- Immune
Actors:
Preconditions:
Marco’s state is suspended
Postconditions:
Marco’s state is negative.
Story:
Marco is now healthy. On hospital discharge, an operator make Marco’s state in the backend as negative. The mobile app no longer receives notifications and no longer checks Marco’s location.
5.6. US06 - Marco Dies while at the Hospital -- Immune
Actors:
Preconditions:
Marco’s state is suspended
Postconditions:
Marco is removed from the quarantine system
Story:
Marco dies at the hospital. An operator enters Marco’s codice fiscale into and remove him from the system. The mobile app no longer receives notifications and no longer checks Marco’s location.
5.7. US07 - Marco is Removed from Quarantine -- Recovery
Actors:
Preconditions:
Marco’s state is quarantined
Postconditions:
Marco’s state is unknown
Story:
Marco’s quarantine is over, and he has recovered. The app notifies Marco that his state is now negative.
5.8. US08 - Proof of Immunity
Actors:
Preconditions:
Marco’s state is immune
Story:
Marco is asked by Walter to prove that his state is immune. Walter sends an immunity request to Marco . Marco recives a notification on his smartphone, he opens the Mobile App, he authenticates and he responds to the request prooving his immunity. Walter’s app verifies Marco’s proof (including the expiration date if the immunity has an expiration date).
5.9. US09 - Marco Volunteers to Join Shielding Program
Actors:
Preconditions:
Marco’s state is immune
Story:
Marco goes to Walter at the civil defence and volunteers to join the shielding program for at-risk individuals support. Marco proves that he is immune as described in § 5.8 US08 - Proof of Immunity. Walter registers Marco’s information, including his COC_ID and photo, to protezione civile’s system. Protezione civile’s system creates a volunteers certificate and sends it to Marco’s, that saves it on the his certificate wallet on the smarphone.
5.10. US10 - Marco’s Immunity Expires
Actors:
Preconditions:
Marco’s state is immune and an official volonteer
** Post-condition:**
Marco’s state is unknown
Story:
The Mobile App notifies Marco that his certification has expired. His state is now unknown and his volonteer can no longer be carried out.
5.11. US11 - Marco has a relapse from the illness
Actors:
Preconditions:
Marco state is immune.
** Post-condition:**
Marco state is quarantined.
Story:
Marco feels sick again, and goes to Giovanni who made a new swab-test.
The test is positive, Giovanni updates Marco’s state to quarantined - thus revoking Marco’s immunity certification.
5.12. US12 - Marco Visits Franca.
Actors:
Preconditions:
Marco’s state is immune and he is an official volonteer.
Story:
Walter asks for Marco to bring Franca some medicines asking him for his volunteer and immunity certificate. Marco with his Mobile App sends his certificates to Walter for approval. Walter then sends an autentication code to Marco. Marco knocks on Franca’s door, who asks him to identify himself. Marco authenticates with the code. Franca calls the civil defence call center to check the truthfulness of the code. After that Franca can trust him and open the door otherwise she won’t open the door.
5.13. US13 - Antibodies test
Actors:
Conditions:
Preconditions:
Marco’s state is unknown
Postconditions:
Marco’s state is immune
Story:
Marco goes to Giovanni in order to perform an antibodies test because he want to be a certified Shielding Voluntary.
If the result is negative (doesn’t have the antibodies), Marco’s state is unaltered and he does not obtain the certification. If the test is positive (does have the antibodies), Marcoask to Giovanni a cartification to participate to the Shielding program. Giovanni via sanitary system generates an immunity certification for Marco.
Giovanni asks Marco to install and enroll in a credential application. Marco is recieves a notification on his smarphone which enable the certificate transmission to his digital wallet.
Note: the certificate transmission could be initiated also by scanning a QR-code printed on the paper certificate.
Note: this story could very similar to the case where Marco is immune because of the vaccine. See similar use case in covidcreds.com workstream https://docs.google.com/document/d/1anv0qiqYJXypyprX7qbolVgJrA18QHZ8BQjBLBpIAcY
5.14. US14 - Marco is a bad person
Actors:
Conditions:
Preconditions:
Marco has an immunity certification and he is an official volonteer
Story:
When Marco goes to Franca he robs her. Franca reports the crime to the cops.
The policeman asks Walter to revoke Marco’s volunteer status.
5.15. US15 - Aleksandra crosses the italian border
Actors:
Conditions:
Preconditions:
Aleksandra’s state is unknown.
Postcondition
Aleksandra’s state is immune.
Story:
Following her bosse’s advice Aleksandra takes the immunity test and obtains an immunity certification. Now she can cross the Italian boarder. At the border she authenticates herself using the user application by showing the associated QRcode. The authorities grant her access after verifying her immunity status.
5.16. US16 - Marco goes to pharmacy or to the shopping center
Actors:
Conditions:
Preconditions: Marco’s state is unknown. Marco’s wants to avoid gathering of people.
Postcondition Marco’s state is unchanged and didnt meet anyone.
Story: Marco needs to go out, and exit his safe zone, to shop for foods and medicals. In accordance with the Italian law, he must exibit the self-certification document to state the need of exiting the safe zone. Using his app, Marco chooses his destination and the time he plans to get there. The app shows how many people declared to go in that place at the same time, so that Marco can choose whether to go or to change his plans. Marco confirms he will go there. The app thus produces the documentation (pdf) to be printed out and shown to the police once outside.