Data Protection in the German Corona-Warn-App: A Statement and our Approval

Since mid-June 2020, the German government’s widely announced Corona-Warn-App (CWA) has been available for download. While the number of downloads has now exceeded 15 million, many data protectionists asked themselves whether the app is really as unproblematic as promised by the developing companies. The security experts of Boxcryptor therefore also took a close look at the code and the functionality of the Corona-Warn-App.

Our result: The app meets the promised data protection standards.

In this article we explain how we came to this statement and clear up any misunderstandings.

The Most Important Facts in Brief

• The Corona-Warn-App is data protection friendly and meets all required standards
• The use is anonymous and voluntary
• The publicly accessible code is well written and transparently communicated (publicly available to check on the developer portal GitHub)
• Health authorities and government agencies have no access to data
• The app does not track your GPS position

How the App Works

Press reports in the run-up to the release of the app repeatedly speculated about an alleged location tracking. But that doesn’t exist. We make it clear: The German Corona-Warn-App doesn’t use GPS tracking and can’t track the movements and whereabouts of its users.

Data exchange works on basis of a Bluetooth signal, which almost every modern smartphone can send out. The Corona-Warn-App uses this signal to transmit randomly generated, anonymous numbers. These are only exchanged between devices within range, only stored locally on the respective devices and automatically deleted after two weeks – provided the respective devices have activated the app.

The numbers used change regularly. Therefore, no number can be assigned to a specific device (or person). In addition to the anonymous ID, the duration of the contact and the approximate distance between the devices is recorded. The latter is not, as often feared, determined via GPS, but by the strength of the Bluetooth signal.

Why Does the Corona-Warn-App Need a Location Share?

This topic mainly concerns Android devices. Although the application doesn’t actually perform GPS localization, its use still requires location sharing. Google justifies this with the mandatory connection of Bluetooth use and location sharing in the operating system – independent of the Corona-Warn-App. This detail had caused uncertainty among many users.

A look at the data protection declaration of the Corona-Warn-App gives the all-clear:

Your smartphone’s location service must be enabled for your device to search for Bluetooth signals from other smartphones. Please note that no location data is collected in this process. (CWA Privacy Statement)

What Happens to Collected Data?

The random ID generated by the app is stored locally on the device that sent or received it. If a user receives a positive test result, the QR code provided with the test result can be read into the app. This doesn’t happen automatically and it’s not mandatory as well.

The app then transmits all the anonymous IDs it has sent over the last 14 days to the server – without allowing any conclusions to be drawn about the identities of infected persons. In this way, a list of IDs belonging to the devices of infected persons is created on the server. All Corona-Warn-Apps compare this list once a day with the locally stored IDs. In this way, each device determines whether it has had contact with a device in the past 14 days in which a positive test result was entered.

If contact with a positively tested ID is recognized, a warning – including a risk assessment – is issued within the Corona-Warn-App. The duration and estimated proximity of the contact are taken into account for the assessment. Particularly in the case of fleeting contacts (e.g. in a supermarket or train), it’s therefore neither possible nor necessary to assign the infection to a specific person.

Stefan Wollny, VP Engineering at Boxcryptor summarizes:

The architecture of the app is very smart, the developers get a lot out of it, but almost without collecting any data.

How Reliable is Bluetooth Low Energy?

The Corona-Warn-App does not rely on the classic Bluetooth standard for data transmission, but on the more modern Bluetooth Low Energy (BLE, for a more detailed report on the development of the technology we recommend this article over at The Verge).

BLE consumes significantly less power than conventional Bluetooth connections, which is why the Corona-Warn-App is particularly resource-saving. But there are two additional advantages from a data protection perspective: First, the amount of transferable data is significantly lower. Secondly, the range is 10 meters at most.

For distance measurement, which is part of the risk calculation, the distance between the devices is estimated by measuring the strength of the signals received. Although this technique allows anonymous distance measurement without GPS, it is dependent on many external factors and is therefore prone to error. In addition, the app doesn’t collect data permanently, but checks the environment at intervals to conserve the devices’ batteries. Overall, about 80 percent of the encounters are “correctly” recognized, as TechXplore reports.

Problems with the use of BLE also arise with older smartphones whose chips do not support the new standard. Does this make the app too error-prone to be effective? Probably not. Because the goal of the app is to capture enough positive cases and contacts – not all. The Corona-Warn-App supports the process of retroactive contact tracking, because in everyday life it is difficult to reliably remember all encounters of the past two weeks. Warnings can therefore be transmitted quickly, reliably and efficiently using the CWA.

Data Protection and Data Access

Data protection organizations warned that it would reduce the acceptance of the app if authorities such as health authorities were to be given access to the data. This concern is unfounded: Due to the decentralized storage of the anonymous IDs and contact information (duration and distance between the devices) on the respective end devices, there can be no access to the (already very few) data.

A sign for good data protection of the Corona-Warn-App is the lack of criticism from net-political organizations, among them the Chaos Computer Club (CCC). Usually, the CCC does not skimp on criticism, because their experts always uncover shortcomings. But not in this case: Although the CCC does not make any recommendations for certain programs, no reservations were expressed to the CWA. This is synonymous to high praise.

IDs that have been “positively tested” are only made available anonymously with the consent and active, voluntary assistance of the tested person. The comparison of IDs is again carried out by the individual devices. The feared follow-up of a “positive contact” by authorities therefore neither takes place nor is it technically possible.

What Should I Do if the Corona-Warn-App Issues a Warning?

First of all, you should again consider what the warning actually means: You have been within Bluetooth range of a person who has been tested positive for the corona virus within the last 14 days. The duration and (estimated) distance of the contact are displayed and help you to better assess your personal risk.
On this basis, you now have the opportunity to decide for yourself whether you wish to be tested. However, a warning in the app is neither a positive result nor a commitment to a test. In fact, the probability of an infection is very low for most of the contacts displayed.

Important: Please do not go to a test site without being asked – even if the Corona-Warn-App should indicate an increased risk level. The first contact should always be calling a doctor’s practice or the medical on-call service. During this first contact they will provide you with detailed information about the test, procedure, and duration.

The Corona-Warn-App Is Voluntary, But Important

The two central pillars of the Corona-Warn-App are:

1. voluntariness
2. appeal to conscientious behavior

The strength of the app depends mainly on its distribution. The aim is not to detect all infections, but to facilitate the tracing of individual infection chains. The app also simplifies personal risk assessment.

Secure to Use, But Not Perfect

To sum it up, it can be said that the Corona-Warn-App is secure and safe to use from a data protection point of view. All important data protection measures have been taken and no more information than absolutely necessary is transmitted.
However, the app is not perfect: technical problems such as the lack of support for older operating systems and difficult to understand error messages are still annoying users. How they can deal with them is explained in this article from Stern magazine (German).

Our Recommendation

This is what Christian Olbrich, expert for data security at Boxcryptor, thinks about the Corona-Warn-App:

Here we have a way to control the spread of the coronavirus even better, with virtually no extra effort. This is unique in history.

At this point, Boxcryptor’s data security experts give the green light to use the German Corona-Warn-App.

Please consider sharing this article. Every additional user makes the Corona-Warn-App even more effective.

We wish you all the best and hope that you stay healthy during the corona time.

Download the app directly:

• App Store (Apple, iOS)
• Google Play Store (Android)