German COVID-19 app ‘clean’ but still lacks legal basis, experts say

Via Bluetooth, the app will register all instances where users have been close enough to each other to transmit the virus - but only anonymous mobile phone IDs are stored, which are constantly changing. And if someone becomes ill, all risk contacts are warned. EPA-EFE/VALDRIN XHEMAJ

Next week, Germany will present its so-called “Corona-Warn-App,” Health Minister Jens Spahn (CDU) has announced. However, while the public source code seems to be clean, data protection advocates still demand a legal basis. EURACTIV Germany reports.

The soon-to-be-presented “Corona-Warn-App” would work as some sort of contact diary. Via Bluetooth, it will register all instances where users have been close enough to each other to transmit the virus – but only anonymous mobile phone IDs are stored, which are constantly changing. And if someone becomes ill, all risk contacts are warned.

The app’s source code has been public for several weeks now.

While reviewers have given the app good marks, a data protection advocate told EURACTIV Germany in an interview that despite strong IT security, privacy could be defended even better. He is, therefore, calling for it to be regulated by a corona-app law.

EU human rights groups call for COVID-19 app transparency

A cross-section of EU human rights groups have pressed national authorities to provide more information on how citizens’ data will be stored and processed as part of the rollout of coronavirus contact tracing applications across the bloc.

“On a technical level, largely clean”

The first version of the app received praise from the technical side.

There is “nothing that speaks against” installing the app, wrote Fabian Scherschel in his code analysis on In his first analysis, Scherschel found “no obvious security holes and backdoors” and praised the way developers dealt with the feedback from civil society.

Henning Tillmann, co-chair of the association “D64 – Zentrum für digitaler Fortschritt” (and SPD member) also agreed with this analysis and conclusion.

However, some weaknesses were found.

Scherschel, for instance, criticised the app for not being sufficiently checked by automatic tests. While this could be due to the short development time, this still has to be fixed before release in order to quickly eradicate any bugs or overlooked backdoors.

IT security expert Alvar Freude also found a flaw in the databases. Should a hacker penetrate the app, he would have full access rights to the IDs and can publish, delete or manipulate them.

Still, Freude is optimistic that the developers would make improvements in this regard.

In an interview with EURACTIV Germany, he confirmed that his suggestions for improvement had already been taken note of, saying the app is “largely clean on a technical level.”

Germany flips on smartphone contact tracing, backs Apple and Google

Germany changed course on Sunday (26 April) over which type of smartphone technology it wanted to use to trace coronavirus infections, backing an approach supported by Apple and Google along with a growing number of other European countries.

Chancellery Minister Helge …

Data in “code sovereignty” of Apple and Google

Data protection expert Rainer Rehak agrees that the app is “as good as you can make it”. However, the deputy chairman of the “Informatics for Peace and Social Responsibility” emphasised in an interview with EURACTIV Germany that “data security is not equal to data protection.” The former only helps against attacks from outside, he added.

Rehak, however, is concerned about actors who operate inside the app infrastructure, namely Apple and Google. To make the coronavirus app work on their smartphones, they built interfaces between the operating system and the application.

However, the source code for these interfaces, unlike the rest of the app, has not been published. This means that part of the app cannot be tested, which Rehak believes reduces the significance of the code checks.

“It’s not as if the data is uploaded to Google and Apple,” he said, adding that this is because the IDs of infected people are not on their servers – but in the “code sovereignty” of the companies which can determine where data goes by sending it to third parties, for instance.

Apple wins in 'David v Goliath' right to repair battle

Norway’s Supreme Court has upheld a decision by the Court of Appeal, ruling in favour of US tech giant Apple and their claim that an independent smartphone repairer had breached trademark rules by using cheaper repair parts. The decision has sparked an outcry from ‘right to repair’ activists.

Trust is good, law is better?

However, security expert Freude is less concerned about that.

While he recognises the risk of Apple and Google processing the data improperly, he does not believe that the two companies would be interested in doing so. It would be a massive breach of trust, and Google in particular already has much better data sources. “They don’t need to do that at all,” he says.

Nevertheless, just like Rehak, he is calling for the legal protection of users’ data through a corona-app law, which should clearly define what may or may not be done with the data and how this should be guaranteed.

While the Greens and the Left Party (Die Linke) are calling for such a law to be passed, Justice Minister Christine Lambrecht of the Social Democratic Party (SPD) previously said she would not oppose it.

However, SPD digital expert Jens Zimmermann told daily newspaper Frankfurter Allgemeine Zeitung that according to the basic regulation on data protection “no separate legal basis is necessary for voluntary use, as long as it is informed voluntary consent.”

(Edited by Frédéric Simon)

Subscribe to our newsletters