From 5pm English law allows police to access track and trace exposure data. They *can't* get app data due to the decentralised technical design, but the police would have had access to app data if the original centralised design abandoned in June had been implemented. https://twitter.com/AdamWagner1/status/1355120586603831298

This is of course a hypothetical (perhaps a different law would have been drafted). But regardless — this is the direction we predicted, function creep, and a core driver behind DP-3T.

also worth noting that the UK does have a legal system that can prevent abuse of such data by other public actors, or purpose limitation across police purposes (not those aligned with an enforcement view of public health). many countries definitely do not. we designed for them.

many countries don't even need to specify these police powers in a new statute because they clearly can derive from extensive police powers that have very few limits or practical oversight.

it's worth noting nuances here too:
- it is compatible with a decentralised design that the result of a notification is transmitted somewhere. Not how the EN/WA app works, but it's possible.
- this statute allows notification information to be accessed, but such information [...]

[..] would not be the framing in a centralised design, as a notification is a centralised outcome of analysis of a graph. The data accessed in that case would be linked to the original graph, which is highly sensitive. That graph does not exist in a decentralised design.