Halfway point for the Corona Warn App developers

The next few days represent roughly the halfway point in the development of the Corona Warning App. Since the end of April, T-Systems, SAP, and other partners, have been working on the technical solution for Germany. With the new app, citizens can help break up the virus’ chains of infection quicker and more effectively. Our development efforts have been publicly available for almost two weeks: architecture and code are available on the Internet.

With the Corona Warning App, smartphones within a radius of less than 2 meters exchange pseudonymous data keys with each other and store them locally on the owners' smartphones. If a user voluntarily reports themselves as infected, their pseudonymous keys are transmitted via a server – operated in Germany. The app on individual users’ phones then compare infected citizens’ keys from the server to those with which they have come into contact over the previous 14 days. If a match is found, a contact warning is sent to the relevant users. At no time will the identity of a user be revealed.

New open-source release on GitHub

This functionality depends on an automated verification process that ensures that existing test results are correctly assigned to a pseudonymous app user. For this verification process we have published today the "Verification Server Repository" as another milestone of our overall project: https://github.com/corona-warn-app/cwa-verification-server

An important part of breaking chains of infection is making sure that the results of laboratory tests are made available to the user directly through the Corona Warn App. In this way, the user is notified faster and a contact warning can be sent earlier. This reduces the risk of passing the virus to more people. This process reduces the manual effort required by laboratories, doctors and health authorities to inform people who contract the virus.

After notification of a positive test result, an app user can voluntarily publish the pseudonymous data keys stored in their app. This way, other people who have been in contact with the app user are notified of a possible infection through their own app.

Description of the automatic verification process

The starting point is to test for COVID-19. The user has this test performed by a doctor or a test centre. The app user receives a personal, pseudonymous QR code with a GUID (Globally Unique Identifier) from their doctor or test centre. The GUID contains no personal data from the testing process. The user can voluntarily scan this code into the app. Only then is the app’s automatic notification function is enabled. Then the app on the smartphone regularly requests status changes from a special verification server. If there is a test result available for the user, the app notifies them locally and the user can retrieve their test result.

Important: For security reasons, the notification does not contain any information about the actual test result. The test result is not displayed to the user until his app is opened.

Preventing misuse

If the test result is positive, the app user can voluntarily transfer the pseudonymous data keys to the Corona Warning App server. These are the pseudonymous keys under which they are visible to other app users. This way, other users who have come into contact with the infected person are warned via the app. This function is only available to the app user when a positive test result is received and can only be triggered once for each positive test result. Misuse through false reporting of an infection is prevented by the double confirmation.

This process involves a great deal of system integration, i.e. digitization of interfaces including laboratories, test centres and health authorities. This goes to the core of what T-Systems is about.

Protection of personal rights

Naturally, users demand full protection of their personal rights for the sensitive verification process. We have the BSI and the BfDI as partners for this. We have developed a common understanding of the security concept. Approximately half of it has already been documented at this halfway point. After all, by voluntarily warning their fellow citizens, users are ultimately giving away a positive test result. This is and remains a personal decision - even in an automated process. And for this, every user must have the guarantee that their identity is protected at all times, even when the pseudonymous data keys are exchanged.

Voluntary principle

The entire system is based on a voluntary principle. No one has to use this app. But millions of citizens should participate in order to reliably stop chains of infection and thus better protect each other. We have heard from other countries that comparable apps are available but are no longer downloaded and used to the necessary extent. For me this means: We must earn citizens’ trust. And that's why we work very thoroughly and transparently, in accordance with the open-source principle. Everyone can see the current state of development and make suggestions for improvement. This week, our publications on GitHub reached number one on the development platform’s Trending Topics. About 40,000 views were reached in a single day. We are very happy with the fruitful discussions on the platform and take them very seriously. I am convinced that the community’s insights and suggestions will play an important part in securing the trust of the entire population.

Free service hotline

However, technical work alone does not lead to acceptance from citizens. We are making thorough preparations for the app’s launch in mid-June, including user support. Even before the app gets off the ground, we are setting up a free service hotline for the Robert Koch Institute, the official publisher of the app. The telephone support will then offer immediate help, for example, with downloading the app, with settings on the smartphone and with the verification process.

There is still a lot to be done before the app is launched in a few weeks’ time. If you have any questions or suggestions, I would love to hear your feedback here, on LinkedIn, or on GitHub.

Stay healthy!

Adel Al-Saleh