New feature of the Corona warning app: experts with serious doubts about data protection

The Corona-Warn-App recently received a new feature that is currently raising concerns among privacy advocates. There are legitimate doubts that user privacy is maintained here.

Unless you're going to a supermarket or another shop for everyday needs, you need to allow extra time, because the Corona Protection Ordinance requires that you show both 2G proof and an ID card at the shop entrance. Further measures will soon be added in many areas of life, and citizens will then sometimes also need a same-day rapid test. The Corona app aims to simplify these scenarios and offers a new function that avoids the waiting time on site. The problem: it could come at the expense of privacy.

Everything can be stored in the federal government's Corona app: the rapid test, proof of recovery, or the vaccination certificate. All of this is necessary in order to participate in social life at all. A new function (from version 2.15) now makes it possible to identify yourself as vaccinated or recovered in advance. If you buy a ticket for a flight or a concert, for example, you can have your status verified directly at the time of purchase.

Corona warning app: Doubts about data protection with the new check-in function

Corona warning app: Is user privacy still protected? (Image: CHIP/Marcus Kampf)

However, the Corona app itself does not check the status. Instead, an external online verification tool steps in to check the identity. And this is exactly where data protection officials are sounding the alarm: how is anonymous use of the Corona app supposed to work when the app promises not to pass on any personal data? The validation services are not supposed to store data in the long term either, but details could still be clearly linked to individuals.

Anja Lehmann, professor of IT security and identity management at the Hasso Plattner Institute, is concerned. Speaking to Netzpolitik.org, she says: “Here, in my opinion, T-Systems exploited a pandemic-fighting infrastructure for its own commercial interests and benefited from the advantage of being involved in the development of the CWA.” The reason: companies are supposed to be able to offer the verification tool for a fee, which creates competition and thus accelerates the spread of the tool. At least in theory. It is not yet clear which specific companies are working on and offering the tool.

However, Lehmann sees this step as damaging the reputation of the Corona app, which to date has primarily been characterized by its anonymity.


This is how the new feature works

The verification does not happen automatically; it requires the active consent of the user. Once consent has been given, you receive a corresponding QR code when you buy the ticket. You can either scan it with the Corona app or upload it directly. Based on this, the app recognizes which proof is required to take part in the flight, concert or similar event.

You can then send the appropriate proof to the organizer or the tool. If you have given your consent, the validation tool checks the evidence and gives the green light. You and the organizer then receive confirmation of this.

The FAQ of the Warn-App emphasizes: “The check itself takes place on-the-fly in the main memory of the server of the validation service. The memory areas involved are cleaned automatically. The log files involved also do not store any personal data or information about the certificates. For billing purposes, the technology only documents that a check was carried out for the ticket provider. No personal data is processed here either. The only remaining storage location for a certificate is the user’s smartphone.”

The original of this post appeared first at Inside Digital.
