Cwa-documentation: Privacy Notice TeleTAN term different to app usage

Where to find the issue

Privacy notice 16 December 2020 for app version 1.10 and later
1 March 2021, version 1.13
Last amended: 24 March 2021, version 1.15

https://www.coronawarn.app/assets/documents/cwa-privacy-notice-en.pdf (English)
https://www.coronawarn.app/assets/documents/cwa-privacy-notice-de.pdf (German)

6. Why is your data processed?

b. Retrieving a test result

Retrieval of the test result

"If you have tested positive for coronavirus, the app uses the token again to request a TAN
(transaction number) from the server system. The TAN is required to ensure that no false
warnings are transmitted to other users. For this purpose, the server system reassigns the
token to the hashed code number and requests confirmation from the test result database that
a positive test result really does exist for the hashed code number. If this is confirmed, the
server system generates the TAN and transmits it to the app. A copy of the TAN remains on
the server system"

c. Warning others

If you have not retrieved your test result in the app:

"Even if you have not retrieved your positive test result via the app, you can still warn fellow
users. To do this, select the “Request TAN” procedure. The app will then prompt you to call
the app hotline. A hotline worker will then ask you a few questions to make sure that you really
have tested positive for coronavirus. This is to prevent false warnings being transmitted, either
by accident or intentionally. Once you have answered these questions sufficiently, you will be
asked for your mobile/telephone number and your name. This is so that you can be called back
later and given what’s called a TeleTAN to enter in the app. Your mobile/telephone number
and your name will be temporarily stored for this purpose only and deleted after an hour at the
latest. Immediately after your call, the hotline worker will generate a unique TeleTAN via a
special access to the server system and then call you back to tell you this TeleTAN. A TeleTAN
is only valid for one hour and will therefore be deleted no later than one hour after it has been
passed on to you. After a valid TeleTAN is entered in the app, it is transmitted to the server
system. The TeleTAN thus makes it possible to check that a positive test result really does
exist and thus prevent false alarms. The app then receives a token from the server system, as
it does after a valid QR code is scanned (see “Retrieving a test result” in Section 6 b. above)."

Describe the issue

The term "TeleTAN" in the Privacy Notice refers to the "TAN" in the app.
The term "TAN" in the Privacy Notice however does not correspond to the "TAN" in the app, therefore the use of these terms is confused.

The Privacy Notice uses the term "TeleTAN" to refer to a 10-digit TAN which can be entered into the app by the user. It distinguishes the term "TeleTAN" from the term "TAN". In the Privacy Notice, Section 6, b, "TAN" refers to the internal transaction number which is transmitted from a server to the app. The "TeleTAN" on the other hand is transmitted by phone to the user and then back to the server.

Since the user interface of the app only uses the term "TAN" in visible text it is confusing for the Privacy Notice to refer to this object as "TeleTAN", whilst referring to another object, with a different purpose, as a "TAN".

The table Core Entities from the Verification Server - Architecture Overview explains the terms TAN and teleTAN.

|Entity| Definition|
| ------------- |:-------------:|
|TAN| Is a proof that the user has a SARS-CoV-2 Test with status positive. Depending on the context the TAN has a different length. Has a default length of 128 Bit. |
|teleTAN| Is a subtype of TAN with reduced length and lifetime. This TAN is handed over via phone and contains only uppercase letters and numbers, excluding 0,O and I,1,L. Length of teleTAN is 9 characters, plus 1 check character. The lifetime of a teleTAN is 1h. |

Suggested change

The Privacy Notice and the app should be consistent in their use of terms. If the use of the term "TAN" in the app is not changed, then the Privacy Notice should also refer to this as "TAN", instead of "TeleTAN".

The other use of the term "TAN" in the Privacy Notice could for instance be changed to something like "internal TAN" to distinguish it from a "TeleTAN".

Alternatively the Privacy Notice could explain about the difference between the two TANs and about the differing use of terms.

Edit: Updated with for Privacy Notice 1 March 2021, version 1.13 and copied text from 6b. into issue.

Internal Tracking ID: EXPOSUREAPP-4708