2021-06-18
Annabelle Theobald

One year Corona Warn App - a retrospective

CISPA faculty member Cas Cremers on the challenges of work on the contact tracing tool

"No matter how many infection chains we break, we save lives," was the guiding principle of Prof. Dr. Cas Cremers, senior scientist at CISPA, when he embarked on work on the DP-3T (Decentralized Privacy-Preserving Proximity Tracing) project just over a year ago. Based on this project, the German Corona warning app was created a few weeks later. The effort has more than paid off, as an initial assessment of the effectiveness of the Corona Warn App by the Robert Koch Institute and the German Federal Ministry of Health shows: More than 110,000 users tested positive after receiving a warning from the app and were able to use this knowledge to protect themselves and others. Voluntary data donations and an online survey make this first interim assessment possible, despite anonymous contact tracking.

The Corona Warn App has now been downloaded over 31 million times (as of August) from German app stores. Voluntary data donations from users of the app and an online survey provide the RKI, the app's publisher, with new data on its effectiveness. A comprehensive evaluation is still pending, but a first interim conclusion is positive: more than one hundred thousand infection chains have been broken with its help, according to the RKI. To achieve the difficult balancing act between usability and data security, almost 40 researchers at CISPA worked on the app. During the development process, they advised T-Systems and SAP, the companies commissioned by the German government to develop the app, on security aspects.

But to start at the beginning: When Cas Cremers joined the DP-3T project, the core idea of a so-called proximity-tracing app that could be used to trace contacts in the pandemic was already in place. Within DP-3T, researchers from across Europe worked together at full speed to turn this idea into an effective tool. Since almost everyone now carries a smartphone with them every day, the decision was made quickly. The choice of the instrument also defined the technological framework. "In the end, two candidate technologies remained that could be used to track contacts: GPS and Bluetooth," Cremers explains. Since GPS is very coarse, and doesn't work indoors, Bluetooth was the final choice. Wireless technology is used to transmit signals from device to device over short distances - but this is very battery-intensive. Another problem for the researchers was that "Bluetooth is not actually made for measuring distances," he said. "But they play a big role in the question of infection risk," Cremers says. The signal strength allows conclusions to be drawn about distances, but this varies from device to device. In addition, an app that wants to use Bluetooth usually has to be open in the foreground - that would also be user-unfriendly and stand in the way of effective contact tracking. These were all challenges that the researchers had to deal with under enormous time pressure.

DP-3T took a decentralized and open-source approach from the beginning, storing personal data only on the devices and not on a central server. This decision was not without controversy in the research community. Some members of the Pan-European Privacy-Preserving Proximity Tracing consortium, PEPP-PT for short, under whose umbrella several research projects had joined together at the start, tended toward a central solution. However, in the view of many scientists, including those from the DP-3T team, this would lead to unnecessary and risky storage of private data, and reduce trust in the solution.

DP-3T researchers developed a privacy-compliant Bluetooth protocol that addresses all of these issues. Using low-power Bluetooth, the smartphone sends out a regularly changing code, searches for the codes of other smartphones, and stores them locally on the device. The users' codes are only valid for ten to 20 minutes at a time and are cryptographically derived from keys that change every 24 hours.  Only when users test positive do they upload the list of temporary keys from the last 14 days to the server.  The server adds the keys of this person, which are then labeled as positive, to a list, which in turn is retrieved by all apps for matching. The exposure notification system checks locally whether codes match those on the alert list. If a person has had contact, a recommendation for action is given after a risk assessment, depending on the duration and proximity of the contact. Throughout all of this, users remain anonymous and only data of users who tested positive and gave their consent is ever uploaded.
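
The flow described above, as an added sketch that is not code from DP-3T, the Corona Warn App or the Google/Apple system. The HMAC-SHA256 derivation, the 15-minute code lifetime and all names (Phone, ephemeral_ids, demo) are assumptions chosen for illustration; only the 24-hour key rotation, the 14-day upload window and the local matching come from the description.

```python
import hashlib
import hmac
import os

EPOCH_MINUTES = 15                          # assumed; the text says "ten to 20 minutes"
EPOCHS_PER_DAY = 24 * 60 // EPOCH_MINUTES   # 96 codes per daily key
RETENTION_DAYS = 14                         # upload window named in the text

def ephemeral_ids(day_key: bytes) -> list[bytes]:
    """Derive every code broadcast under one daily key (HMAC is a stand-in KDF)."""
    return [hmac.new(day_key, b"ephid" + i.to_bytes(2, "big"),
                     hashlib.sha256).digest()[:16]
            for i in range(EPOCHS_PER_DAY)]

class Phone:
    def __init__(self):
        self.day_keys = {}   # day number -> random key, stays on the device
        self.heard = {}      # day number -> codes received from nearby phones

    def key_for(self, day: int) -> bytes:
        return self.day_keys.setdefault(day, os.urandom(32))

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephemeral_ids(self.key_for(day))[epoch]

    def observe(self, day: int, code: bytes) -> None:
        self.heard.setdefault(day, set()).add(code)

    def upload(self, today: int) -> list[tuple[int, bytes]]:
        """Daily keys of the last 14 days, released only after a positive test."""
        return [(d, k) for d, k in self.day_keys.items()
                if today - RETENTION_DAYS < d <= today]

    def exposures(self, published) -> list[tuple[int, int]]:
        """Match locally: re-derive codes from published keys, compare with heard."""
        hits = []
        for day, key in published:
            n = len(self.heard.get(day, set()) & set(ephemeral_ids(key)))
            if n:
                hits.append((day, n))   # n matched epochs approximates duration
        return sorted(hits)

def demo():
    # Constructed scenario: Bob is near Alice for three epochs on day 100,
    # Carol only ever hears Bob. Alice tests positive on day 105.
    alice, bob, carol = Phone(), Phone(), Phone()
    for epoch in (40, 41, 42):
        bob.observe(100, alice.broadcast(100, epoch))
    carol.observe(100, bob.broadcast(100, 40))
    published = alice.upload(today=105)
    return bob.exposures(published), carol.exposures(published)
```

The server in this sketch only ever sees the keys Alice chose to upload; which phones heard her codes is computed on each device and never leaves it.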

For Cremers, the complicated balancing act between effectiveness, user-friendliness, and data protection compliance, as well as the enormous time pressure, characterize the intensive development process of DP-3T and the Corona Warn App. He is more than satisfied with the result and still pleased that Germany opted for a privacy-by-design approach, where privacy is virtually built-in from the bottom up.  In the meantime, the exposure notification system from Google and Apple, which is based on the work of DP-3T, is in use in 41 countries and states worldwide.

translated by Oliver Schedler