Stated goals of the App
“The Corona-Warn-App is an app that helps trace infection chains of SARS-CoV-2 (which can cause COVID-19) in Germany. The app is based on technologies with a decentralized approach and notifies users if they have been exposed to SARS-CoV-2. Transparency is key to both protect the app’s end-users and to encourage adoption.” Source: [website], checked on 2020-07-26
Side effects of the App
- Are there notable side effects in the use of this App?
- Reduced battery life of smartphones; assumed to be minor. Source: [technical-analysis], checked on 2020-07-26
Social context of using the App
Is usage of the App required under some circumstances? If so, by whom? What are the consequences of not using it?
- Presumably the number of concurrent App Users in a certain region must be a significant percentage of people in that area. This is true for all technical approaches to contact tracing.
Are there social pressures on anybody resulting from information shown by the App run by another App User? (e.g. pressures on an App User's family or friends if the App identifies the App User as likely infected)
Each App Instance generates Rolling Proximity Identifiers (our term: Contact IDs), which change every 10-20 minutes and, due to the use of cryptographic techniques, cannot be predicted or correlated by anybody other than the generating smartphone itself. Source: [technical-solution-architecture], checked on 2020-07-26
These Contact IDs are broadcast, and recorded by App Instances within Bluetooth Low Energy (BLE) transmission range. In addition, the date (but not the hour) of the exposure, its duration (bucketized into 5 min intervals and capped at 30 min) and the received signal strength (RSSI) are recorded. Source: [technical-solution-architecture], checked on 2020-07-26
The Contact IDs of an App User are derived from a “Temporary Exposure Key” that is specific to the App User and automatically changes every 24 hours. “Temporary Exposure Keys” remain private on the App User's smartphone until and unless the App User has tested positive, and chosen to upload them to the Cloud Component. Source: [technical-solution-architecture], checked on 2020-07-26
Labs testing for COVID-19 provide App Users who have tested positive with a verification code that represents them having tested positive. This code may be conveyed as a QR code. This QR code can be scanned by the App User in the App. Source: [technical-solution-architecture], checked on 2020-07-26
There is an alternative to the QR-code-based process by which public health authorities reach out to App Users with positive test results and provide the verification code over the phone. Source: [technical-solution-architecture], checked on 2020-07-26
Once the App Instance has been provided with the verification code for a positive test, the App offers to transmit up to 14 days of App Instance's “Temporary Exposure Keys” (now called “Diagnosis Keys”) to the Cloud Component. Source: [technical-solution-architecture], checked on 2020-07-26
On a periodic basis, all App Instances download all uploaded “Temporary Exposure Keys” from all App Users that have tested positive and have chosen to upload their “Temporary Exposure Keys”, re-compute all Contact IDs the infected App User would have broadcast during the time span in question, and compare them with the Contact IDs that were recorded on their own smartphone. Source: [technical-solution-architecture], checked on 2020-07-26
If there is a match, the App User is notified by the App that they were exposed. Source: [technical-solution-architecture], checked on 2020-07-26
The App calculates an individualized risk score based on data elements such as duration of exposure. Parameters for the calculation are provided (and can be updated) by the App Funder through a web services API. Source: [technical-solution-architecture], checked on 2020-07-26 Source: [epidemiological-motivation], checked on 2020-07-26
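The key-to-Contact-ID derivation and the local matching step described above, as an added example that is not CWA code: a stand-in HMAC-based PRF (labelled in the code; the real Exposure Notification framework uses HKDF and AES-128) replaces the framework primitive, and the keys, dates and interval numbers are constructed. It shows why the Cloud Component never needs to see recorded contacts, and why a stranger's Contact IDs stay unlinkable.

```python
import hmac
import hashlib
from datetime import date

# Added example of the decentralized matching flow described above (not CWA code).
# Assumption: HMAC-SHA256 truncated to 16 bytes stands in for the framework's
# HKDF + AES-128 derivation; the data flow, not the primitive, is the point.

INTERVALS_PER_KEY = 144   # a daily Temporary Exposure Key covers 144 ten-minute intervals
MAX_DURATION = 30         # recorded exposure duration is capped at 30 minutes ...
BUCKET = 5                # ... and rounded down to 5-minute buckets

def contact_id(tek: bytes, interval: int) -> bytes:
    """Rolling Proximity Identifier ("Contact ID") broadcast during one interval."""
    rpik = hmac.new(tek, b"EN-RPIK", hashlib.sha256).digest()[:16]
    data = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(rpik, data, hashlib.sha256).digest()[:16]

def contact_ids_for_key(tek: bytes, key_start: int) -> list:
    """All Contact IDs one daily key yields; only the key holder can compute these."""
    return [contact_id(tek, key_start + j) for j in range(INTERVALS_PER_KEY)]

def record_contact(store: dict, cid: bytes, day: date, minutes: int) -> None:
    """What the receiving phone keeps: the ID, the date (no hour) and a bucketed duration."""
    store[cid] = (day, min(MAX_DURATION, (minutes // BUCKET) * BUCKET))

def match(diagnosis_keys: list, store: dict) -> list:
    """Run locally after downloading Diagnosis Keys: recompute every ID and compare."""
    hits = []
    for tek, key_start in diagnosis_keys:
        for cid in contact_ids_for_key(tek, key_start):
            if cid in store:
                hits.append(store[cid])
    return sorted(hits)

def demo() -> list:
    # Constructed keys and interval numbers; interval 2_657_000 falls in mid-2020.
    infected_tek, stranger_tek = bytes(range(16)), b"\xaa" * 16
    day_start = 2_657_000
    store = {}
    record_contact(store, contact_id(infected_tek, day_start + 30), date(2020, 7, 20), 17)
    record_contact(store, contact_id(infected_tek, day_start + 90), date(2020, 7, 20), 45)
    record_contact(store, contact_id(stranger_tek, day_start + 31), date(2020, 7, 20), 60)
    # The Cloud Component only distributes keys that positive-tested users chose to upload.
    return match([(infected_tek, day_start)], store)
```

The stranger's recorded contact never matches because their daily key was never uploaded, and nothing in the store lets an observer link the two infected-user IDs to each other without the key.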
16 million downloads. Source: [update-corona-war-app], checked on 2020-07-26
Effectiveness metrics against the disease
The App User downloads the App from an App Store. When started for the first time, the App User needs to consent to the App's terms. No other information needs to be provided by the App User. Source: [scoping], checked on 2020-07-26
Received Contact IDs are retained for 2 weeks on the Smartphone Component and then deleted. Uploaded “Diagnosis Keys” are retained for 2 weeks on the Cloud Component and then deleted. Source: [technical-solution-architecture], checked on 2020-07-26
Test-related data is deleted after 12 days. Source: [privacy-policy], checked on 2020-07-26
Has a Privacy Impact Assessment been performed, and if so, where can it be obtained? Which recommendations have been implemented, and which not? If no such assessment has been performed, why not?
Yes (in German). Source: [cwa-datenschutz-folgenabschaetzung], checked on 2020-07-26
There is a separate security assessment. Source: [overview-security], checked on 2020-07-26
Is the App compliant with local regulations on privacy, in particular on privacy of health-related information?
Is the App consistent with global best practices on privacy, in particular on privacy of health-related information?
Yes: the GDPR is currently global best practice on privacy, and the App complies with it.
What assurances exist that the App will be shut down promptly when appropriate (e.g. when the pandemic has passed, or better approaches for combating the disease have been found)?
The legal framework for the App requires that the functions of the App are necessary and proportionate. Source: [cwa-datenschutz-folgenabschaetzung], checked on 2020-07-26
- Who is the receiver of the data?
- What is the data that is being transmitted?
- What are the terms under which the data is transmitted, and what are the safeguards that guarantee the terms are not being violated?
- Can the transmitted data be correlated by the receiver with other data they may have or may be able to obtain?
Is any data imported by the App from other sources? If so:
Can identities of App Users be tied to, or can they be correlated to specific individuals, and if so, by whom?
User education, consent, support and agency
The German government performed a marketing campaign to educate the public.
App Users can deactivate the Apple-Google Notification Framework, which disables contact tracing. App Users can opt out of electronic notification of their lab test results by not using the QR code provided by the lab. Source: [technical-solution-architecture], checked on 2020-07-26
The App lists a support telephone number.
How is the user experience, user understanding, and technical performance of the App being monitored in the field?
User studies were performed prior to release. The App Operator performs technical monitoring.
Can App Users request a copy of the data that has been retained about them? Is the process simple and quick? Is the obtained data easy to understand, verify and use?
N/A. No identifiable data is retained by anybody beyond the data related to the COVID-19 testing process, which would exist regardless of the existence or usage of the App.
Can previous App Users request a permanent deletion of the data collected about them? Is the process simple and quick?
N/A
The target user is at least 16 years old. Source: [privacy-policy], checked on 2020-07-26
Is there an effective complaint process by which App Users can raise issues with the App, or issues with the impact of the use of the App has on them? (not bugs, not technical issues; that is handled in the support question)
The entire development process is performed publicly on GitHub. The App Creators have publicly encouraged contributions. Raised issues have generally been responded to by the App Developers. Source: [github-documentation-issues], checked on 2020-07-26
Are the user-facing components of the App built in a way that minimizes potential user mistakes that could be detrimental towards effectiveness or avoidance of risks and harms for themselves and others?
The user interface appears straightforward and understandable. The App Creators report that “We conducted usability tests with representative user groups and … Apple and Google were involved to optimize the design for iOS and Android usage.” Source: [ui-screens], checked on 2020-07-26
Default OS features for accessibility.
Managed or processed data
Permission to use the Exposure Notification framework Source: [pruefsteine], checked on 2020-07-26
QR Code scan during testing Source: [pruefsteine], checked on 2020-07-26
TeleTAN in case of hotline-based result verification Source: [pruefsteine], checked on 2020-07-26
Consent to upload daily diagnosis keys Source: [pruefsteine], checked on 2020-07-26
Federation with other Apps
Is the App a standalone system (“stovepipe”) or is it intended to be used in Federation with other Apps created by others? If so, what are the supported Federation technologies (e.g. protocols/standards), operations and governance?
Not available so far. Source: [solution-architecture], checked on 2020-07-26
Service Providers used with the App
No third party services are being used. Source: [backend-infrastructure], checked on 2020-07-26
The App Creators’ hosting platform, software components and services, and their configuration, are documented. Source: [backend-infrastructure], checked on 2020-07-26
The App Developers also list 3rd-party software components used in the App as part of their documentation. Source: [android-architecture], checked on 2020-07-26 Source: [ios-architecture], checked on 2020-07-26
Are all Service Providers under legal obligations consistent with the needs of the App? This may particularly be an issue if a Service Provider is subject to a different jurisdiction than the App Creators or App Users, or if the Service Provider can be legally compelled in their jurisdiction to break their obligations to stakeholders of the App.
N/A: there are no service providers other than the App Creators themselves.
Communication between the Smartphone Component and the Cloud Component is entirely via HTTPS, without the use of third-party services. Source: [solution-architecture], checked on 2020-07-26
Decisions are made by the App Creators and publicly documented. Source: [github-docs-issues], checked on 2020-07-26
Not known. However, the past decision-making process has been documented. The names, roles and affiliations of key team members have been published. The privacy assessment will again be updated within 3 months. Source: [cwa-datenschutz-folgenabschaetzung], checked on 2020-07-26
The published roadmap appears to have been delivered on. A wishlist for future features is available; the public can contribute. Source: [wishlist], checked on 2020-07-26
Is there a whistleblower process for people involved in any aspect of the development, operation, or governance of the App? If not, why not?
Legal steps within the German legal system.
Validation by third parties
Which third parties have researched the effectiveness of this App against the disease? Are their reports publicly available, and if so, where?
Which third parties have researched the potential downsides or risks of this App? Are their reports publicly available, and if so, where?
Has any third-party audit been performed of the App? Who performed the audit, are their reports publicly available, and if so, where?
Are all relevant technologies, processes, governance and their internal and public documentation periodically and timely updated?
The documentation of the App is extensive and appears comprehensive.
The App reports when it last performed certain actions. There is no audit trail beyond the last time an action was performed.
Validation by third parties
Source code for all components is on GitHub.