SAP and Deutsche Telekom are working at full speed on the German government's Corona Warning App. Data privacy is at the center of the public discussion surrounding the app. Dr. Stefan Pütz, Head of Network & IT Security at Telekom Security, explains what both companies are doing in terms of security for the app.
Dr. Pütz, what is your view on the data privacy discussions surrounding the Corona Warning App? Are they necessary? Or should we just say: let the companies do their thing?
Stefan Pütz: The debate is useful and necessary. Until a vaccine is found, we will be confronted with the virus in all aspects of our lives. And as long as the pandemic is around, a Corona warning app is also a public issue. Large sections of the population should use it. A broad public discourse is therefore in the nature of things. This mirror which we hold up to ourselves is indispensable. It shows us what people find acceptable and what they do not.
What do people find unacceptable?
Stefan Pütz: People don't want to be legally obliged to use the app. They want full protection of their personal rights. And they want a completely trustworthy app. That means: they don't want a tracking app like other countries use them. In these countries, the state determines the user's location via mobile phone cells or GPS. This is particularly unpopular in Germany and it would be a massive violation of data protection laws. This is why Germany is relying on a tracing concept. Tracing means searching for traces. Employees in health authorities are already laboriously trying to research chains of infection by telephone. This costs valuable time. The app does nothing else. It supports the search for traces and because it does this digitally, it is faster. Finally: People also want their identity protected. Disclosing a positive test result to others remains the personal decision of the individual – even with the app.
How are you taking the users’ wishes into account?
Stefan Pütz: With a whole package of measures: First of all, the app will be totally voluntary. Nobody will be forced to use this app. And whoever uses it and then changes their mind, can delete the app and with it all the collected data. Furthermore, this app uses special Bluetooth technology. This technology measures the distance between two smartphones. No one outside of this range is detected. Furthermore, the app does not interfere with our personal rights. It does not warn in real time. It does not flash and does not beep when there is direct contact with somebody who has tested positive for the virus. It informs me later that I have been in the vicinity of an infected user. I cannot trace this contact.
What kind of data does the app-user’s smartphone actually exchange, how does the app work?
Stefan Pütz: The user’s smartphone recognizes all other devices that come within two metres of the user for a certain period of time. In this case, the devices exchange an encrypted code with each other and store it. So our smartphone remembers our contacts for us. If someone tests positive, they can voluntarily indicate this in the app. All mobile phones with the app then receive the code of the infected person. The smartphone automatically checks with the app whether the code appears in the stored contacts. Thanks to encryptions, no one can trace the infected person, nor where and when the contact occurred. The only piece of information I receive is the relevant one: that I had contact with an infected person. Personal data is never collected or processed at any time.
Back to trust: Time and again in the past, security specialists have discovered vulnerabilities in apps. Why should users trust the Corona Warning App?
Stefan Pütz: App security flaws are fundamentally troublesome, of course. But security is also a craft. And that doesn't just mean that you have to know your trade. Above all, it's about transparency. That's why the Federal Office for Information Security and the Federal Data Protection Commissioner for the Corona-Warn-App have been closely involved in the Corona Warning App since the very beginning. We know what this app is all about. We are also ensuring full transparency in the programming. On the public platform Github, every programmer and interested person can get an insight into our work. He can download program code, comment on it, improve it. Critical companions like the Chaos Computer Club are also taking the opportunity to look at the software. This transparency creates trust. We will continue to stick to this approach in the coming weeks.