Cwa-documentation: Missing Documentation of Rapid Antigen Test Implementation - Questions regarding security

Created on 16 Apr 2021 · 6 comments · Source: corona-warn-app/cwa-documentation

Missing Documentation of Rapid Antigen Test (RAT) Implementation

Work on implementing Rapid Antigen Tests into CWA has begun: a RAT portal (for testing staff?) and the connected RAT server backend have been published on GH, and app coding (at least for Android; I didn't look at iOS) has started.

Unfortunately there is no documentation at all about this new feature yet.
When do you plan to publish such documentation for assessing the technical and security implications, similar to the Event Registration (= presence tracing) documentation?

Security Related Questions

For now I have only questions with regard to the data embedded into the generated QR code.
From a short code review, I assume the following workflow with associated tech specs (which may well be far from the actually planned implementation):

  1. The testee visits the testing location, performs the test and provides personal data: first name, last name, date of birth, sex, full address, e-mail, phone number, and consent to process the personal data, as can be found here:
    https://github.com/corona-warn-app/cwa-quick-test-frontend/blob/f95b94b1e1e852f29b2c7f9904fdf6a0b7d3258d/src/api.tsx#L75-L89
  2. The testing staff registers the test into the RAT portal (cwa-quick-test-frontend), entering testee's personal data (and also the test result?).
  3. The test also receives a timestamp, a test ID, a salt, and a hash, a test status, and probably more data.
  4. A certain amount of this data is stored on the backend server (I didn't look into the code yet, but at least the timestamp, the test ID, and a SHA-256 hash of at least parts of the registered data seem to be necessary).
  5. A QR code is generated, embedding a URI (for fetching the result/verification?) with base64-encoded data, containing timestamp, test ID, hash, testee's name and date of birth, that can later be extracted by CWA, see: https://github.com/corona-warn-app/cwa-app-android/blob/42c0907f68b9a47c290587f0b0e08a4005262638/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/coronatest/qrcode/RapidAntigenQrCodeExtractor.kt#L21-L30
    A current sample URI can be found here: https://github.com/corona-warn-app/cwa-app-android/blob/feature/6031-extract-data/Corona-Warn-App/src/test/java/de/rki/coronawarnapp/coronatest/qrcode/TestQrCodes.kt
    QR code no. 3's URI is:
    [...]s.coronawarn.app/?v=1#eyJ0aW1lc3RhbXAiOjE2MTg1NjM3ODIsInNhbHQiOiI1QTI3M0REREJCQTFEMkFDQUEzN0ExMDg4NjhGNkIwMjM3NjQzRjhBNjdCQTNENkQ3RUE3RkREQ0M0RDJGMjBEIiwidGVzdElkIjoiMGQ5ZTg0MzItZWI5MS00YzhmLTgyYWYtNWEwMWZiMWI2NzYwIiwiaGFzaCI6IjdiMWMwNjNlODgzMDYzZjhjMzNmZmFhMjU2YWRlZDUwNmFmZDkwN2Y3NDQ2MTQzYjNkYTBmOTM4YTIxOTY3YTkiLCJmbiI6IkFsbWEiLCJsbiI6IkhheWVzIiwiZG9iIjoiMTk2Mi0wMS0wOCJ9
    whereas the payload decodes to
    {"timestamp":1618563782,
     "salt":"5A273DDDBBA1D2ACAA37A108868F6B0237643F8A67BA3D6D7EA7FDDCC4D2F20D",
     "testId":"0d9e8432-eb91-4c8f-82af-5a01fb1b6760",
     "hash":"7b1c063e883063f8c33ffaa256aded506afd907f7446143b3da0f938a21967a9",
     "fn":"Alma",
     "ln":"Hayes",
     "dob":"1962-01-08"}
  6. The QR code is possibly printed out by the testing staff and registered inside CWA by the testee.
  7. CWA receives the test result later.

Questions:

  • Is there a plan that the RAT QR code can be used as an entry pass to venues, by presenting it to gate keepers?
  • Why is it necessary to store personal data (i.e., first name, last name and date of birth) inside the QR code?
  • Do you see any risk that this QR code might unintentionally be exposed to unauthorized persons, for example by posting photographs with the QR code to Facebook ("Look, my first rapid test!") or by presenting it to fraudulent fake gate keepers, and that personal data could thereby be disclosed?
  • Why was an approach chosen that differs from the PCR test, which obviously does not contain directly linkable personal data?
  • If the personal data inside the QR code is necessary, why did you not choose an approach where the embedded personal data is encrypted in the QR code and can later be decrypted by fetching the decryption key via an (authorized) app/personnel?

If it is indeed intended that the QR code in its current implementation can be used as an entry pass, social engineering attacks might be possible. A fake gate keeper could scan the QR codes en masse with an arbitrary scanning app, extract names and birthdates, find people via telephone books, and use the personal data for better social engineering attacks like the Enkeltrick and the like.

If there is no way to skip or to encrypt the personal data embedded in the QR code for the planned implementation, people must be warned that the QR code contains personal data and must not be presented publicly or to unauthorized persons (which is not trivial if blind people, illiterate people or people with language barriers are supposed to be included).

Labels: bug, documentation
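As an added example (not code from the issue, the CWA apps or the RAT portal): a small Python parser for the QR URI format as the issue describes it. It decodes the base64 JSON in the URI fragment, lists the fields that directly identify the testee, and re-encodes the same payload without them to show what a variant that keeps only the opaque test-linking fields would carry. It uses sample URI no. 3 quoted above, with the host kept elided as in the issue; the meaning of fn, ln and dob is taken from the decoded JSON shown above.

```python
import base64
import json
from typing import Any, Dict

# Sample QR URI no. 3 as quoted in the issue (host elided there as "[...]", kept as-is).
# Only the fragment after '#' matters: it is the base64-encoded JSON payload.
SAMPLE_URI = (
    "[...]s.coronawarn.app/?v=1#"
    "eyJ0aW1lc3RhbXAiOjE2MTg1NjM3ODIs"
    "InNhbHQiOiI1QTI3M0REREJCQTFEMkFDQUEzN0ExMDg4NjhGNkIwMjM3NjQzRjhBNjdCQTNENkQ3RUE3RkREQ0M0RDJGMjBEIiwi"
    "dGVzdElkIjoiMGQ5ZTg0MzItZWI5MS00YzhmLTgyYWYtNWEwMWZiMWI2NzYwIiwi"
    "aGFzaCI6IjdiMWMwNjNlODgzMDYzZjhjMzNmZmFhMjU2YWRlZDUwNmFmZDkwN2Y3NDQ2MTQzYjNkYTBmOTM4YTIxOTY3YTki"
    "LCJmbiI6IkFsbWEiLCJsbiI6IkhheWVzIiwiZG9iIjoiMTk2Mi0wMS0wOCJ9"
)

# Keys that directly identify the testee, per the decoded sample payload in the issue.
PERSONAL_FIELDS = {"fn": "first name", "ln": "last name", "dob": "date of birth"}


def decode_rat_payload(uri: str) -> Dict[str, Any]:
    """Return the JSON object carried in the URI fragment (base64, padding optional)."""
    if "#" not in uri:
        raise ValueError("QR URI carries no '#' fragment")
    fragment = uri.split("#", 1)[1]
    padded = fragment + "=" * (-len(fragment) % 4)
    # urlsafe decoding accepts both the standard and the URL-safe alphabet.
    return json.loads(base64.urlsafe_b64decode(padded))


def personal_data_in(payload: Dict[str, Any]) -> Dict[str, Any]:
    """What anyone scanning the code with a generic QR reader learns about the testee."""
    return {k: payload[k] for k in PERSONAL_FIELDS if k in payload}


def strip_personal_data(uri: str) -> str:
    """Re-encode the payload without fn/ln/dob, keeping only the opaque test-linking fields."""
    base = uri.split("#", 1)[0]
    kept = {k: v for k, v in decode_rat_payload(uri).items() if k not in PERSONAL_FIELDS}
    body = json.dumps(kept, separators=(",", ":")).encode()
    # Standard base64 without padding, matching the alphabet of the sample above.
    return base + "#" + base64.b64encode(body).decode().rstrip("=")


if __name__ == "__main__":
    payload = decode_rat_payload(SAMPLE_URI)
    for key, value in personal_data_in(payload).items():
        print(f"exposed {PERSONAL_FIELDS[key]}: {value}")
    print("without personal data:", strip_personal_data(SAMPLE_URI))
```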

All 6 comments

Is there a plan that the RAT QR code can be used as an entry pass to venues, by presenting it to gate keepers?

I think something like this is indeed planned, see https://github.com/corona-warn-app/cwa-app-ios/pull/2422, which implemented the text:

"If you wish, you can use the app to prove your personal infection status (e.g. a negative rapid test). Please note that you are generally not obliged to prove your infection status via the app. Within the legal provisions applicable at your location, you may also prove your infection status in other ways."

Also, there is the PR https://github.com/corona-warn-app/cwa-app-ios/pull/2437 which introduced a counter which counts how long the test result is already available. Also, it includes this text:

"You can also use the result displayed here as proof of a negative rapid test result. Please also inform yourself about the criteria for the recognition of test certificates in your federal state. [...]"

Related Issue:

Thanks, @Ein-Tim, you're like a walking library 😁

@dsarkar
Hi Dipankar, I hope you had a nice start into the week!
Do you plan to refer this issue to the people in charge? I think it would be good not to lose too much time, as the RAT implementation for release 2.1 has already started.
This is also related and additionally illustrates my questions/doubts/concerns: https://github.com/corona-warn-app/cwa-wishlist/issues/463
Thank you, and have a nice day!

To add one thing here:

Please clarify with Apple & Google if there is a problem with the non-anonymity of the RAT integration.
It is planned that the following personal data is needed: first name, last name, date of birth (see also OP).

@heinezen
Hi Christoph, as @dsarkar seems to be off duty at the moment, could you provide short feedback on whether this issue is already under evaluation/consideration in the associated departments?
Sorry for my impatience, but I think the points discussed here are of non-negligible importance for the further implementation of RAT, and I don't want CWA to run into any kind of trouble here.
Thanks a lot, V.
