Germany’s Search for a Viable Tracing App, by Christian L. Geminn Johannes Müller

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com

The German “Corona-Warn-App” was finally released on 16 June after a turbulent development process. Users are not located and there is no permanent centralised processing of data. Phones communicate via Bluetooth and temporary identification numbers. Contact data is stored encrypted and only on the user’s smart phone where they are automatically deleted after two weeks. The app can run in the background. Lawfulness of processing is secured via the consent of the users.

The Road to the “Corona-Warn-App”

Development of an official app was surrounded by controversy concerning the underlying technology and data protection. This (among other issues, esp. concerning competence) led to significant delays in the development of an officially endorsed tracing app; the original release deadline (mid-April) was pushed back several times. Importing an existing, foreign app was dismissed because of data protection concerns. 81% of Germans use smartphones. 60% of the German population would have to use a tracing app for it to be a useful tool to loosen restrictions on social interactions. False positives and technological issues (e.g. varying signal strength) can undermine any success of a tracing app from the get-go. A lack of trust in the underlying data protection concept could also hinder its success.

Discussions about tracing contacts of infected persons using mobile phones started around the beginning of March. A first draft of the “Act on the Protection of the Population During an Epidemic of National Scope” issued by the Ministry of Health led by Jens Spahn would even have allowed public health authorities to use any “technological means” to trace contacts. The provision was removed from the draft after substantial criticism, including criticism from the Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber.

The first proposal focused on the telecommunications traffic data (Verkehrsdaten) and cell data (Funkzellendaten) stored by telecommunications providers. The use of such data was immediately dismissed due to the broadness of this measure and the ineptitude (locating cell phones via cell data is not very precise and traffic data only indicates the social network of an individual, not physical contacts) and bulk of the data however. As a result, other means of cell phone-based tracing entered the discussion, particularly apps that rely on GPS and Bluetooth.

GPS – the second proposal – was however rejected as a possible solution since GPS-data are acknowledged to be significantly more inaccurate than the alternative Bluetooth. Additionally, the technology does not properly work within buildings. Regarding data protection, the use of GPS data is recognized as coming into conflict with data minimisation, as data collection would not be limited to situations relevant to the spread of the virus. Tracing of contacts to reveal and interrupt chains of infection only requires two “necessary” types of information:

The information that a person has stayed with an infected person long (> 15 minutes) and close enough (< 2m) to make an infection likely and
how this fact can be communicated to that person.

Nevertheless, the first German tracing app that has been developed (independently by a private company without government mandate; supported by the Z Zurich Foundation) uses GPS location data: the geoHealthApp uses a traffic light system that turns red if a nearby person is (voluntarily) registered in the app as a Covid-19 patient. GPS data of the users taking part are stored in a falsified form on servers. Acknowledging the limitations of the app, it was marketed as an interim solution.

The third approach is designed around Bluetooth. The relatively weak signal strength which only allows transfer of data in close proximity is now deemed to be the technologies strongpoint.

One of the main issues discussed is whether to store data in a centralized or in a decentralized way. A centralized architecture would mean the collection of all contact events from infected users and notifying persons at risk on servers under control of one single institution. Such a design was favoured at the beginning by the federal and by state governments. On 18 April – three days after the centralized approach was put forward – 300 researchers published a joint statement rejecting the centralized approach. Among other issues, the statement points out data minimisation, and argues, that strong privacy-preserving measures are necessary to ensure public acceptance and broad use of the app.

A decentralized architecture does not grant the server access to contact events which become possible infection events if a contact tests positive for the virus. It limits the server to the storage of “anonymous” data. In this architecture the app itself (on each user’s device) detects possible infection events by calculating it on the device. Given the issues of a centralized approach as well as the history of Germany, a decentralized architecture was ultimately preferred and promoted by the Federal Data Protection Commissioner as well as leading researchers from all fields. The federal government officially adopted the decentralized approach on 25 April and tasked Deutsche Telekom and enterprise software specialist SAP with development (with consultation by the Fraunhofer Society and the Helmholtz Centre for Information Security). An unofficial data impact assessment regarding the primarily discussed frameworks and concept proposals was published on 29 April. The technological basis of the app is provided by Apple and Google and ensures that the app can run in the background. A pre-presentation of the app to the public took place on 29 May.

To ensure the lawful operation of the app, the creation of an accompanying law was discussed. The Infection Protection Act does not contain specific provisions that could serve as a basis for processing of personal data. Particularly members of The Greens and The Left called for an ancillary law with a specific legal basis for processing of personal data. An unofficial draft for such a law was published on 3 May by a group of four researchers led by a judge at the administrative court in the town of Schleswig. Even if a data subject uses an app voluntarily, this does not necessarily mean that this person thereby consents to the specific processing of his personal data. The Robert Koch-Institut (RKI) serves as the distributor and operator of the app. As the RKI is a government agency responsible for disease control and prevention, there may be a need for a legal basis beside Art. 6(1)(1)(a) GDPR, as Art. 6(1)(e), (2) and (3) GDPR stipulate that any processing of data in the public interest must be authorised by a specific legal basis in each Member State. Because health data is involved, Art. 9 (2)(h) and (i) GDPR must be adhered to. Nevertheless, the federal government maintained the position that individual consent is a sufficient basis for the operation of the app; with the main argument being that the app does not infringe on any fundamental rights. The Federal Data Protection Commissioner has stated that in the absence of an ancillary law, the rights of the data subject according to Chapter III of the GDPR fully apply.

Shortly before the release of the app, another controversy emerged: The result of a test for the coronavirus must be entered into the app which sends the information to the RKI ; only then a warning message can be transmitted to other users. Verification is performed via QR code or TAN. However, there is a third option of calling a hotline. This third option has been criticised as a possible method to report fake infections. To prevent this, an operator will ask the caller a series of questions (without revealing the identity of the caller). The Federal Data Protection Commissioner has voiced no concerns regarding the hotline. The establishment of the hotlines was necessary because not all laboratories that perform tests for the virus have the ability to generate QR codes or TAN.

On June 16, the app officially sanctioned by the federal government was finally released; accompanied by a public advertisement and awareness campaign. The official assessment pursuant Art. 35 GDPR was also made public. By July 3, the app has officially been downloaded 14,6 million times.The RKI serves as the distributor of the app. Its source code can be accessed via GitHub; FAQ can be accessed here. From a data protection perspective, the app is a milestone regarding the early implementation of data protection by design into the development process of a far-reaching IT solution – notwithstanding the fact that it took significant time to acknowledge the importance of data protection. Nonetheless, limited technical effectiveness of digital contact tracing remains an issue: e.g. false positives caused by taking on Bluetooth-signals through walls or varying Bluetooth signal strengths. As the crisis induced by the Covid-19 quickens digitisation across society, it is important not to lose sight of the constitutional requirements that are meant to frame the use of modern IT, particularly the right to informational self-determination.

Other Apps

Significantly earlier (4 April), the RKI released a separate app called “Corona-Datenspende” (Corona data donation). Its development took place in cooperation with a private company, Thryve (mHealth Pioneers GmbH). The app uses sensors found in fitness trackers and smartphones to identify potential symptoms of a Covid-19 infection. The data collected by the app on the user (sex, age in steps of five years, weight in steps of five kg, height in steps of five cm, postal code, data on health and activity incl. sleeping habits, heart rate and body temperature) can voluntarily be sent to the institute. RKI then uses the data to get an overview of the situation regarding the pandemic and to estimate the number of cases not reported to physicians. However, the security of the app was criticized by the Chaos Computer Club.

Information on the Coronavirus is distributed among others via the app NINA (Notfall-Informations- und Nachrichten-App; emergency information and messaging app) of the Federal Office for Civil Protection and Disaster Assistance.

Dr. jur. Christian L. Geminn, Mag. iur. Senior researcher and lecturer at Kassel University and Managing Director of the Project Group Constitutionally Compatible Technology Design (provet) at the Research Centre for Information System Design (ITeG)

Ass. iur. Johannes Müller, MLE., Assistant researcher at Kassel University and member of the Project Group Constitutionally Compatible Technology Design (provet) at the Research Centre for Information System Design (ITeG)