(June 18, 2020) On June 16, 2020, the German government launched the “Corona Warning App,” a voluntary mobile phone application to alert persons who have been in proximity to someone infected with COVID-19. Since its launch, the app has been downloaded by 6.5 million people.
As of June 15, 2020, 186,461 people had tested positive for COVID-19 in Germany, and 8,791 people had died. On May 25, 2020, the federal government and the German states agreed to further ease restrictions that had been put in place to stop the spread of COVID-19. Social distancing, hygiene measures, and contact tracing are among the means of containing the virus that are being continued.
Operation of the App
Once installed on a mobile device, the app broadcasts a rolling proximity identifier (RPI) while also regularly scanning for the identifiers of other phones. The app uses Bluetooth Low Energy technology.
The app follows a decentralized approach based on the DP-3T and TCN protocols as well as contact tracing specifications by Apple and Google. Identifiers are stored locally and remain valid for 10–20 minutes. The temporary keys from which the identifiers are created change every 24 hours.
Users who have tested positive for COVID-19 can voluntarily upload to the server the temporary keys from the last 14 days. This can be done either by scanning a QR code that users have received at the testing location, if the location supports the electronic process, or by calling a hotline. The test result is verified by the backend of the app to prevent misuse. If the result is confirmed, the keys are added to a list that is regularly broadcast to mobile phones that have the app installed. The app checks for matches with the RPIs. If there is a match, the risk is assessed and the user receives instructions.
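The decentralized flow described above, sketched as an added example that is not the app's own code: phones derive short-lived identifiers from a daily key, only daily keys are uploaded, and matching happens on the receiving phone. HMAC-SHA256 stands in for the real identifier derivation, the 10-minute interval is an assumption taken from the low end of the 10 to 20 minute range, and `Phone`, `derive_rpi` and `simulate` are hypothetical names.

```python
import hashlib
import hmac
import os

INTERVAL_SECONDS = 10 * 60  # assumption: low end of the article's 10 to 20 minute validity
INTERVALS_PER_KEY = 24 * 60 * 60 // INTERVAL_SECONDS  # temporary key changes every 24 hours
RETENTION_DAYS = 14  # upload window stated in the article

def derive_rpi(temporary_key: bytes, interval: int) -> bytes:
    """16-byte identifier for one interval. HMAC-SHA256 is a stand-in PRF (assumption)."""
    msg = b"RPI" + interval.to_bytes(4, "little")
    return hmac.new(temporary_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.keys = {}         # day number -> temporary key, kept on the device
        self.observed = set()  # identifiers heard over Bluetooth, kept on the device

    def broadcast(self, interval: int) -> bytes:
        key = self.keys.setdefault(interval // INTERVALS_PER_KEY, os.urandom(16))
        return derive_rpi(key, interval)

    def upload_keys(self, today: int) -> list:
        """What a positive-tested user sends: (day, key) pairs for the last 14 days only."""
        return [(d, k) for d, k in sorted(self.keys.items()) if today - RETENTION_DAYS < d <= today]

    def check_exposure(self, published: list) -> list:
        """Re-derive every identifier from the published keys and match locally."""
        hits = []
        for day, key in published:
            start = day * INTERVALS_PER_KEY
            for interval in range(start, start + INTERVALS_PER_KEY):
                if derive_rpi(key, interval) in self.observed:
                    hits.append(interval)
        return hits

def simulate() -> dict:
    alice, bob, carol = Phone(), Phone(), Phone()
    base = 100 * INTERVALS_PER_KEY + 60  # constructed encounter on day 100
    for i in range(base, base + 3):
        bob.observed.add(alice.broadcast(i))  # Bob stores what he hears, locally
    alice.broadcast(80 * INTERVALS_PER_KEY)  # creates a day-80 key, outside the 14-day window
    published = alice.upload_keys(today=101)  # only day keys reach the server
    return {"published_days": [d for d, _ in published],
            "bob": bob.check_exposure(published),
            "carol": carol.check_exposure(published)}
```

The server side of this sketch never sees who met whom: it holds only Alice's daily keys, and each phone decides for itself whether any stored identifier matches.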
Legal Basis
The German government has been criticized for not adopting a legal basis for the Corona Warning App. The German federal minister of justice and consumer protection, Christine Lambrecht, has stated that a legal basis is unnecessary because downloading and deleting the app is voluntary and all data protection rules are applicable to the operation of the app. The Green Party disagrees and has submitted a draft law to rectify the situation. The law would ensure that the app does not become de facto mandatory if its use becomes required for entering certain places, such as businesses and workplaces, and would guarantee that the data be used only for the purpose specified in the law.
Data Security
The app was developed with input from the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) to ensure data security. The BSI is the “national cyber security authority” and “promotes IT security in Germany.” The BSI has stated that the app guarantees the “highest degree of information security” and confirmed that the Corona Warning App adheres to the requirements of the technical guidelines for the safety of digital health apps. In addition, the BSI will continuously monitor the operation of the app.
Furthermore, the source code has been made available online on GitHub. The BSI supported the open source process by reviewing code and performing penetration tests of the frontend and backend code. According to the BSI, critical weaknesses that were discovered during the testing were made transparent and addressed together with the app developers.
Data Protection and Privacy
The operation of the app is supervised by the federal commissioner for data protection and freedom of information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI). The commissioner has stated that the data protection standard for the app is “sufficient” and that “nothing speaks against downloading it from a data protection standpoint,” but that there are “weaknesses that need to be addressed as soon as possible.” In particular, he was concerned that the requirement to call a hotline to confirm a positive COVID-19 test would interfere with the pseudonymous use of the app. He also warned owners of stores and public transportation that they are not allowed to require that people show data on the app before they are granted access.
The launch of the app had been delayed by two months because of concerns of data privacy advocates that the originally envisioned method of storing anonymized infection data on a centralized server would be turned into a tool for surveilling the population. At the press conference introducing the app, the German minister of health, Jens Spahn, stated that “the app is secure, voluntary, and easy to use, what more could you want?” The head of the Federal Chancellery, Helge Braun, added that “we all know that it is not the first corona warning app in the world, but I am convinced that it is the best. Downloading and using it is a small step for each of us, but a giant leap for fighting the pandemic.”