Possible trends in data protection (May 08, 2020 report).
The Tracing App follows a decentralized approach, which means that the keys used for the encryption of user data are centrally accessible (DP-3T concept or Decentralized Privacy-Preserving Proximity Tracing).
If people test positive for COVID-19, they receive a COVID-19 code from the involved laboratory, which they can enter in their app, but do not have to. Also voluntary is the notification of persons with whom the infected person has had contact for more than 15 minutes and at a distance of less than 2m within the infection period. The notification is made on the basis of the keys on the mobile phone of the person concerned of those persons with whom the person concerned had contact within the critical period in the sense of the Tracing App.
The proximity tracing app works as follows:
When the app is installed, a random and secret key (256 bit) is generated. The key is only stored locally on the smartphone and does not contain any private data. The secret key is therefore temporary and is regularly renewed, so that no conclusions can be drawn from the temporary secret key about the user, even if there are several activities.
If another device with the tracing app is nearby, a cryptographic function (HMAC) is used to generate a checksum using a time stamp and the key. This checksum is stored in the local memory of both devices. Entries older than 14 days are automatically deleted by the apps.
A user can use the app to report if he or she has tested positive for COVID-19. When such a report is received, the user’s secret key with which the checksums were generated is sent to a central server. All other devices with Tracing App are automatically connected to the central server and periodically download the keys of users who tested positive for COVID-19. The data must be deleted immediately upon notification by the positively tested user (Art. 60a para. 4 lit. d EpG)
The app now compares the dish with the stored checksum. If there is a match, the tracing app informs the user about the contact and the duration. However, it is up to the user to take appropriate measures after a possible contact.
Other challenges for the traicing app
Two central points of the legislator’s requirements for tracing solutions from a data protection point of view are the decentralized approach, encryption and the voluntary nature of tracing (Art. 60a para. 3 EpG). The Federal Data Protection Commissioner (FDPIC) has therefore explicitly examined and explicitly approved the various points of the solution: according to the press release of 12 June 2020, the decentralised tracing app was granted the placet in accordance with data protection law: Decentrality, i.e. the sovereignty over the use and the data of the tracing app by the user, was seen by the FDPIC as one of the cornerstones of the solution [1].
The FDPIC considered the use of Amazon Web Services (AWS) to be “justifiable”, according to which the use is “justifiable” due to the decentralised approach and the encryption [2].
1] Cf. report of the Federal Data Protection Commissioner of 12 June 2020 (https://www.edoeb.admin.ch/edoeb/de/home/aktuell/aktuell_news.html#-796881893 ).
2] Cf. FN2.
Other challenges for the tracing app
With the use of the app and thus the large number of encounters to be determined, it will become clear whether the Tracing App can meet the requirements. Due to the planned decentralized storage of the keys, the constant renewal of the keys and the deletion of the codes for the identification of the COVID-19 patients, the app has a high security standard.
The challenge will be to maintain this high standard despite a large number of similar encounters between people in the same environment (same mobility habits, same habits for lunch or dinner or sports, etc.). It cannot be ruled out that, with increased routine procedures, there will no longer be any real anonymity – provided the app is used effectively.
At present, the app has a high security standard and is based on a corresponding legal basis (Art. 60a ff. EpG).
UPDATE June 16, 2020:
The tracing app follows a decentralized approach, which means that the keys used to encrypt the user data are centrally accessible (DP-3T concept or Decentralized Privacy-Preserving Proximity Tracing).
If people test positive for COVID-19, they receive a COVID-19 code from the laboratory involved, which they can enter in their app, but do not have to. The notification of those persons with whom the infected person has had contact for longer than 15 minutes and at a distance of less than 2m within the infection period is also voluntary. The notification is made on the basis of the keys on the cell phone of the persons with whom the infected person had contact during the critical period in the sense of the tracing app.
Data protection
Two central points of the legislator’s requirements for tracing solutions from a data protection perspective are the decentralized approach, encryption and voluntary nature (Art. 60a para. 3 EpG). The Federal Data Protection Commissioner (FDPIC) has explicitly examined the various points of the solution and also explicitly approved them: according to the press release of June 12, 2020, the decentralized tracing app was given the go-ahead under data protection law: The decentralization, i.e. the sovereignty over the use as well as the data of the tracing app by the user, was seen by the FDPIC as one of the cornerstones of the solution.[1]
In this context, the FDPIC judged the use of Amazon Web Services (AWS) to be “justifiable” due to the decentralized approach and encryption.[2]
Big Data
With the use of the app and thus the large number of encounters to be elicited, it will become clear whether the tracing app can meet the requirements. Due to the planned decentralized storage of the keys, the constant renewal of the keys as well as the deletion of the codes to detect COVID-19 sufferers, the app has a high security standard.
The challenge will be to maintain this high standard despite very many identical encounters of people in the same environment (same mobility habits, same residence habits for lunch or dinner or sports, etc.). It cannot be ruled out that with increased routine processes, actual anonymity will no longer be there – provided that the app is used effectively.
At the present time, the app has a high security standard and is based on a corresponding legal foundation (Art. 60a ff. EpG).
Epidemics Act
The legal basis for the proximity tracing system (PT system) for the coronavirus is created by Art. 60a EpG. The proximity tracing system records proximities betweenmobile phones of persons using the app and notifies users in the event of a potential contact situation. The data may only be used for notifying concerned persons and keeping statistics; any other purposes are not allowed. Use of the tracing app remains voluntary. Anyone who intentionally disadvantages a person because they do not want to use the app will be fined. The DPA remains applicable and serves as the basis for data protection.
The PT system is designed as follows:
All reasonable technical and organizational measures must be taken to prevent the participating persons from being identifiable.
As far as possible, data is processed on decentralized components on the users’ cell phones). Data collected on a cell phone about another person may only be processed and stored on that cell phone.
Only data necessary to determine the distance and time of approach and to issue notifications is obtained or processed. Location data is deliberately not obtained or processed.
Data is destroyed as soon as it is no longer required for notification purposes.
The source code and technical specifications of all components of the PT system are public.
Once the PT system is no longer necessary, the Federal Council envisions discontinuing the system.
The system may also be linked to foreign systems, provided that adequate protection of privacy can be guaranteed. After two years, the legal basis loses its validity again.
Despite various tests, it cannot be guaranteed that the app will not issue false reports due to possible technological uncertainties. Thus, even the app is not a 100% guarantor for (k)an approach of an infected person.
Conclusion
The tracing app, which is managed by the FOPH, has a legal basis and is in the starting blocks to be deployed in Switzerland. With the decentralized approach and the high technical and organizational measures, the data protection requirements are met as well as possible. The FDPIC has confirmed this accordingly in various opinions, most recently on June 12, 2020.
The chosen, decentralized approaches are still interesting to pursue for other problem areas that affect larger numbers of individuals. It remains to be seen to what extent the selected approaches will also be practical.