Examine the suitability of existing standards and methodologies for privacy

[tomworthington]

Describe the problem, gap or error in the framework The paper would be improved by first examining the suitability of existing standards and methodologies for assessing, or assuring, privacy of systems. I suspect there is no need to make up a new methodology just for contact tracing systems. But even if there is the existing ones need to be looked at first.

Describe alternatives you've considered Professor Troncoso's team at EPFL seem to have a reasonable approach with "Decentralized Privacy-Preserving Proximity Tracing"

Additional context The work of organizations, such as the Sahana Foundation for Disaster Management Systems, might have something useful to contribute.

[ellenbroad]

Hi @tomworthington thank you for your comment. We were really mindful that what we were trying to do with SOAP was not simply to assure the privacy of a system, but to consider a broader set of considerations alongside it - whether it was fit for purpose (for contact tracing); whether mechanisms existed to make sure it was working as intended; whether it was vulnerable to fraud or misuse. We hadn't seen frameworks looking at these broader elements alongside privacy - if you have seen some, please do share them! We would be keen to map against them. Specifically on privacy, we're keen to draw on the principles here in the next version. We have hesitated to e.g. prescribe decentralised solutions as a criteria for all contact tracing technologies, as we anticipate this will be somewhat context and use specific. Thank you for the link to the Sahana Foundation, we will check them out.