By Peter Schaar, 23.11.2020
In the discussion on measures to contain the corona pandemic, data protection is increasingly coming under scrutiny. Is the second wave of corona and the continuing sharp rise in the number of infections due to the fact that in Germany – unlike in some Southeast Asian countries – not all available personal data is collected and used?
A word of caution up front: electronic tools like WarningApps can only be one piece of the puzzle in the fight against the pandemic, regardless of how they work in detail. What is decisive is the overall concept in which they are embedded. This includes rules for avoiding contact as well as sensible testing strategies and hygiene measures.
Voluntariness and anonymity
The German Corona-WarningApp is at the center of the criticism. Germany relies on the voluntary nature of electronic contact tracing. The WarningApp is designed so that it records the contacts determined by means of Bluetooth Low Energy (BLE) anonymously and only in decentralized form on the smartphone, and warns users of "high-risk" contacts, that is, contacts with positively tested persons that are assessed as dangerous. It is the responsibility of smartphone users to get tested. The test labs should transmit the test results electronically to the WarningApp, provided the users agree.
So far, about 23 million smartphone users have downloaded the German WarningApp. Although this is only just under half of the owners of appropriately equipped smartphones, it is significantly more than in all other European countries. The French Stop-Covid app, which is based on centralized storage, had only 2.5 million downloads between June and mid-October, despite much more alarming infection figures there. The second version of the French app (“TousAntiCovid”), which is more privacy-friendly, was downloaded 4.5 million times within a month. In Norway, the government-recommended “SmitteStop”, which collected location data, was initially downloaded 1.5 million times but was hardly used at all. Due to the low acceptance and data protection concerns, the Norwegian government decided to withdraw SmitteStop at the end of September and has since relied on decentralized anonymous contact tracing. Since most EU countries now use this technology, contact data can also be recorded and evaluated during stays abroad.
These experiences show that the demands to fight the pandemic effectively are not met by centralized, mandatory and data protection-invasive approaches, at least in western societies. In addition, a closer look at the Asia-Pacific model leads to sobering results: The rigorous Chinese approach of seamless behavioural surveillance, which interconnects credit card use, electronic payment and tracking procedures, biometric facial recognition with video cameras and the access control systems of buildings, and which is enforced by military and police means, would not be compatible with our ideas of a democratic society based on the rule of law. This also applies to the somewhat less drastic South Korean variant. But the reference to other Pacific states is also misleading, because it ignores the special characteristics of these states: In Asia, the willingness of the people to wear masks at all times and to bow to official directives is much more pronounced than in the Western states. New Zealand and Australia owe their successes above all to a rigorous entry ban and extremely strict quarantine rules. This also applies to Taiwan and Japan. Unlike these states, Germany has a multitude of (permeable) external borders.
Finally, a switch to a centralized, surveillance-oriented technology would mean that the BLE-based contact tracing technology provided by the smartphone manufacturers would have to be abandoned. As a consequence, effective contact tracing with Apple devices would no longer be possible, since the contact information on iPhones would only be determined sporadically.
What has to be done?
In view of the demands to restrict “excessive” data protection, it should not be ignored that there are a number of useful additions to the Corona-WarningApp that could be realized without significantly restricting data protection.
These include, for example, the detection of infection clusters and the sending of corresponding warnings to users who have been in the vicinity of a positively tested person at the time of contact (without having to be a “high-risk contact”). To implement such a feature, it would only be necessary to evaluate the existing data stored on smartphones more intelligently, based on the timestamps of the contact information.
It would be completely unproblematic and very useful to better integrate WarningApps into test infrastructures. This includes finally enabling all test labs to send test results to the WarningApp automatically. In addition, users who test positive could be provided with information on where and when they can be tested. Ideally, this would be coupled with web-based appointment management.
Contact diaries kept on a voluntary basis, including whereabouts recorded by means of a QR code, would facilitate contact tracing in the event of a positive test.
The information provided via the WarningApp and the consents requested from users could be better structured. In particular, duplicate consent to the same matter should be avoided.
Finally, work should be intensified on developing special electronic wristbands that provide the basic functions of the WarningApp so that those who do not have an expensive and modern smartphone could participate in electronic Corona contact tracing and be informed about high-risk contacts.