About this App and its creators
Name of the App
- Corona-Warn-App
Short description of the App
- COVID-19 contact tracing app in Germany
Icon of the App
Languages supported by the App
- de
- en
- tr
URL of the App on iTunes
- https://apps.apple.com/de/app/corona-warn-app/id1512595757
URL of the App on Google Play
- https://play.google.com/store/apps/details?id=de.rki.coronawarnapp
Website of the App in English
- https://www.coronawarn.app/en/
Website of the App in the local language (if applicable)
- https://www.coronawarn.app/de/
What’s the region and purpose of the app (for one-line overview)
- Contact tracing for Germany
What are the main features of the App? How are these features intended to help with fighting the disease?
- contact-tracing
- labresults-notification
Who develops the App?
- sap
Who operates the App?
- t-systems
Who sponsors the App?
- robert-koch-institut
Who governs the App?
- robert-koch-institut
What third-party Service Providers are used for the App?
- No third-party services are used. Source: [backend-infrastructure], checked on 2020-07-26
- The hosting platform, software components and services used by the App Creators, together with their configuration, are documented. Source: [backend-infrastructure], checked on 2020-07-26
- The App Developers also list the third-party software components used in the App as part of their documentation. Source: [android-architecture], checked on 2020-07-26 Source: [ios-architecture], checked on 2020-07-26
Are all Service Providers under legal obligations consistent with the needs of the App? This may particularly be an issue if a Service Provider is subject to a different jurisdiction than the App Creators or App Users, or if the Service Provider can be legally compelled in their jurisdiction to break their obligations to stakeholders of the App.
- Not known.
Stated goals of the App
What are the stated goals of the App?
- “The Corona-Warn-App is an app that helps trace infection chains of SARS-CoV-2 (which can cause COVID-19) in Germany. The app is based on technologies with a decentralized approach and notifies users if they have been exposed to SARS-CoV-2. Transparency is key to both protect the app’s end-users and to encourage adoption.” Source: [website], checked on 2020-07-26
Side effects of the App
Are there any other goals, not stated by the App Creators, that they are known to also accomplish with this App, or that they could also accomplish with this App in the future?
- None known.
Are there any other goals that others (not App Creators) could also accomplish because this App exists, or is used by certain Users?
- None known.
Are there notable side effects in the use of this App?
- Reduced battery life of smart phones; assumed to be minor. Source: [technical-analysis], checked on 2020-07-26
App users
Social context of using the App
Is usage of the App required under some circumstances? If so, by whom? What are the consequences of not using it?
- Not required. The German government explicitly discourages requiring the App for other purposes. Source: [govt-faq-pdf], checked on 2020-07-26
Are there non-trivial incentives (e.g. financial, access) for using the App? Are there social pressures to use the App?
- None.
Is a minimum penetration of App usage required in some population before the App can start to be effective?
- Presumably the number of concurrent App Users in a certain region must be a significant percentage of people in that area. This is true for all technical approaches to contact tracing.
Are there social pressures on the App User resulting from the use of the App, or from information shown by the App? (E.g. if the App indicates that the App User has likely been infected.)
- None known.
Are there social pressures on anybody resulting from information shown by the App run by another App User? (e.g. pressures on an App User’s family or friends if the App identifies the App User as likely infected)
- None known.
Is the App available in all languages and localizations most appropriate for the intended App User population?
- Yes.
Operations
Describe the principle of operation
- Each App Instance generates Rolling Proximity Identifiers (our term: Contact IDs), which change every 10-20 minutes and, due to the use of cryptographic techniques, cannot be predicted or correlated by anybody other than the generating smartphone itself. Source: [technical-solution-architecture], checked on 2020-07-26
- These Contact IDs are broadcast, and recorded by App Instances within Bluetooth Low Energy (BLE) transmission range. In addition, the date (but not the hour) and the duration of the exposure are recorded, as well as the RSSI; the duration is bucketized into 5-minute intervals and capped at 30 minutes. Source: [technical-solution-architecture], checked on 2020-07-26
- The Contact IDs of an App User are derived from a “Temporary Exposure Key” that is specific to the App User and automatically changes every 24 hours. “Temporary Exposure Keys” remain private on the App User’s smartphone until and unless the App User has tested positive, and chosen to upload them to the Cloud Component. Source: [technical-solution-architecture], checked on 2020-07-26
- Labs testing for COVID-19 provide App Users who have tested positive with a verification code that represents them having tested positive. This code may be conveyed as a QR code, which the App User can scan in the App. Source: [technical-solution-architecture], checked on 2020-07-26
- There is an alternative to the QR-code-based process by which public health authorities reach out to App Users with positive test results and provide the verification code over the phone. Source: [technical-solution-architecture], checked on 2020-07-26
- Once the App Instance has been provided with the verification code for a positive test, the App offers to transmit up to 14 days of the App Instance’s “Temporary Exposure Keys” (now called “Diagnosis Keys”) to the Cloud Component. Source: [technical-solution-architecture], checked on 2020-07-26
- On a periodic basis, all App Instances download all uploaded “Temporary Exposure Keys” from all App Users that have tested positive and have chosen to upload their “Temporary Exposure Keys”, re-compute all Contact IDs the infected App User would have broadcast during the time span in question, and compare them with the Contact IDs that were recorded on their smartphone. Source: [technical-solution-architecture], checked on 2020-07-26
- If there is a match, the App User is notified by the App that they were exposed. Source: [technical-solution-architecture], checked on 2020-07-26
- The App calculates an individualized risk score based on data elements such as duration of exposure. Parameters for the calculation are provided (and can be updated) by the App Funder through a web services API. Source: [technical-solution-architecture], checked on 2020-07-26 Source: [epidemiological-motivation], checked on 2020-07-26
Usage metrics
- 16 million downloads. Source: [update-corona-warn-app], checked on 2020-07-26
Effectiveness metrics against the disease
Privacy
Can identities of App Users be tied to, or can they be correlated to specific individuals, and if so, by whom?
- No. Source: [pruefsteine], checked on 2020-07-26
How are new App Users onboarded on the App? What information do they need to provide to be able to use the App?
- The App User downloads the App from an App Store. When started for the first time, the App User needs to consent to the App’s terms. No other information needs to be provided by the App User. Source: [scoping], checked on 2020-07-26
How long is collected data retained, and where?
- Received Contact IDs are retained for 2 weeks on the Smartphone Component and then deleted. Uploaded “Diagnosis Keys” are retained for 2 weeks on the Cloud Component and then deleted. Source: [technical-solution-architecture], checked on 2020-07-26
- Test-related data is deleted after 12 days. Source: [privacy-policy], checked on 2020-07-26
Are any Backups being made whose retention is longer than the declared Data Retention Period? How is it guaranteed that Backups are deleted on time?
- Not known.
Has a Privacy Impact Assessment been performed, and if so, where can it be obtained? Which recommendations have been implemented, and which not? If no such assessment has been performed, why not?
- Yes (in German). Source: [cwa-datenschutz-folgenabschaetzung], checked on 2020-07-26
- There is a separate security assessment. Source: [overview-security], checked on 2020-07-26
Is the App compliant with local regulations on privacy, in particular on privacy of health-related information?
- Yes: complies with GDPR. Source: [privacy-policy], checked on 2020-07-26 Source: [cwa-datenschutz-folgenabschaetzung], checked on 2020-07-26
Is the App consistent with global best practices on privacy, in particular on privacy of health-related information?
- Yes: the GDPR is currently global best practice on privacy, and the App complies with it.
What assurances exist that the App will be shut down promptly when appropriate (e.g. when the pandemic has passed, or better approaches for combating the disease have been found)?
- The legal framework for the App requires that the functions of the App are necessary and proportionate. Source: [cwa-datenschutz-folgenabschaetzung], checked on 2020-07-26
Is any data collected by the App transmitted beyond the App? If so:
- Who is the receiver of the data?
- What is the data that is being transmitted?
- What are the terms under which the data is transmitted, and what are the safeguards that guarantee the terms are not being violated?
- Can the transmitted data be correlated by the receiver with other data they may have or may be able to obtain?
- N/A: The data collected by the App is not meaningful beyond the App.
Is any data imported by the App from other sources? If so:
- N/A
Is there a Privacy Policy, and if so, what type of privacy policy is it?
- privacy-policy
- privacy-policy-specific
If there is a privacy policy, where can it be found, and how loose/airtight is it?
- The privacy policy is detailed and comprehensive. Source: [privacy-policy], checked on 2020-07-26
Retention
Is data not required any more for the stated goals promptly deleted?
- N/A
Security
What technical approaches (e.g. cryptography) does the App use to protect all aspects of the App (e.g. confidential information, operational integrity) from Attackers?
- On the Smartphone Component, the App uses the secure storage facilities provided by the Apple / Google Exposure Notification framework. On the Cloud Component, all data is stored in segregated services. No personal data is collected. Source: [solution-architecture], checked on 2020-07-26
How is Data At Rest being secured? Discuss all locations at which Data At Rest exists.
- All Contact IDs that were recorded, as well as all Contact IDs that were broadcast together with all relevant key material, are stored “in the secure storage of the framework provided by Apple and Google. The application cannot access this secure storage directly.” Source: [technical-solution-architecture], checked on 2020-07-26
How is Data In Motion being secured? Discuss all transfers between locations at which Data At Rest exists.
- All communications use HTTPS. The App was engineered to avoid using a third-party notification framework for notifying App Users of test results, in order to not leak the information that a given App User has taken a test. Source: [technical-solution-architecture], checked on 2020-07-26
If an App User’s unlocked mobile phone is stolen, what is the maximum impact of the breach on the App User, other App Users, third parties including the App system itself, and effectiveness against the disease?
- Owners of stolen phones cannot notify past contacts in case of a later infection, nor can they be notified that a contact was infected.
How are the operations of the App monitored with respect to attempted, or successful, Attacks?
- Multi-level strategy. Source: [overview-security], checked on 2020-07-26
What operational approaches does the App use to protect all aspects of the App (e.g. requiring two-factor authentication, approval of commits by a second person) from Attackers?
- Not needed for the Smartphone Component. Multi-level strategy for the Cloud Component. Source: [overview-security], checked on 2020-07-26
What are the operational procedures for access to highly privileged credentials (e.g. server or encryption root keys)?
- Not known.
Can App Users verify their build of the App (e.g. using technologies such as Reproducible Builds)?
- No.
Has a process been defined for reporting and responding to a security breach? If not, why not?
- None known.
Which entities are required to be trusted by App User to not cause or prevent adverse effects against them?
- The App Creators, and the smartphone hardware/operating system providers.
Have there been any reports on attempted or successful attacks on the integrity of any aspect of the App? Do the App Creators report on such attempted or successful Attacks? If not, why not?
- None known.
Are there any reports on attempted or successful correlation of any of the data handled by the App with data from outside the App, or any attempted or successful Re-identification of anonymized or pseudonymized data?
- None known.
Are there any reports on attempted or successful Data Poisoning of some of the data handled by the App?
- None known.
Has an independent security review been performed, and if so, where can it be obtained? Which recommendations have been implemented, and which not? If no such independent review has been performed, why not?
- Various related activities have been performed by the App Creators themselves. Source: [overview-security], checked on 2020-07-26
What are the procedures and requirements for eligibility of any App Creator employees or contractors to participate in any aspect of the development, operations or governance of the App?
- Not known.
User education, consent, support and agency
- App Users can deactivate and delete their App Instance on the Smartphone Component.
If the source code is available, under which license is it available?
- Apache 2.0
How do new App Users discover, and obtain access to the App?
- The German government performed a marketing campaign to educate the public.
How is user support handled?
- The App lists a support telephone number.
How is the user experience, user understanding, and technical performance of the App being monitored in the field?
- User studies were performed prior to release. The App Operator performs technical monitoring.
Can App Users request a copy of the data that has been retained about them? Is the process simple and quick? Is the obtained data easy to understand, verify and use?
- N/A. No identifiable data is retained by anybody beyond the data related to the COVID-19 testing process, which would exist regardless of the existence or usage of the App.
Can previous App Users request a permanent deletion of the data collected about them? Is the process simple and quick?
- N/A
Can App Users request a correction of data about them? Is the process simple and quick?
- N/A
Can parents or guardians act on behalf of their children in all aspects of the App?
- The App makes no distinction between adult and minor users. No parental consent, or withdrawal of consent, is supported. Source: [ui-screens], checked on 2020-07-26
- The target user is at least 16 years old. Source: [privacy-policy], checked on 2020-07-26
Is there an effective complaint process by which App Users can raise issues with the App, or issues with the impact of the use of the App has on them? (not bugs, not technical issues; that is handled in the support question)
- The entire development process is performed publicly on Github. The App Creators have publicly encouraged contributions. Raised issues have generally been responded to by the App Developers. Source: [github-documentation-issues], checked on 2020-07-26
Are App Users being educated about what it means to use the App, and give their informed consent prior to using the App?
- Yes. Source: [ui-screens], checked on 2020-07-26
If the App performs several distinct functions, can the App User opt-in to some and opt-out of others?
- App Users can deactivate the Apple-Google Notification Framework, which disables contact tracing. App Users can opt out of electronic notification of their lab test results by not using the QR code provided by the lab. Source: [technical-solution-architecture], checked on 2020-07-26
Usability
Are the user-facing components of the App built in a way that minimizes potential user mistakes that could be detrimental towards effectiveness or avoidance of risks and harms for themselves and others?
- The user interface appears straightforward and understandable. The App Creators report that “We conducted usability tests with representative user groups and … Apple and Google were involved to optimize the design for iOS and Android usage.” Source: [ui-screens], checked on 2020-07-26
Is the App accessible?
- Default OS features for accessibility.
Managed or processed data
What data does the App handle? Where in the Architecture is which data stored or processed? Is all data handled by the App strictly required for the stated goals?
- Permission to use the Exposure Notification framework. Source: [pruefsteine], checked on 2020-07-26
- QR code scan during testing. Source: [pruefsteine], checked on 2020-07-26
- TeleTAN in case of hotline-based result verification. Source: [pruefsteine], checked on 2020-07-26
- Consent to upload daily diagnosis keys. Source: [pruefsteine], checked on 2020-07-26
Federation with other Apps
Is the App a standalone system (“stovepipe”) or is it intended to be used in Federation with other Apps created by others? If so, what are the supported Federation technologies (e.g. protocols/standards), operations and governance?
- Not available so far. Source: [solution-architecture], checked on 2020-07-26
Service Providers used with the App
Protocols
What are the key non-standard communication protocols the App uses? Explain. (These are highly dependent on the App’s features.)
- Communication between the Smartphone Component and the Cloud Component is entirely via HTTPS, without the use of third-party services. Source: [solution-architecture], checked on 2020-07-26
Technology
What Architecture does the App use?
- architecture-smartphone-cloud
Is source code of the App available?
- source-licensing-open
What kind of Cloud Component does the App use?
- cloud-only-operator
What approach does the App take to contact tracing? (If it does)
- contact-tracing-apple-google
Is the App based on anonymous, pseudonymous, or fully identified App Users?
- userid-anonymous
Governance
How are decisions made about technology and operations of the App?
- Decisions are made by the App Creators and publicly documented. Source: [github-documentation-issues], checked on 2020-07-26
How are decisions made about governance of the App?
- Not known. However, the past decision-making process has been documented. The names, roles and affiliations of key team members have been published. The privacy assessment will again be updated within 3 months. Source: [cwa-datenschutz-folgenabschaetzung], checked on 2020-07-26
Is there a public roadmap for the App, and if so, where can it be found?
- The published roadmap appears to have been delivered on. A wishlist for future features is available; the public can contribute. Source: [wishlist], checked on 2020-07-26
Is there a whistleblower process for people involved in any aspect of the development, operation, or governance of the App? If not, why not?
- None known.
Should assertions by App Creators prove to be false, or their behavior to be negligent, what are the remedies available to App Users?
- Legal steps within the German legal system.
Is the entire process of App development and operations publicly documented?
- Development: yes. Operations: partially.
Validation by third parties
Which third parties have researched the effectiveness of this App against the disease? Are their reports publicly available, and if so, where?
- Not known.
Which third parties have researched the potential downsides or risks of this App? Are their reports publicly available, and if so, where?
- Not known.
Has any third-party audit been performed of the App? Who performed the audit, are their reports publicly available, and if so, where?
- Not known.
Are any major discrepancies known between self-assertions by the App Creators and Inference or Audits by third parties?
- Not known.
Are all relevant technologies, processes, governance and their internal and public documentation periodically and timely updated?
- The documentation of the App is extensive and appears comprehensive.
Audits
Source code
If source code is available, where can it be found?
- Source code for all components is on Github: https://github.com/corona-warn-app
Other notes
Any other notes that may be of interest
- The App Creators commissioned some experiments about actual transmission risk from which key parameters were derived. Source: [api-testing], checked on 2020-07-26
Disclaimer and open issues that do not fit into any of the other questions.
- Please note the general disclaimer. We appreciate feedback and corrections.
Sources
List the information sources used for this assay, plus URL and whether they are self-asserted vs inferred vs from an Audit.
- App website (self-assertion) [website]
- Corona-Warn-App Frequently asked questions Website (self-assertion) [govt-faq-website]
- Corona-Warn-App F.A.Q. PDF (self-assertion) [govt-faq-pdf]
- Wie funktioniert und was kann die Corona-Warn-App (self-assertion) [govt-info]
- Corona-Warn-App: der Baukasten für Unterstützerinnen und Unterstützer (self-assertion) [govt-mediakit]
- App Assay: technical analysis (inference) [technical-analysis]
- Pruefsteine (self-assertion) [pruefsteine]
- UI Screens (self-assertion) [ui-screens]
- Github Issues on Documentation (self-assertion) [github-documentation-issues]
- Bericht zur Datenschutz-Folgenabschätzung für die Corona-Warn-App der Bundesrepublik Deutschland (self-assertion) [cwa-datenschutz-folgenabschaetzung]
- Privacy notice Corona-Warn-App (self-assertion) [privacy-policy]
- Technical Solution Architecture (self-assertion) [solution-architecture]
- Epidemiological Motivation of the Transmission Risk Level (self-assertion) [epidemiological-motivation]
- Architecture Corona Warn App Mobile Client - Android (self-assertion) [android-architecture]
- Architecture Corona Warn App Mobile Client - iOS (self-assertion) [ios-architecture]
- German Corona Warn App (CWA) Backend Infrastructure Architecture Overview (self-assertion) [backend-infrastructure]
- How does the Corona-Warn-App identify an increased risk? (self-assertion) [increased-risk]
- Google Exposure Notification API Testing (self-assertion) [api-testing]
- Overview Security (self-assertion) [overview-security]
- Scoping document (self-assertion) [scoping]
- Community Wishlist (inference) [wishlist]
- Corona-Warn-App has always worked (self-assertion) [update-corona-warn-app]
Rating
Ratings by self, third parties and any audit for the effectiveness of the App
- self-green
- others-green
Explanatory comments for the rating of the effectiveness of the App
The App implements global best practices as they are known today, specifically:
- Use of operating-system level Bluetooth Low Energy (BLE) contact tracing, for 24x7 operation
- Use of statistical techniques and continually updated model parameters for best-available risk score.
Ratings by self, third parties and any audits for the avoidance of potential risks and downsides of the App
- self-green
- others-green
Explanatory comments for the rating of the avoidance of potential risks and downsides of the App
- The amount of information available about the App, its technology and operations follows global best practices. No significant downsides or risks for App Users are known.
Issue a recommendation to App Users
- While the ultimate usefulness of electronic contact tracing in fighting the disease has not been established (yet?), we see no significant reasons not to use this App: in the best case it will make a significant difference against COVID-19; in the worst case, it reduces the battery life of smartphones by a small amount.
Recommendations to the App Creators
- The documentation could be further improved on the following subjects:
  - Day-to-day operations (e.g. backups, server maintenance, application-level disaster recovery)
  - Vetting of the people (employees, contractors) involved (e.g. background checks)
- Governance of all aspects of development and operations of the App could be further improved by establishing an independent oversight board with a significant number of members from civil society groups, minorities and the like.
- Publish metrics on a regular basis (e.g. number of users, contacts tracked, etc.)