Data privacy fears emerge as German contact-tracing app downloaded 6.5 million times in first day

After what is thought by many to have been an excessive time lag in appearing, after reports of technical hitches and changes in development strategy, one of Europe’s leading economies has at last launched its Covid-19 contact-tracing app, but has almost immediately sparked privacy fears – not the UK, as should have been the case, but instead Germany.

Yet for all of the concerns, what cannot be denied, and very much putting the UK app development programme to shame, is the app is very much out there in the country, with reports from the Reuters news agency saying it was downloaded 6.5 million times within 24 hours of its launch on 15 June.

The Corona-Warn-App was developed in close cooperation between SAP and Deutsche Telekom, as well as other partners. The app is based on technologies with a decentralised approach and development of the program code was continuously visible on the GitHub development platform so that experts and the public alike were able to track the state of development at any time.

The Coronavirus warning app is the largest open source project ever implemented in Germany on behalf of the federal government, and the German authorities have spent a long time developing the app. Its development path, however, has been every bit as convoluted as the situation in the UK, among other countries. Up until late April 2020, the German government supported the Pan-European Privacy-Preserving Proximity Tracing (Pepp-PT) protocol developed by organisations including German health agency the Robert Koch Institute.

Yet controversially, in May 2020, the government of Angela Merkel announced that it would abandon its previous plan to launch an app based on the Pepp-PT protocol in favour of a solution based on the application programming interface (API) of Google and Apple, which was first publicised in April 2020. The move is said to be partly attributable to worries about privacy of the Pepp-PT approach which uses a centralised data model – as favoured by European health agencies, in particular the NHS in the UK and those in France – and the American companies’ decentralised model of operation. The German authorities added that going down the Apple and Google route would lead to a quicker launch.

Fundamentally, the app notifies users if they have been exposed to Covid-19 by alerting them if they have been within less than two metres for more than 15 minutes of someone registering as being infected. In practice, the Corona-Warn-App uses an exposure notification framework based on the Apple and Google technology on a mobile device, broadcasting a rolling proximity identifier, while also regularly scanning for identifiers of other phones using Bluetooth Low Energy technology and storing the identifiers locally. The identifiers are only valid for 10-20 minutes and are derived cryptographically from temporary keys which change every 24 hours.

Users with Covid-19 symptoms can communicate test results, retrieved by using a QR code offered by some but not all German health providers, and in the case of a positive test result, users are asked to voluntarily upload their temporary keys from up to the past 14 days to the server. To prevent misuse, the Corona-Warn-App back end first verifies the positive test result. If confirmed, the server adds the user’s keys to the Covid-19 confirmed list, which is regularly broadcasted to all apps.

After a mobile device has downloaded the list of all available keys of users that have tested positive, the app’s exposure notification framework derives the corresponding identifiers and checks locally if any of these match the locally collected rolling proximity identifiers. In case of exposure, the risk is assessed, and the user receives corresponding instructions.

“With the Corona warning app, we are showing how digital solutions ‘Made in Germany’ can be developed in partnership, even under challenging conditions – and at the same time quickly and safely for millions of private users,” commented Adel al-Saleh, Deutsche Telekom board member and CEO of T-Systems.

“In the closest collaboration, the project team has developed an app in record time that will help us break through coronavirus infection chains,” added Jürgen Müller, chief technology officer and board member of SAP. “The commitment to the open source platform GitHub is outstanding and bears a clear witness to a vibrant software engineering culture in Germany. Now it’s important that as many people as possible use the app.”

Yet already there have been concerns about data privacy. The Financial Times has reported that Germany’s data commissioner, Ulrich Kelber, who supervised the development of the technology, said that while he saw no reason to advise against downloading the Bluetooth-based app, adjustments must be made “as quickly as possible”.

Of particular concern, he added, was the requirement for many users to call a hotline to confirm a positive Covid-19 test, or to request help with using the app, thus compromising their anonymity.