So it works, after all! Why I installed the German coronavirus tracing app

Commentary

Open-source software, transparent communication, and public-private cooperation with both large and small companies—the development of the German contact tracing app could be a model for future government IT projects.

Teaser Image Caption
Corona-Warn-App: Transparency through open-source software

I did it. Like millions of Germans, I downloaded and installed the coronavirus contact-tracing app on my smartphone. And so far, I have no major bones to pick with it.

For me, this is very unusual. I have been dealing with the issue of data protection in the digital age for more than 15 years now. I've sued companies for my data, and I fight for constitutional and human rights on a daily basis. And yet, I made a conscious decision to install and use this app that collects my data.

Its decentralized architecture ensures that my smartphone can communicate with other users’ phones without my personal information leaving my device. The app runs silently in the background. Even the initial concern that the app would drain the phone battery turned out to be unfounded. With well over 14 million downloads from the app stores by the end of June and no known security gaps worth mentioning so far, the German app really hit it out of the park.

SAP and Deutsche Telekom have created an open-source product, demonstrating that high levels of data protection, proper IT security, and open-source software don’t have to compromise user-friendliness. At the same time, the development process of this app may become a blueprint for many future government IT projects.

A pragmatic decision in favor of decentralized data processing

It was not a foregone conclusion that the app would be a success. Initially, during March and April, the German government was zigzagging. First, it wanted to evaluate radio cell data to track infection paths. After this met with public resistance and massive concerns about the usefulness of this data, the government backpedaled and opted for a Bluetooth-based contact-tracing approach with central data storage and evaluation.

The latest shift, away from central data storage and in favor of the current approach to calculate infection risks locally on individual user devices, was a pragmatic decision. After Apple and Google, the manufacturers of the dominant mobile operating systems on the market, announced that they would make a new Bluetooth interface available only for apps that distribute and store data in a decentralized manner, it became clear that any app without this interface (the API) would be severely limited. Without API-enabled access, data could only be exchanged if the app remained open in the foreground at all times, which would quickly drain batteries and require users to reopen the app after each restart. It remains to be seen whether a tracing app without this interface can also work, for example, in countries that opted for centralized systems such as France. So far, however, the numbers are sobering and downloads are sluggish.

The German government made the right decision when it opted for a decentralized approach and thus for compatibility with the new API. And once this decision was made at the end of April, implementation got off the ground quickly. The Chancellor’s Office and the Federal Ministry of Health required the involved companies to be consistently open and transparent about the process – earning both praise from champions of data protection and the public’s trust. The publication of the source code was a breakthrough, because open-source software is a rarity in government IT projects.

Startups were involved in the process

SAP and Deutsche Telekom, the two largest German companies in the field, were contracted to implement the project. The fact that the government went with the big players rather than smaller technology companies comes with a hefty price tag: the app will cost 68 million euros over two years. But – and this is also a novelty – the two corporations developed the app in collaboration with a network of startups that had rallied under the slogan “Gesundzusammen” (healthy together). The startups improved the app’s user-friendliness by contributing their experience in direct customer contact. SAP is a business-software manufacturer that does not normally deal with end customers, and Deutsche Telekom is not exactly renowned for stellar customer service.

These are the lessons learned from three months of discussion, testing, and now the roll-out:

1. Transparency creates trust

The confusing dispute among experts on whether to opt for a centralized or decentralized approach initially sowed skepticism among the general public. In addition, the German population generally does not have much confidence in the state when it comes to IT projects. Major billion-dollar projects such as the electronic patient file are stalled and most citizens don’t see the point of an electronic ID. In addition, although Germany is paying lip service to data protection and IT security, it is also torpedoing these very values with an unconstitutional security policy, the most recent example being a proposal to allow domestic intelligence services to engage in hacking.

With the “Corona-Warn-App,” as it is dubbed, the German government is setting a counterexample -- focusing on maximum transparency, data protection, and IT security. Its success proves that this approach pays off. Civil society and experts were involved in the process, facilitating an earnest dialog. The companies’ commitment to an open-source code was the right decision and must serve as a model for all future government IT projects. The decision to make the data protection impact assessment, which is required under the GDPR, fully available to the public, should also become a standard practice; that is the only way interested users can form their own opinions on technical solutions.

When large companies and startups collaborate, institutionalized experience meets innovative courage, creating synergies and boosting user-friendliness. In addition, there was a great sense of accountability among the majority of the involved parties, both on the part of the developers and on the part of the parliamentary opposition as well as digital civil society. The project has been critically monitored, but it is not being attacked just for the sake of criticism.

2. Global crises require uniform solutions

Another important – and more ambiguous – insight is that crises of the scale of Covid-19 require solutions across national borders. While apps that are based on the Apple/Google interface lay the foundation for a uniform approach, they lack democratic legitimacy.

US legal scholar Lawrence Lessig wrote “Code is Law” as early as 20 years ago. The corporations’ unilateral decision to only allow the interface to work with apps that process data locally makes it difficult for alternative approaches to fully use the technical possibilities of Bluetooth Low Energy in a user-friendly way. The fact that international corporations unilaterally impose technological standards was effective in the short term in this case, but in the long term, it will create a question of the legitimation of such a technologically imposed solution.

Democracies should not leave standard-setting up to corporations alone

The development of the German coronavirus contact-tracing app highlighted the gatekeeper role of large technology companies. The decentralized approach was the lowest common denominator, and companies justified their cautious choice by claiming it was for protection from the state. After all, states that pursue a centralized approach to data storage could misuse this data for other purposes.

The role of Apple and Google in setting standards should be debated in the future, especially since numerous democratic states – such as France, but also initially the United Kingdom – had pleaded for opening the interface to centralized approaches. With the current design, users and app developers are forced to blindly trust Google and Apple. It is unclear to what extent the corporations could potentially access the data.

It would be wrong to leave the decision-making authority over technology design entirely to corporations in times of global crisis. But neither should states simply dictate their terms into the program code. In the future, at the very least, we will need a serious dialogue process, perhaps even extensive agreements under international law.

But one thing is certain: It takes a uniform solution to effectively control a pandemic. Since so many nations created their own coronavirus contact-tracing apps, especially in Europe, it remains unclear whether any effective pan-European contact tracing will be possible. The European Commission strongly supports sharing infection data across borders, at least for decentralized apps. This is especially important now as millions of people are getting ready to travel across Europe during the holiday months.

But it is also clear that apps that are based on different concepts, especially decentralized-versus-centralized data processing, will not be able to communicate with each other in the future. If we don’t want to bring home the virus from our summer holidays, we need a pan-European solution.

This article originally appeared in German on boell.de.