The SwissCovid app – many strengths, some weaknesses
From 25 June, Swiss citizens will be able to use the SwissCovid app, which complements classic contact tracing in the containment of coronavirus. Our researchers took a close look at the app before its release – a statement.
The Chaos Computer Club (CCC) has presented ten criteria for assessing contact tracing apps. Six of these criteria are met by the SwissCovid app, four are partially met. The chart summarises the assessment based on the CCC criteria. It shows that the app’s developers have successfully made an effort to achieve the quality goals required by civil society. However, it also shows that the use of the app cannot be recommended without reservation from the point of view of security and privacy protection. However, the SwissCovid app protects privacy much better than other apps that are used intensively by large parts of the population. The only regrettable thing is that you have to use either the Apple or the Google app stores to install it.
Fig.: Annett Laube-Rosenpflanzer, Tutorial of the Swiss Informatics Society, 19.6.2020
There is room for improvement, especially in terms of transparency. The implementation of the app is open source, but the Apple API and Google API used are not open source. Their implementation is not disclosed. Therefore, some questions remain open, for example, whether the identification keys used are really randomly generated and whether there is really no link at all to the corresponding user account of the smartphone. The distribution of the information to the app users is also done via Amazon’s CDN Cloudfront. Here, there is the possibility that the app users are identified and their paths are tracked. More verifiable transparency would also be desirable with regard to the “distance measurement” and its reliability. It is unclear how accurately and reliably the use of Bluetooth technology can estimate the likelihood that a contagion has occurred. Bluetooth itself does not measure distances. With the help of wireless technology, a contact that has taken place can only be determined by measuring the signal strength over a certain period of time. Estimates of how well this works currently differ greatly. In any case, many false positives and many false negatives are to be expected. Users should be aware of this fact. An open question at the moment is what the actual impact of using the app will be. Will app users behave more carelessly (Peltzman effect, among other things known but also controversial, for buckling up seat belts in cars)? How will people deal with the information that they have probably been infected? Will organisers measure how many participants have installed and activated the app and possibly exert pressure to use it? These and other questions cannot be answered at the moment. An interesting alternative to the SwissCovid app is the deliberate exchange of QR codes at meetings or in certain public places(example: zwaai.app in the Netherlands). This requires more effort and does not capture chance encounters, but the risk assessment that takes place is likely to be more reliable. It therefore makes sense to practice this code exchange at longer meetings as a supplement to the SwissCovid app. In summary, we see the SwissCovid app as a useful digital tool for combating Covid-19, which fulfils the quality requirements in terms of privacy protection much more extensively than many other popular apps. The goal should be to create even more transparency and enable use without the Apple App Store and Google Play Store. However, whoever uses the SwissCovid app should not see this as a substitute for compliance with the Covid 19 protection measures, but as a supplement. Furthermore, it is possible to combine the SwissCovid app with other apps that assess specific risk situations more accurately, or to expand it accordingly. Cooperation with neighbouring European countries would also be very important in order to be able to use the app across borders, e.g. for cross-border commuters in Basel or Geneva.
Background and Acknowledgement
In addition to her work at the BFH, Annett-Laube Rosenpflanzer is also a member of the Ethics Committee of the Swiss Informatics Society (SI). Reinhard Riedl is president of the SI in addition to his work at BFH. The paper resulted from an SI tutorial by Annett Laube-Rosenpflanzer and the subsequent discussion with all participants. The event was initiated by Andreas Geppert, who is president of the SI specialist group “Informatics and Society”. Thanks are due to all who contributed to the event.