18 June 2020
It has been under discussion since March, and now the German “Coronavirus Warning App” is available for download. The app is designed to help detect and break transmission chains more quickly. How does the German warning app work, what’s the story with data protection, and what experience have other countries had with similar apps? Here’s an overview.
With 12,000 cases and 277 deaths out of nearly 52 million people, South Korea is seen as a prime example of effective coronavirus control without a nationwide lockdown. The government of the East Asian state also placed its trust in a tracing app as early as late March: GPS and credit card data are used to track the patient’s movements and identify the people they have been in contact with. These data are matched with the images taken by surveillance cameras. Once the patient’s movements have been tracked and the individuals they have been in contact with identified, these data are sent as a text alert to the mobile phones of all those people, assuming they have a South Korean mobile phone number. In addition to their exact locations, this centralised record also stores the patient’s gender, age and neighbourhood of residence – a major incursion into individual privacy that would be incompatible with European regulations and notions of data protection.
Singapore is also one of the pioneers of digital measures against the pandemic. Unlike its counterpart in South Korea, the city-state's tracing app does not use GPS. The use of “TraceTogether” is voluntary; contacts are detected via Bluetooth and stored only locally on the device. This means that the authorities cannot generate movement profiles for their citizens. In the case of a confirmed infection with SARS-CoV-2, the virus carrier is asked to upload the stored records of their contacts to a central server at the health department. The contacts are then informed by telephone that they may have become infected. The code used in the app is open source, so it can be inspected and changed by third parties.
About a third of the population has downloaded the app – although the government had originally targeted a figure of 75 percent. In the future, the authorities also want to use a token to track the virus. This new device, which is as big as a car key and can be kept in a handbag or attached to a backpack, works via Bluetooth and is to be distributed to the population at the end of June.
At the height of the pandemic, Iceland, an island in the North Atlantic, was relatively badly affected by COVID-19, with around 1,800 cases out of 360,000 inhabitants. The authorities responded with mass testing, contact tracing teams and a coronavirus app released in early April. About 38.5 percent of Iceland's population downloaded “Rakning C-19”, the highest penetration rate of a coronavirus app in the world, according to the MIT Technology Review. It is not without privacy concerns, however: “Rakning C-19” transmits the GPS data of the users to the authorities, who can use them to create movement profiles for the affected individuals. There are no specific figures for the effectiveness of the app. The GPS data have proven useful in some cases, Ingi Steinar Ingason, team leader at the National Center for eHealth, told Netzpolitik.org. According to Ingason, a new version of the app based on Bluetooth is going to be developed as a next step.
At the beginning of June, France also launched its own coronavirus warning app. “StopCovid” was activated a million times in four days, according to government figures. The authorities had previously said that, for the app to be effective, it would have to be used by several million French people. Like “TraceTogether” in Singapore, “StopCovid” uses Bluetooth signals to record the proximity of different smartphones to one another. Users are then warned if it turns out they have come close to infected people. Unlike the Singaporean version, the data in the French model are matched on a central server. This drew criticism from data protectionists in the run-up to the app’s release.
Another criticism from experts is that the app does not use the interfaces that Apple and Google have recently provided for coronavirus tracing apps for their iOS and Android operating systems. This can lead to problems such as increased power consumption and more unreliable Bluetooth recognition. Especially with the iPhone, the tracing app needs to open in the foreground for the phone to be able to constantly send and receive Bluetooth signals. This makes it virtually unusable with Apple's iOS operating system, experts say.
In Germany, too, the initial discussions revolved around a centralised solution. However, the “Coronavirus Warning App” subsequently developed by SAP and T-Systems on behalf of the Federal Government relies on the decentralised storage of the recorded contacts exclusively on the user's smartphone to ensure compliance with data protection regulations. The app uses Bluetooth Low Energy, an energy-saving version of Bluetooth. This allows phones to recognise when two app users have been in proximity to one another for 15 minutes at a distance of less than 1.5 metres. In this case, a user’s own smartphone will send an anonymised and encrypted random code to the mobile phone of the other user and receive the latter’s own random code. These codes are stored locally on the smartphone and deleted after 14 days.
Once a day, the device retrieves a list of anonymous random codes for which COVID-19 infection has been confirmed. If one of these codes matches a code in the contact list stored on the mobile phone, the user is warned. For this to work, users who have tested positive for the virus need to communicate their result to the app. They can do so by scanning a QR code provided by the test laboratory or entering a TAN code, which they can request by calling a hotline. This free call can be made directly from within the app. These registration procedures are designed to prevent misuse of the app.
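To make the decentralised flow described above concrete, here is a simplified Python model, added as an illustration and not taken from the app's source code. The class and function names are hypothetical, the sample encounters are constructed, and plain random tokens stand in for the anonymised, encrypted codes the real app exchanges.

```python
import secrets
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)        # codes are deleted after 14 days
MIN_DURATION = timedelta(minutes=15)  # proximity threshold from the article
MAX_DISTANCE_M = 1.5                  # distance threshold from the article

class Device:
    """Hypothetical model of one phone; both logs exist only on the device."""
    def __init__(self):
        self.sent = {}      # own random codes -> time they were handed out
        self.received = {}  # codes received from other phones -> time of contact

    def new_code(self, now):
        code = secrets.token_hex(16)  # random, carries no identity or location
        self.sent[code] = now
        return code

    def purge(self, now):
        for log in (self.sent, self.received):
            for code in [c for c, t in log.items() if now - t > RETENTION]:
                del log[code]

    def check_exposure(self, published, now):
        # Matching happens on the phone: the server never sees self.received.
        self.purge(now)
        return sorted(set(self.received) & set(published), key=self.received.get)

def encounter(a, b, now, duration, distance_m):
    if duration < MIN_DURATION or distance_m >= MAX_DISTANCE_M:
        return False                  # too short or too far: nothing is stored
    code_a, code_b = a.new_code(now), b.new_code(now)
    a.received[code_b], b.received[code_a] = now, now
    return True

def report_positive(device, now, verified):
    # Only a result confirmed via QR code or TAN may publish codes (misuse guard).
    if not verified:
        return []
    device.purge(now)
    return list(device.sent)

def demo():
    t0 = datetime(2020, 6, 16, 12, 0)                      # constructed scenario
    alice, bob, carol = Device(), Device(), Device()
    encounter(alice, bob, t0, timedelta(minutes=20), 1.0)  # counts as a contact
    encounter(alice, carol, t0, timedelta(minutes=5), 1.0) # too brief, ignored
    published = report_positive(alice, t0 + timedelta(days=2), verified=True)
    return (bob.check_exposure(published, t0 + timedelta(days=3)),
            carol.check_exposure(published, t0 + timedelta(days=3)),
            bob.check_exposure(published, t0 + timedelta(days=15)))
```

The published list contains only the positive user's own random codes, so neither the server nor other users learn who met whom; each phone finds out for itself whether it holds a matching code.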
The “Coronavirus Warning App” uses the Apple and Google interfaces. It runs on all Android devices, starting with Android 6 Marshmallow, which was released in 2015. iPhones must have the current iOS version 13.5 installed. This is possible for all phones including and after the iPhone 6S, which has likewise been on the market since 2015. The source code of the “Coronavirus Warning App” has been open source since Pentecost, meaning that members of the public can check how the app works and make improvements if necessary.
A team from TÜViT examined the app for compliance with privacy and IT security. Two questions for Dirk Kretzschmar, Managing Director of TÜViT.
How exactly did you go about testing the app?
Our testers examined the app for two weeks in the phase model. Our data protectors checked whether data protection policies, declarations of consent and the data protection concept had been sufficiently well observed. Our “good hackers” or “penetration testers” analysed the source code at the same time and tested it for possible security vulnerabilities. The limited time available meant that our experts in Essen racked up various amounts of overtime. The tests were carried out under high pressure, but always with the necessary care.
What did the tests reveal?
The app runs safely and stably without spying on its users. Previous versions of the app were less stable, and our testers also identified a major vulnerability. In the end, however, our testers got a very positive impression of the app and were pretty enthusiastic about how quickly the developers fixed this vulnerability and the quality of their remedial work. We now hope that as many people as possible will download the app so that it can be effective.
Dirk Kretzschmar is Managing Director of TÜViT and an expert in all matters concerning Internet security.