You have probably already read or heard it: the Corona app should finally help us return to a more normal life while still containing COVID-19 infections. For this purpose, Apple and Google have provided an interface with their latest system updates that enables the corresponding apps, because these apps should not access the conventional interfaces for Bluetooth or location.
Exactly these updates, which on Android are delivered in the background directly via Google Play services without a system update, have already caused conspiracy theories or, to assume the better case, confusion and panic.
At the moment, each country is tinkering with its own app-based solution. So far, however, the principle has almost always been the same: the apps record who is in the vicinity and for how long. For this purpose, the Corona tracing app uses Bluetooth and depends on the cell phones in the area also having the app installed. So far, so easy. To ensure that everything works in line with European data protection standards, parts of the technology required for this have been completely redeveloped in recent weeks, and various approaches have been followed.
More than 130 researchers from eight European countries have developed the so-called Pan-European Privacy-Preserving Proximity Tracing process, PEPP-PT for short. ETH Zurich and EPFL in Lausanne were at the forefront here. It is essential to the researchers from Switzerland that apps based on PEPP-PT should also work internationally. Otherwise, it makes little sense if the borders are opened again but we cannot receive cross-border warnings. PEPP-PT proceeds as follows:
Every smartphone has a continually changing ID. Neither the IMEI nor Bluetooth MAC addresses nor other unchangeable identifiers are used for this, since that would ultimately endanger anonymity. If a person, or rather their smartphone with the COVID-19 app installed, is within a certain distance of me for an extended period, my smartphone stores its ID, together with the time and date, of course. If it later turns out that the other person or I have contracted the coronavirus and, according to the current state of science, could have been infectious at that point, the process continues.
The infected person enters this information into the app, which contacts a central server, usually one per country, and marks the corresponding IDs. The other devices can receive the data from there. Then you know that you have had contact with an infected person and should be tested.
The competing approach, also developed by EPFL and one in which Apple and Google are heavily involved, is very similar. The process, Decentralized Privacy-Preserving Proximity Tracing or DP-3T for short, does the same as PEPP-PT. However, as the name suggests, the information is stored locally. In addition, the source code for DP-3T is openly visible on GitHub, which of course brings enormous advantages in terms of transparency and creates trust that a tracking app is not being distributed through the back door instead of a tracing app.
DP-3T also has central servers, but only to store the self-report that someone has tested positive for SARS-CoV-2. Those who mark themselves as infected transmit to the server the daily keys of the last 14 days, with which the AES-encrypted IDs that change every 10 minutes were generated. The server thus knows which series of IDs was infectious and distributes it to all connected apps. However, this does not allow any conclusions to be drawn about the person or the smartphone, nor about what the next ID will look like or what it was before the 14 days. Encryption takes care of that. Also, in their interface documentation, Apple and Google say that the servers in the countries that receive the app data must not store any metadata about the device that uploads keys. So no IP address, no MAC address or other numbers. Nothing but the 14 so-called Temporary Exposure Keys, which are then called Diagnosis Keys. With these diagnosis keys, other smartphones can now decrypt the locally stored data packets that they have received in the last 14 days. In these, the ID, time, and distance can be read only for the smartphones marked as infected. Data from non-infected users is not decrypted. Thus, the app knows that, and when, there was contact with a smartphone that belongs to an infected person. This is then displayed, and you can be tested.
This elaborate nesting of keys is intended to guarantee that it is impossible to track individual app installations from the outside merely by collecting as much data as possible. It also prevents central servers from identifying individual users, regardless of whether they are infected or not. That is why these are tracing apps rather than tracking apps.
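The decentralized matching described above can be sketched as follows. This is an added example, not code from DP-3T, Apple, Google or any of the apps: the names `Phone` and `rolling_id` and the 16-byte ID length are assumptions, and HMAC-SHA256 from the standard library stands in for the AES step the text mentions.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # one ID per 10-minute interval, as in the text
ID_LEN = 16              # assumed length of a broadcast ID in bytes

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """ID broadcast in one 10-minute interval of the key's day.
    Stand-in: HMAC-SHA256 replaces the AES step named in the text."""
    msg = b"rolling-id" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:ID_LEN]

class Phone:
    def __init__(self):
        self.daily_keys = {}  # day -> secret key, stays local until reported
        self.heard = {}       # observed ID -> (day, interval), stored locally

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def hear(self, rid: bytes, day: int, interval: int) -> None:
        self.heard[rid] = (day, interval)

    def report_positive(self, today: int) -> dict:
        """Upload only the daily keys of the last 14 days (diagnosis keys)."""
        return {d: k for d, k in self.daily_keys.items() if today - 14 < d <= today}

    def check_exposure(self, diagnosis_keys: dict) -> list:
        """Re-derive every ID of each published key and match on the phone."""
        hits = []
        for key in diagnosis_keys.values():
            for i in range(INTERVALS_PER_DAY):
                rid = rolling_id(key, i)
                if rid in self.heard:
                    hits.append(self.heard[rid])
        return sorted(hits)

def demo():
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed encounters: Bob hears Alice on day 20 and Carol on day 21.
    for i in (50, 51, 52):
        bob.hear(alice.broadcast(20, i), 20, i)
    bob.hear(carol.broadcast(21, 7), 21, 7)
    alice.broadcast(3, 0)  # an old day, outside the 14-day window
    published = alice.report_positive(today=22)
    return published, bob.check_exposure(published)
```

Only Alice's recent daily keys reach the server; Bob's encounter with Carol stays unreadable because her key was never published, and the matching itself happens on Bob's phone.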
France, Germany, Switzerland, and Austria
France relies on PEPP-PT and thus on centralized servers and has already been able to place the app in the corresponding stores.
Even the tech giants Apple and Google, which do not have a positive reputation in terms of data protection and privacy, view PEPP-PT critically. So do the team behind DP-3T and many people from science, data protection, and cryptanalysis. That is why Cupertino and Mountain View are also developing DP-3T.
Switzerland, therefore, relies on DP-3T. The Swiss company Ubique, which produces both the MeteoSwiss app and the SBB app, has developed the corona tracing app for Switzerland, named Next Step, and offers it as a trial version. The app and the code are available for Next Step iOS and Next Step Android.
The Austrian Red Cross has published the Stopp Corona app for Austria. It is compatible with DP-3T and is also already available in the corresponding stores.
Initially, the app could only record and notify manually entered contact persons, but since mid-April, this has also been done automatically using Bluetooth or an acoustic signal. The code for the Austrian Stopp Corona app is also open source and freely available.
Even if some seem to have misunderstood the HUAWEI press release, it is not a separate app but the interface that enables such apps. It supports the company's own devices with or without Google services and is based on the Google and Apple interfaces for contact measurement. It is therefore compatible with DP-3T and can communicate with the apps mentioned above. HUAWEI does this to ensure that its devices are not suddenly left out, since not all of the Chinese giant's current smartphones are allowed to be delivered with Google services and those without them would therefore not receive the update from Google.