Calibration of RSSI
This line in the risk scoring function says:
// Issue #TODO: update based on calibration tests.
// This value must come from tests on a maximum number of devices, measuring the RSSI (in dB) at one meter
This line implies that the RSSI values are calibrated through an average over brand makes. This is inadequate, as there is too much variability across different brand makes. Instead, each brand make should be calibrated separately. In addition, the calibration should also differ according to their role (whether they were emitting or receiving a HELLO packet). I have detailed the many reasons in a recent blog post. As described in that post, it is pointless to even attempt measuring distance without correcting for such effects.
Depending on how this issue is mitigated, it might have implications for the data protection assessment. Indeed, the calibration above would be dependent on the Type Allocation Code (a truncation of the IMEI), which is allocated to at most one million devices each. If this data were held centrally, it would facilitate reidentification. Not mitigating this issue would also need to be addressed in the DPIA. Indeed, a lack of correction is likely to lead to inequitable distribution of false positives and negatives, which should be at least mentioned and evaluated.
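The effect described in this issue can be reproduced with a small simulation, given here as an added example that is not code from the project or from the author of the issue. It compares a single averaged calibration with a per-model, per-role correction and lists which emitter/receiver pairs end up misclassified. The model names, offsets, reference RSSI, contact range and the log-distance path loss model are all constructed assumptions.

```python
import math
from itertools import product

# Constructed offsets in dB relative to a reference device (assumptions, not measurements).
TX_OFFSET_DB = {"model_a": 0.0, "model_b": -8.0, "model_c": 5.0}   # role: emitting HELLO
RX_OFFSET_DB = {"model_a": 0.0, "model_b": 4.0, "model_c": -6.0}   # role: receiving HELLO
REF_RSSI_1M_DB = -60.0      # assumed RSSI at one meter for the reference pair
PATH_LOSS_EXPONENT = 2.0    # assumed free-space propagation
CONTACT_RANGE_M = 2.0       # hypothetical distance below which a contact counts

def path_rssi(distance_m):
    """RSSI the reference pair would observe (log-distance path loss model)."""
    return REF_RSSI_1M_DB - 10 * PATH_LOSS_EXPONENT * math.log10(distance_m)

def raw_rssi(emitter, receiver, distance_m):
    """RSSI actually reported: path loss plus emitter and receiver hardware bias."""
    return path_rssi(distance_m) + TX_OFFSET_DB[emitter] + RX_OFFSET_DB[receiver]

def average_offset():
    """One calibration constant averaged over every emitter/receiver pair."""
    pairs = list(product(TX_OFFSET_DB, RX_OFFSET_DB))
    return sum(TX_OFFSET_DB[e] + RX_OFFSET_DB[r] for e, r in pairs) / len(pairs)

def corrected_rssi(emitter, receiver, rssi, mode):
    """Apply either the per-model, per-role correction or the single average."""
    if mode == "per_role":
        return rssi - TX_OFFSET_DB[emitter] - RX_OFFSET_DB[receiver]
    return rssi - average_offset()

def misclassified(mode, distances_m=(1.5, 3.0)):
    """List (emitter, receiver, distance, error kind) for every wrong decision."""
    threshold = path_rssi(CONTACT_RANGE_M)
    errors = []
    for (e, r), d in product(product(TX_OFFSET_DB, RX_OFFSET_DB), distances_m):
        flagged = corrected_rssi(e, r, raw_rssi(e, r, d), mode) >= threshold
        truth = d <= CONTACT_RANGE_M
        if flagged != truth:
            errors.append((e, r, d, "false_positive" if flagged else "false_negative"))
    return errors

if __name__ == "__main__":
    for mode in ("average", "per_role"):
        print(mode, misclassified(mode))
```

With these constructed offsets the averaged calibration misclassifies six of the eighteen cases, and the errors fall on specific model pairs and directions rather than being spread evenly.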