Germany Introduces Corona Virus Tracing-App: Why aren't people more sceptical?

IMG_17061125×1253 357 KB

What is the Corona-Warn App?
As Germany’s lockdowns and restriction measures quickly ease amidst the slowing spread of the novel corona virus, the government has been hard pressed to balance a careful reopening with measures to ensure the containment of the virus. On Tuesday, the German government introduced the Corona Warn App, designed to identify and quickly “break chains of infection” (Lothar Wieler of the Robert Koch Institute). The App, which is being marketed as a voluntary download, alerts users when and for how long they have been in contact with someone who has tested positive for the virus.

In a recent EdgeRyder Community Call, we talked to experts across Europe about the risks that contact tracing Apps pose for data security. Many agreed that these Apps and similar technologies force an unnecessary trade-off in which civil liberties may be sacrificed in the interest of fighting the virus. Experts warned of three major risks: a) we don’t have a clear privacy-friendly solution for the development of these technologies and it is therefore unclear where the data will be sourced from (and by whom) and how it will be regulated, b) there is an unequal distribution of risk as this may lead to the disproportionate targeting of vulnerable communities, and c) there is an absence of the counterfactual, meaning we don’t yet know enough about the effectiveness of allowing ‘normal life’ to resume and it is therefore risky to develop strategies without clear, counterfactual knowledge to work with. More on our discussions here, here and here.

In light of these discussions, I was curious to learn more about Germany’s App. I am from and currently live in Berlin, where many restrictions have already been lifted and where the summer months have brought more and more people out to public parks, restaurants and bars.

How can Germany feasibly guarantee users’ data privacy, hem further surveillance and effectively contain the spread of the virus?

The App – developed by the German government in collaboration with Apple, Google (using their “privacy-focused” technology) and Deutsche Telekom AG (Germany’s largest telecommunication company) – has received quite a lot of praise for its seemingly data-friendly solution (even Chaos Computer Club (CCC) has not issued any critiques thus far):

Users have been assured that their data privacy will not be compromised and that contact data will not be saved centrally (though this was the original plan), but will instead be stored on the smartphones themselves. According to its developers, the App also does not log users’ location, but uses Bluetooth to allow users to share information. Users are also guaranteed anonymity while using the app, whereby each device is allocated an identification number, which is then visible to all other app users when in the same vicinity. During a span of two weeks, all user IDs are stored in your app, and, if one of those users tests positive during that two week span, your App alerts you. After two weeks, the data is erased.

It seems that the effectiveness of this App is largely based upon the people using it. According to virologists at the University of Oxford, such Apps are only effective if around 60% of the population uses them. In the German case, the effectiveness of the App also depends on users uploading their test results to the app: if a person tests positive for the virus, they receive a unique QR code which they then have to scan into their smartphone/the App. Only then can other users, who have been in contact with that person, be notified. Users are notified anonymously, meaning they don’t find out who the infected individual is, but they are informed about their personal risk level of infection and are urged to seek testing.

The App – which cost 20m Euro to develop and will require 3m Euro a month to operate – has an open source program code, meaning it can theoretically be copied and updated by other countries. The German government hopes that other European countries will follow suit and that a system will quickly be built that works across Europe.

Within the first day of its launch, the App was downloaded close to 1m times, however many remain sceptical about what this means for their data privacy and how these technologies might feed in to further surveillance. According to a recent poll, around 42% of those surveyed, feel comfortable using the App, as opposed to 39% who said they wouldn’t and 19% who either did not own a smart phone or felt they needed more information.

I talked to a handful of family members and friends about their views of the App (most around the age of 30). Their reactions split across two main groups: Most (group 1) felt that they did not have enough information about the App, its aims and functions and its implications for data security, and are sceptical of downloading it. Many said, they will ‘wait and see’ how useful and secure the App is before they consider downloading it. The second, much smaller group was optimistic about the App; several had already downloaded it, others were strongly considering it. Many in this group cited their trust in the government and that, since the data is not stored centrally, they felt comfortable using it. This group also believes the App is the best way to contain the spread of the virus.

This is just a cursory glance at the recent developments in Germany’s contact-tracing App technology, but I am curious to hear from the rest of the EdgeRyders community. What are your thoughts?

Dear All

Well, here my (= 65y, STEM education, first contact with IT was when we used TTYs and punch cards) short comment:

(1) I dislike the App because I do not run around with an open Bluetooth connection and location services switched on .
(2) I downloaded the App and noticed that it is easy to switch it on/off.
(3) I plan to use the App in circumstances when I have to trade off ‘close distance to many unknown persons’ against ‘(1)’
(4) Condition ‘(3)’ will be met seldom considering my current place of living & style of life.

Hence, the App is like my bicycle helmet. It is to use when meaningful - neither in bed nor at a dinner table; may be in public transport.

best regards,
Martin

Yes, that is also my impression of the more IT-literate folks. Italy has its own version, called Immuni. It uses the same Bluetooth-based Google-Apple approach and protocol as the German one. After some complaints, the developer released the source code. Reputable bloggers like Salvatore Aranzulla have given a cautious thumbs-up.

So why are people like, er, me, still dragging our feet? In my case, it’s because of the Manning-Snowden revelation. Everything looks good on the surface, but we now know there is a depth of backdoors, shadowy deals and gigadatabases watched over by three-letter agencies (and their private sector partners).

In other words: I cannot fully trust Immuni because I cannot fully trust anything. That makes me feel a mild irritation, an itch that I cannot scratch. There is really no way out. No hiding from Sauron’s Eye. So, I might as well download the app… but my motivation is low, I would be serving even more data on a silver platter (and willingly, ticking the “I accept the T&C” box) to a system I cannot believe in. I will still do it… but I need to see a large and immediate gain. Which is now – as per our conversation – not clear is there.

I would also like to share a notion that one of my friends shared as a behaviour she observed in herself: “Fitness app wants access to my information? No problem. Government Corona app? I better read and research carefully, one never knows…”

Great summary, @martin!

I do not do that, Maria. Fitness app definitely does not get my data.

Absolutely, but this was just to add that for many it does and it is also interesting that we are having this conversation now with the corona app on this scale when it should probably have been had already way before.

Belgian version: as I write, there’s a bit of an uproar against the Belgian COVID tracking app.

Technically, the solution adopted is centralized, unlike in Germany and Italy, with Sciensano, the public health institute, acting as the center. Legally, we appear to be on very shaky grounds. Because:

• The agency authorized to push the data onto the central repository, the Information Security Committee, is in a legal gray zone: it was instituted by Parliament in 2018, against the advice of the European Commission and the Belgian Council of State. This advice argued that the ISC is not GDPR-compliant. A recent inquiry by the magazine Wilfried also claims that parliament’s procedures, and the constitution itself, were violated in instituting it.
• Frank Robben, a high-achiever computer scientist and civil servant, is accused of standing at the intersection of multiple conflicts of interest around health data. He (by request of the government) is the material author of the bill framing Belgium’s COVID app, as well as the creator of of the ISC itself. Additionally, he occupies a position in the Belgian Data Protection Authority, and this is allegedly illegal, because appointees to the DPA are not supposed to occupy public office.

Notice how this lack of trust – both the one originating in America and the Five Eyes and the homegrown Belgian one – has nothing to do with COVID. It comes from a generalized loss of trust in the robustness of institutions, a vague but pervasive idea that we are screwed, and will always be screwed, and anything new that comes around will just lead to more ways for us to get screwed. It’s sad, really.

attention is selective

At first this seemed high considering the amount of work already done by Google/Apple, but I remembered that the German government must also put together the infrastructure that temporarily houses all the matching data (between those infected and those who they contacted).

Of course we can see the cognitive dissonance between those who do not trust the app but feel comfortable sharing deeply personal information on social media networks. I’m sure there are even those who do not trust this app but have volunteered their genetic information to 23andme.

On one hand, that’s frustrating. On the other, I’m not sure how we can expect anything different. There is absolutely no formal education on this subject for children or adults in the United States. Congress has been passing digital privacy legislation for over a half century and it seems largely ineffective. Most likely because lawmakers also don’t understand the issue very well.

Your informal survey is pretty interesting. On your first group, I’ve found even when I try and educate friends and family who trust me on this issue, they still don’t feel like they have enough information. It seems like it’s not a one-shot fix. The education problem is broad; the app is a symptom.

Really enjoying reading the comments here! I find the point that @MariaEuler and @schmudde are making quite interesting. Of course, many of us don’t think twice about giving apps/social media our personal information, so the scepticism around Covid apps might seem odd. I wonder if our perceptions of personal agency play a role here? Isn’t there a relevant difference between individually deciding to download, say, a fitness app and our government asking us to download an app they designed? When I took my small survey sample, a decisive distinguishing factor between those willing to use the app and those unwilling was their trust in the government: the friends and family members that were using the app explicitly cited their trust in the German government. Those sceptical or unwilling, similarly talked about distrust or wariness around how data was actually going to be used.

Good point. This highlights two important differences.

1. The feeling of pulling software based on your choice vs. the feeling of software being pushed upon you. The pull/push metaphor doesn’t completely align, but I think it captures the salient difference.
2. Governments can legitimize detention and violence. They must always be held to the highest standard. History has shown the countless failures of all forms of governance so skepticism is healthy.

The thread title asks why more people aren’t more skeptical - but I wonder how this observation squares with our “post-truth” society and erosion of institutional trust. Or perhaps I’m overstating the latter?

Yeah, while there is a perception that the private sector can be modified by the public sector through law and regulation, once something is in the government’s hands, where is the oversight? What I find in the US is a vastly diminished willingness of government to provide that oversight and self-correct. Maybe European governments do better on that front. It’s the oversight, the accountability, that is key.

I have a similar sense regarding a lack of enforcement. Antitrust is an easy example. As I understand the analysis, Congress empirically no longer enforces this as it once did.

The law does not cover the practices of powerful tech companies as it is written. But it does not prevent Congress from writing new laws.

Barlow’s Declaration of Independence is a double-edged sword. Governments are not welcome here, but a corporation with over a billion users have a different kind of power - one that even the US Congress seems shy to engage directly.

I’m curious about the political science research here. Is the lack of action unique in the context of Standard Oil and AT&T? If so, have legislators changed because of money, a different international landscape, or a technological shift? Or is it more of the same - and AT&T overdue breakup and reemergence just and example of how it has always been?

I think toppling a monopoly must be one of the harder tasks for a government. I remember when the AT&T decision came down wondering who would be next…and of course nobody was next. I think since then large corporations have much more political power than they even had back then, esp since the Citizens United decision that allows them to make unlimited donations to elected officials for their reelection campaigns. And, since the 80s, there have been more lobbyists in DC than legislators. All that influence makes trust busting way harder than it already was. Until a whole new group gets into Congress who are devoted to anti-monopolistic practices, I don’t see anything meaningful happening in this area.

As for how they deal with tech - always going to be hard because they rely on their staff to use it and understand it. And again those lobbyists…sometimes it is they who write the legislation.