
To overcome the corona crisis, experts continue to place great hope in tracking apps for smartphones. These apps should record the position data of their users and help to detect and interrupt chains of infection. But the rollout of such an app in Germany is still a long time coming.

Data protection and data security

Can a corona app help contain the pandemic? A few weeks ago I answered this question clearly with a yes and I still stick to this assessment. But it can only help if it is available! After the original announcement of the German government to release such an app by mid-April at the latest, the population is unfortunately still waiting. The problem is that the app, in addition to its original purpose of containing the spread of the epidemic, must fulfill two other functions, namely data protection and data security.

Because of these two points, an intensive discussion broke out among various scientists and experts in Germany. The originally planned app was supposed to be based on PEPP-PT technology, but this caused great concern among data protection advocates. At the heart of the discussion was whether the users’ data should be stored centrally or decentrally. After initially deciding in favor of centralized storage with PEPP-PT technology, the German government backed down last week and gave in to the concerns of data protection advocates by deciding in favor of decentralized storage.

Where is the difference?

The basic principle is the same: When two mobile phones are close enough to each other for a certain time, they exchange pseudonymous IDs via Bluetooth. These change regularly and do not allow a direct conclusion to be drawn as to which specific person is involved.

In a decentralized model, a user sends only his own IDs to a server in the event of an infection. From there, all other app users can download them, and the actual check of whether there was a contact takes place only locally on the mobile phone.

In the central model, on the other hand, an infected person’s app additionally sends the codes of the contacts to the server, where a corresponding data network with sensitive information about the movements and contacts of all app users is stored. This is sensitive information, practically “secrets”, which must be specially protected.
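A simplified sketch of the two models described above, added here as an illustration and not taken from PEPP-PT, DP3T or any real app. The HMAC-based ID derivation, the `Phone` class and all names and values are assumptions made for the example.

```python
import hashlib
import hmac

def ephemeral_ids(secret: bytes, epochs: int = 4) -> list:
    """Rotating pseudonymous IDs: one 16-byte value per epoch (assumed scheme)."""
    return [hmac.new(secret, e.to_bytes(4, "big"), hashlib.sha256).digest()[:16]
            for e in range(epochs)]

class Phone:
    def __init__(self, name: str):
        # Constructed, deterministic secret so the demo is reproducible;
        # a real app would use a random secret that never leaves the device.
        self.own_ids = ephemeral_ids(hashlib.sha256(name.encode()).digest())
        self.heard = set()  # IDs received over Bluetooth, stored on the phone

    def meet(self, other: "Phone", epoch: int) -> None:
        """Both phones are close long enough and swap their current IDs."""
        self.heard.add(other.own_ids[epoch])
        other.heard.add(self.own_ids[epoch])

    def report_decentralized(self) -> dict:
        return {"own_ids": set(self.own_ids)}  # only the user's own IDs

    def report_central(self) -> dict:
        # The contacts' codes are sent too, so contact data accumulates on the server.
        return {"own_ids": set(self.own_ids), "contact_ids": set(self.heard)}

    def exposed(self, published_ids: set) -> bool:
        """Decentralized check: runs locally against the downloaded IDs."""
        return bool(self.heard & published_ids)

def simulate() -> dict:
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    alice.meet(bob, epoch=1)  # carol meets nobody
    dec, cen = alice.report_decentralized(), alice.report_central()
    return {
        "bob_exposed": bob.exposed(dec["own_ids"]),
        "carol_exposed": carol.exposed(dec["own_ids"]),
        "decentralized_server_fields": sorted(dec),
        "central_server_fields": sorted(cen),
        "bob_id_on_central_server": bob.own_ids[1] in cen["contact_ids"],
    }

if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

In the decentralized report the server only ever holds the infected user's own IDs, while the central report also places the ID Bob broadcast during the encounter on the server.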

Where are we going?

Around 300 experts and scientists signed an open letter on 19 April warning of the danger of surveillance and misuse of centralized data storage. This letter was obviously the straw that broke the camel’s back and ultimately led to a rethink by the German government. The letter does not explicitly mention PEPP-PT, but with its approach of centralized data storage it is undoubtedly the center of the criticism.

In Germany, the companies SAP and Deutsche Telekom have now been commissioned to develop an anti-corona app. They are to decide which technical concept will be used and to discuss possible interfaces with Google and Apple. The two giants of smartphone software are important and necessary players in terms of app development. Independent of the German approach, they are in close contact with each other to make the different operating systems, Android and iOS, compatible.

The advice of the experts

An example of this is the Bluetooth function, which is not allowed to run freely in the background on iOS, although this is exactly what the anti-corona app needs for its data exchange. In their letter, the scientists and experts clearly plead for a Bluetooth-based solution for the anti-corona app. Without the close involvement of Google and Apple, it will hardly be possible to develop an app that has to run in the background and should achieve the necessary distribution.

The letter also demands that the protocols and their implementations, including all sub-components provided by companies, must be fully transparent and available for public analysis at all times. The entire processing of all data must be clearly documented. Furthermore, the use of such an app should always be on a voluntary basis and with the explicit consent of the user.

Besides the letter, numerous experts are now turning to DP3T, a technology similar to PEPP-PT but decentralized.

I will stay tuned…