The Corona warning app will appear soon – is it spying on you?


Owners of an Apple smartphone or of a smartphone running the Android operating system are informed, when updating the system software, that Apple and Google want to make official Corona warning apps possible. This confuses users, because the app itself is still a long time coming.

The claim: Google has secretly, without an update, extended its Android smartphones with the interface for the planned Corona warning apps, through which governments can spy on their citizens.

But the claims are wrong. The technical preparation of Android and iOS was not done “secretly”, but was publicly announced by both companies on April 10th. In addition, users cannot be spied on via the app. A comprehensive data protection concept was implemented, in which no geodata or contact details are recorded or transmitted. The app is developed transparently as open source, so its code can be checked.

The facts are clear

To contain infection chains, many countries are developing apps that technically record the contacts of smartphone users so that they can be notified later if one of them turns out to have been infected with the corona virus. The functions and data protection concept have been discussed in Germany since February. Initial considerations to use geodata from GPS or the mobile network to determine such encounters were quickly rejected, partly because data protection experts expressed considerable concerns.

Then there were three concepts to choose from (PEPP-PT, DP-3T and TCN), which basically pursue the same goal: using Bluetooth radio to determine the proximity and the duration of an encounter. This is how it should work: if two smartphones with the app installed come closer than about one and a half meters, they exchange anonymized number codes, which expire every 15 or 20 minutes and are replaced by a new short-term code.

The storage concept has long been the subject of controversy among scientists, data protection experts and IT entrepreneurs. PEPP-PT preferred central storage of the anonymized contact data. DP-3T and TCN argued for a decentralized concept in which the contact data remains on the smartphones and only the anonymized list of infected people ends up on a central server. The conflict was decided by the initiative of Apple and Google, which only allow their programming interfaces (APIs) to be used for a Corona warning app if the contact data is stored decentrally.

Apple and Google with Corona software updates

In the case of the iPhone in particular, a tracing app relies on these APIs in order to be able to continuously send and receive Bluetooth signals when the app is active in the background and not only in the foreground on an unlocked iPhone. Apple has so far prohibited such intensive Bluetooth radio operations for data protection reasons. On May 21, Apple released the iOS 13.5 operating system update, which also introduced a “COVID-19 contact protocol”. The protocol is initially switched off and can only be activated if an authorized application such as the planned Corona warning app from the federal government is installed.

Google delivered the function for Android smartphones on the same day, not in the form of a classic Android update, but via an update of the “Google Play Services”. With this approach, Google does not depend on the cooperation of smartphone manufacturers such as Samsung or Lenovo, some of which can take months to provide an Android update. For older devices, the hardware manufacturers often distribute software updates only at longer intervals or no longer at all. The method chosen by Google for the COVID-19 update also means that Android smartphones without “Google Play Services”, such as the latest Huawei smartphones or the Fairphone 3 with the Android variant “/e/OS”, cannot use the new APIs.

As with the iPhone, the “COVID-19 contact notifications” can only be activated on Android if an authorized app is installed and accesses the technology. The update of the “Google Play Services” alone does not cause any anonymized contact IDs to be sent or received via Bluetooth.

The claim that, with the update of iOS or the “Google Play Services”, the government can track exactly where and with whom you meet is wrong in several ways. The updates alone, without a suitable app installed, do nothing at first. And even after installing an authorized Corona warning app that takes advantage of the new technical possibilities in iOS or the “Google Play Services”, the claim is not correct. No location information is recorded or transmitted by the Corona warning app. The contact data is not on a server that the government could reach in theory or in practice, but only on the smartphones of the users. And the contact data transmitted via Bluetooth goes through a two-step anonymization process, so that the owner of the smartphone cannot be inferred from the transmitted short-term keys.
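
The decentralized scheme described above, sketched as an added example that is not code from the Corona warning app or from Apple and Google: each phone derives its rotating short-term codes from a random daily key in two steps, keeps the codes it hears only in local storage, and checks for exposure itself against the published keys of infected users. The HMAC-SHA256 derivation, the 96 intervals per day, and the names `Phone`, `short_term_code` and `simulate` are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 96  # assumption: one code per 15 minutes (page: 15 or 20)


def short_term_code(daily_key, interval):
    """Two-step derivation: daily key -> code key -> per-interval code."""
    code_key = hmac.new(daily_key, b"code-key", hashlib.sha256).digest()
    msg = interval.to_bytes(4, "big")
    return hmac.new(code_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_key = os.urandom(16)  # random, not derived from any identity
        self.heard = {}  # code -> minutes of contact; stays on the phone

    def broadcast(self, interval):
        return short_term_code(self.daily_key, interval)

    def hear(self, code, minutes):
        self.heard[code] = self.heard.get(code, 0) + minutes

    def exposure_minutes(self, published_keys):
        """Match locally: re-derive each published key's codes, sum contact time."""
        total = 0
        for key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                total += self.heard.get(short_term_code(key, interval), 0)
        return total


def simulate():
    """Constructed scenario: Alice meets Bob twice; Carol only meets Bob."""
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval, minutes in ((40, 15), (41, 10)):
        bob.hear(alice.broadcast(interval), minutes)
        alice.hear(bob.broadcast(interval), minutes)
    carol.hear(bob.broadcast(50), 5)
    bob.hear(carol.broadcast(50), 5)
    server_list = [alice.daily_key]  # Alice reports infection: only her key is uploaded
    return {name: phone.exposure_minutes(server_list)
            for name, phone in (("alice", alice), ("bob", bob), ("carol", carol))}


if __name__ == "__main__":
    print(simulate())
```

The server list in this sketch holds only the random daily key of the user who reported an infection; who met whom is computed on each phone and never uploaded.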

