Next week, Germany will present its so-called “Corona-Warn-App,” Health Minister Jens Spahn (CDU) has announced. However, while the public source code seems to be clean, data protection advocates still demand a legal basis. EURACTIV Germany reports.
The soon-to-be-presented “Corona-Warn-App” would work as some sort of contact diary. Via Bluetooth, it will register all instances where users have been close enough to each other to transmit the virus – but only anonymous mobile phone IDs are stored, which are constantly changing. And if someone becomes ill, all risk contacts are warned.
The app’s source code has been public for several weeks now.
While reviewers have given the app good marks, a data protection advocate told EURACTIV Germany in an interview that despite strong IT security, privacy could be defended even better. He is, therefore, calling for it to be regulated by a corona-app law.
“On a technical level, largely clean”
The first version of the app received praise from the technical side.
There is “nothing that speaks against” installing the app, wrote Fabian Scherschel in his code analysis on heise.de. In his first analysis, Scherschel found “no obvious security holes and backdoors” and praised the way developers dealt with the feedback from civil society.
Henning Tillmann, co-chair of the association “D64 – Zentrum für digitaler Fortschritt” (and SPD member) also agreed with this analysis and conclusion.
Ich teile die Analyse. Code ist bis jetzt gut, Dokumentation auch hervorragend. Es spricht nichts gegen eine Installation der #CoronaWarnApp. Ob sie aber was bringt, wissen wir erst im Laufe des Sommers. https://t.co/O9vVy9riXC
— Henning Tillmann (@henningtillmann) June 7, 2020
However, some weaknesses were found.
Scherschel, for instance, criticised the app for not being sufficiently checked by automatic tests. While this could be due to the short development time, this still has to be fixed before release in order to quickly eradicate any bugs or overlooked backdoors.
IT security expert Alvar Freude also found a flaw in the databases. Should a hacker penetrate the app, he would have full access rights to the IDs and can publish, delete or manipulate them.
Still, Freude is optimistic that the developers would make improvements in this regard.
In an interview with EURACTIV Germany, he confirmed that his suggestions for improvement had already been taken note of, saying the app is “largely clean on a technical level.”
Data in “code sovereignty” of Apple and Google
Data protection expert Rainer Rehak agrees that the app is “as good as you can make it”. However, the deputy chairman of the “Informatics for Peace and Social Responsibility” emphasised in an interview with EURACTIV Germany that “data security is not equal to data protection.” The former only helps against attacks from outside, he added.
Rehak, however, is concerned about actors who operate inside the app infrastructure, namely Apple and Google. To make the coronavirus app work on their smartphones, they built interfaces between the operating system and the application.
However, the source code for these interfaces, unlike the rest of the app, has not been published. This means that part of the app cannot be tested, which Rehak believes reduces the significance of the code checks.
“It’s not as if the data is uploaded to Google and Apple,” he said, adding that this is because the IDs of infected people are not on their servers – but in the “code sovereignty” of the companies which can determine where data goes by sending it to third parties, for instance.
Trust is good, law is better?
However, security expert Freude is less concerned about that.
While he recognises the risk of Apple and Google processing the data improperly, he does not believe that the two companies would be interested in doing so. It would be a massive breach of trust, and Google in particular already has much better data sources. “They don’t need to do that at all,” he says.
Nevertheless, just like Rehak, he is calling for the legal protection of users’ data through a corona-app law, which should clearly define what may or may not be done with the data and how this should be guaranteed.
While the Greens and the Left Party (Die Linke) are calling for such a law to be passed, Justice Minister Christine Lambrecht of the Social Democratic Party (SPD) previously said she would not oppose it.
However, SPD digital expert Jens Zimmermann told daily newspaper Frankfurter Allgemeine Zeitung that according to the basic regulation on data protection “no separate legal basis is necessary for voluntary use, as long as it is informed voluntary consent.”
(Edited by Frédéric Simon)