Experts attest to the high level of security and data privacy afforded by Germany’s “Corona-Warn-App”. But how does the app stack up in comparison with those of other countries?
How does the German coronavirus tracing app compare internationally? An analysis of different approaches to data privacy aspects provides an interesting contrast.
The German Corona-Warn-App is designed to digitise the manual contact tracing process to make it faster and much more efficient. The official publisher of the app, the Robert Koch Institute (RKI), has already announced more than 14 million downloads of the app. It is designed to prevent the storage of personal data to avoid data privacy issues.
Contact tracing needs to be a collaborative effort
The German government app does not collect any location data because it is not necessary for the system to work. The app also does not know the identity of the individual user. Instead, the app generates a pseudonymised ID number for each user. Using Bluetooth, the app recognises other phones using the app in your proximity and stores the IDs of the other users. This exchange of data is repeated regularly to record the duration of the contact. After 15 minutes a contact is stored.
The data is deleted again after two weeks. However, so that contacts can be informed in the event of risky encounters during this period, another step is necessary: At this stage, anyone testing positive for Covid-19 has to scan the QR code obtained in the laboratory test or enter a PIN. However, this is not mandatory. Once a day, the app server at the Robert Koch Institute retrieves the IDs of people who have tested positive (and who have shared this information with the app) and issues an alert if necessary.
Not yet complete
However, it is still not clear how accurately the app can estimate the distance to other smartphones, so that it only records people within the critical distance. As Bluetooth signals do not emit uniformly in all directions, the process is subject to a certain inherent inaccuracy.
SAP is responsible for the software technology and Deutsche Telekom for the network and mobile communications technology. The German Federal Ministry of Health says that the entire project will cost more than EUR 60 million. The developers are now working on also making the app available in other languages, with plans to include Turkish, English, French, Arabic and Russian.
Germany relying on voluntary model
The basic principle of the German app is that its use is voluntary. The numbers of people using it are therefore even more remarkable. Federal Health Minister Jens Spahn says that the German app has been downloaded more times than the “corona apps all other EU states together”. The good download figures are attributable above all to Apple users, as German broadcaster ZDF reports, although the market share of the Apple operating system iOS on mobile devices is far lower than that of Google’s Android.
In other countries relying on voluntary use of this kind of app, the numbers using it tended to be small. This was the case in Singapore, for example, which is why Singapore has developed a Bluetooth dongle. The new technology is called “TraceTogether Token” and the government wants to distribute it soon to all residents who are always supposed to carry it on them. To counter anxieties about surveillance, the small device works without being connected to the internet or a telephone network. The contact data collected can only be read by the health authorities.
The German app is based on the open protocol “Decentralised Privacy-Preserving Proximity Tracing” (DP-3T or DP3T), which was created by European scientists and researchers. It is used for COVID-19 proximity tracking with the help of Bluetooth low energy radio signals. In the meantime, Austria and Switzerland are taking a similar approach to Germany, as their latest apps are also based on DP-3T. The source code for the app was published as open source on the Github portal and has meanwhile been scrutinised by numerous security experts. What they found is the subject of another article.
Different countries have different approaches to data privacy
Whether Russia, the USA, Norway or India, almost all countries have developed or purchased their own contact tracing apps. But there are considerable differences in their concepts. Most approaches rely on centralised storage models, as in France. Israel has deployed a network-based location tracker that is associated with high data privacy risks. In India, the use of the contact-tracing app is mandatory for certain groups of people, and in the USA, GPS data are also collected to provide the health authorities with an overview of the regions where infections are increasing. The Icelandic app goes even further and saves the movement profiles of users for two weeks with a view to determining where contacts to infected people could have occurred. South Korea is taking a different approach. Based on government data, the app, which was published as early as February, alerts users if they are in a location less than 100 metres from an infected person. The app even indicates the gender, approximate age and case number of the infected person. In some countries, entry is conditional on installing an app.
In mid-March it emerged that many governments had been offered a corona tracker from Israeli spyware manufacturer NSO. Around 12 governments are said to be already testing it. It is designed to analyse large volumes of location data.
You will also find news about all aspects of it-sa and the world of IT security in the it-sa Security Newsletter.