Corona tracking apps with PEPP-PT: "It is crucial for us that data protection is guaranteed"


Based on the PEPP-PT (Pan European Privacy Protecting Proximity Tracing) project, there will be one or more apps in Germany from mid-April with which users can use Bluetooth technology to determine whether they are in the vicinity of a proven corona infected person who is also using the system. PEPP-PT provides a reference implementation, on the basis of which various apps can then be set up quickly. The source code of the solution is to be published under the open source license of the Mozilla Foundation.

Don't miss any news! With our daily newsletter you will receive all heise online news from the past 24 hours every morning.

The project group originally wanted to present its platform to the press in detail at the beginning of the week. But the appointment was postponed for the time being because the ongoing penetration tests are to be completed beforehand, said Chris Boos heise online With. He is co-initiator of PEPP-PT and founder of the Frankfurt company Aarago. The basics of the project are now known, but numerous details are still unclear.

Heise online was able to clarify some questions in advance with Boos. Boos therefore assumes that there will be several apps in Germany: "One will come from the Robert Koch Institute, another from the 'Healthy Together' initiative, but there could also be others." Boos nevertheless assumes that there will be a central solution in Germany because the legal requirements provide for coordination through a central body. Every app must be certified by the PEPP-PT consortium.

Depending on the country, the Corona warning apps based on the PEPP-PT platform can contain different functionalities, such as contact with the health authorities. "Each country will decide for itself how this will be structured in accordance with its legal regulations," explains Boos. It is crucial that no data is transmitted without the voluntary consent of the user. However, he also points out that in Germany Covid-19 is a notifiable disease. Those affected are therefore obliged to report personally to their health department. "This can possibly be mapped using an app," says Boos.

The distance data are recorded on a Bluetooth basis and evaluated locally on the device. This data is not stored on a server, but is linked to the user's ID number. The ID number is not linked to other data such as the email address or the cell phone number. "It is an anonymization, not a pseudonymization of the data," emphasizes Boos. The system currently exchanges the ID number that is stored in the cell phones at least every 30 minutes. With this information, the cell phone owner cannot track his infection chain and identify others. In the event of a positive test, the recorded distance data can be used to inform other users of their ID number.

How this information process takes place is not yet clear, different solutions are conceivable. For example, the health department could provide information in several steps, while anonymization is retained. "Applications that use the PEPP-PT platform cannot contact the user directly, but can virtually store messages for the user, which the user can then call up," explains Boos. This ensures anonymity. These messages go through the PEPP platform, and it is never known who is behind the ID number.

. (tagsToTranslate) Bluetooth (t) Corona apps (t) Corona warning app (t) Corona virus (t) Digital Courage (t) Geodata (t) Google (t) PEPP-PT (t) Pandemic tracking (t ) Sars-CoV-2 (t) tracking