This blog post is co-authored with Least Authority, a Berlin-based tech company committed to advancing digital security and preserving privacy as a fundamental human right.
This week, Germany’s COVID tracing app finally went live. As governments around the world have been rushing to adopt contact tracing apps in their fight against the COVID-19 pandemic, their efforts have been accompanied by important debates regarding the safety, efficacy, and necessity of the technology. Germany’s approach to contact tracing apps has been a long and winding road, with many delays and shifts in course.
Now that the “Corona-Warn-App” is available for download, we are answering some of the key questions surrounding topics like data protection, privacy, and the rules that govern the app.
Do I have to have the app?
No. The download and use of the app is voluntary. So far, however, there is no law governing the app, and critics have argued that the voluntary nature of the app should be legally protected. Additionally, social pressure or pressure from employers to install the app may undermine individuals’ ability to choose freely whether or not they want to download the app.
Do I need to download a new contact tracing app every time I cross a European border?
Probably not. Most countries that are part of the Schengen zone, in which EU citizens may cross borders without going through border controls, have eased their travel restrictions. EU governments that use “decentralized” apps have agreed to make their contact tracing apps interoperable across borders, but it is not clear when that solution will be in place. However it is unlikely that Germany’s decentralized app would be interoperable with, for example, France’s, which uses a “centralized” approach. It is worthwhile to check a country’s policy regarding contact tracing apps before crossing any borders—Re-open EU is a useful resource.
What’s the difference between centralized and decentralized apps, and what approach does the German app follow?
As governments around the world have become interested in contract tracing technologies, researchers have advocated different solutions. One important question in the design of contact tracing systems is whether they are “centralized” or “decentralized.” In the context of contact tracing apps, both centralized and decentralized models rely on an authority that processes data. The difference is what the authority (for example, a public health authority) knows. In the centralized model, the authority knows enough to contact the people who may have been nearby a person who later tests positive. This includes data about interpersonal associations, which can be quite sensitive. In the decentralized model, the authority usually only knows the identities of users who have been diagnosed with COVID-19. Under a decentralized model, the contact tracing app compares that list of IDs of people who tested positive with the list of IDs it has come in contact with locally, on the users’ phone.
While centralized and decentralized systems can both have a host of privacy problems, centralized approaches rest on the dangerous assumption that one central authority can be trusted to keep vast quantities of sensitive data secure, and will not misuse it. As we have seen over and over again, such trust is often abused. Carefully constructed decentralized models are much less likely to harm civil liberties, and EFF has taken a clear stance against the use of centralized systems for contact tracing.
In the EU, many governments—including Germany—started out with a centralized approach, but pivoted to a decentralized system after criticism from digital rights NGOs and researchers. Germany’s Corona-Warn-App is based on the decentralized framework developed by Apple and Google. While it is not perfect, it is a more privacy-friendly option.
How does the app work?
The goal of the Corona-Warn-App is to notify users when they have been in contact with other users that have tested positive. The underlying assumption is that many people own smartphones, and that most carry their phones with them. The majority of smartphones include Bluetooth technology, which allows the sharing of data across short distances. That technology is used for the contact tracing app.
The app is built on Apple and Google’s exposure notification interface that allows smartphones to exchange short Bluetooth signals that carry rotating identification numbers.. Each phone shares its own identifier approximately every five minutes, and listens constantly for nearby devices doing the same. Phones use daily random keys to generate new identifiers every couple of minutes, and store them locally (i.e. on the users’ phone) for 14 days.
When people who have downloaded the app are near each other for a given period of time, their phones exchange their IDs, and each saves the ID of the other phone. Alongside the ID, phones also save data about the date, time, and the duration of the contact, as well as the strength of the signal, which will be important later on for assessing a users’ risk of infection.
How does the app know whether I’m infected?
When a person tests positive for COVID-19, they can—but are not obliged to—report their test result to the Corona-Warn-App. In such cases, the app will send all of the daily keys that it has used during the past 14 days to a server after the infected user has given its consent to share that data. These keys let anyone who sees them generate the associated user’s rolling device IDs.
Every phone that has the app installed regularly downloads the list of IDs of users that have been tested positive. The app then compares that list with the list of IDs it has encountered during the past two weeks. This matching does not happen on a centralized server, but instead is decentralized on the users phone. Users are also not informed that they had contact with a specific ID that is linked to an infected person, but are only told that contact has been made with an unspecified individual who has been tested positive for COVID-19. Users are told about the day on which they made contact with the infected person, but not the time, to help protect the identity of the patient.
Once the app determines that it has been in contact with a person who is infected, it calculates the risk that its user has been infected with COVID-19. This is when the data regarding the date and curation of the contact, as well as the signal strength that the phone has collected alongside the ID, come into play. In conjunction with the patient’s transmission risk factor, determined by the health authority, the app informs the user about their aggregated infection risk.
Users are not obliged to take any specific measures once they are informed about their risk, and do not have to report their risk factor to their local health authority. Users are thus free to make adjustments to their behavior based on their risk score (e.g. seek testing or self-quarantine) or to ignore the score.
Does the app have my name?
No. In line with Europe’s data protection law, the GDPR, the app minimizes the amount of personal data it requires users to share. Users only have to provide data regarding the following functions:
- Consent to the use of the Exposure Notification framework, the API developed by Apple and Google that allows the app to communicate between iPhones and smartphones that run on Google’s Android operating system
- Transaction authentication numbers (TAN) through which users validate their test result
- Consent for the upload of daily keys, which can be used to generate device IDs (after the user submitted a positive test result)
Why is this supposed to help me to know I was close to an infected person when I cannot get tested anyway?
While it was difficult to get tested for COVID-19 during the first months of the pandemic, the situation in Germany has improved since. People that want to get tested should contact a local hospital, their general practitioner or a testing center. Germany has also pledged to expand testing capabilities for asymptomatic persons. When informing users of their infection risk, the app also provides the contact details of local authorities and further information regarding the steps users can take.
What if people feed the app with false information?
To avoid users submit false test results, the app requires patients to confirm the authenticity of their test result. This can happen via a TAN number or a QR code. The app will upload the list of IDs it has been in contact with over the past 14 days only after a test result has been validated.
Another potential source of false information is the Bluetooth technology on which the app is based. Bluetooth technology was not designed to support contact tracing efforts, and false positives, false negatives, or imperfect results are all possible.
Is the data really anonymized?
Yes. The data will be anonymized — meaning that your personal information will not be shared with the mobile devices that come in contact with yours — but that does not mean everyone’s identity is guaranteed to be unknown to absolutely everyone else and in every context.
For example, if you do not leave your home for 14 days and only one person visits you during that time, and you are alerted to having been in contact with a person who has tested positive, you will be able to deduce that the individual who visited you was the person who tested positive.
How is the data protected?
The data collected by the app is stored on your mobile device. Within the app, all stored data is encrypted according to industry best practices. The stored data also includes one key per day (the “daily key”) that is used to generate the broadcasted identifiers.
When a positive test result is confirmed, the previous 14 days of user keys stored in the device of that individual are voluntarily shared with the server. These keys are then broadcast to every device that is using the app. These devices use the keys to derive the rotating device IDs for the infected user and compare them against their local contact lists. The devices with matches will indicate that they have been in close proximity with an individual who has tested positive for COVID-19.
Does the government have access to the data?
No. According to the design of the Corona-Warn-App, the government should not have access to contact logs stored on your device. Mobile devices upload their daily keys (“Temporary Exposure Keys”), and other mobile devices download those, derive the 10-minute keys (“Rotating Proximity Identifiers”), and compare against their logged contacts. This means that the server, and anyone operating the server (like the government), doesn’t learn your or others’ contact graphs (the information about who you come in contact with and how that all connects together). The applications are only uploading keys from positive users and not the contact logs themselves.
All of this assumes that the mobile devices function the same as is described in the documentation from Google and Apple. The Corona-Warn-App claims that it only adds data about which protocol version it is using and the strength of the signal, but it is not impossible for the app on your mobile device to attach additional data.
Can and will I be tracked through the app?
The Corona-Warn-App is intended to support the tracing of infection chains, and not to access or track the location of the user. Additionally, the developers seem to refrain from using analytics and telemetry tools in order to collect as little personally identifying data as possible. While it is possible that third-party listeners can learn some information from the data broadcasted by the app, it is unlikely that the app can be used as a liable location tracking mechanism, especially compared to the other digital trails already left by our devices. However, some risks remain.
Is the app open-source?
Yes. The code for that app is publicly available on Github, a software development platform. While it is technically possible for the app vendor to distribute a version of the code that was modified to collect more personal data, it is unlikely that such a manipulation would go unnoticed amidst the close scrutiny of the app in Germany.
How many apps are there?
Besides the Corona-Warn-App, there is also the “data donation” app of the Robert-Koch-Institute, Germany’s federal agency responsible for disease control and prevention. The app allows users to—voluntarily—share biometric data collected with wearables like Fitbits. The app has been criticized for its unclear data protection and privacy safeguards. EFF has cautioned against the negative consequences associated with the use of wearables to combat COVID-19.
Will the app be sunsetted after the “end” of the crisis?
The German government has not yet announced its criteria or timeline for sunsetting the app, and critics are calling for a fixed expiration date for the app. Apple and Google have publicly committed to disable their exposure notification system on a regional basis when it is no longer needed. Users are free to deactivate the exposure logging feature, through which phones receive the temporary IDs of other users, at any time. Users can also uninstall the app whenever they feel that their need for it has subsided. We know that, historically, governments often hang on to new powers they acquire during a crisis, so it is critical that the government make its timeline for this technology clear.