This post is part of a series on contact tracing apps. You can read our introduction to the series and get links to the other entries here.
In March 2020, the Austrian Red Cross, in co-operation with Accenture Austria and the Uniqa private foundation, introduced an app called Stopp Corona to trace contacts for preventing the spread of COVID-19. This app has been endorsed by the Austrian government.
By storing all contacts a user has had within two metres of another user over the previous 54 hours that lasted longer than 15 minutes, infection chains are being tracked and users warned if they have had contact with a user who issued a warning via the app that they have tested positive for the coronavirus (or are at least suspected of having it). Users will also be notified about false positives.
Will Austrian citizens without the app be excluded from attending public events?
Although the app has been downloaded more than 400,000 times so far, this number is way too low for the purposes of the app. An Oxford university study shows approximately 60 per cent of the population would have to use a contact tracing app for it to be effective.
To increase the number of users, the Austrian government considered providing key fobs with a similar functionality of the Stopp Corona app so that people without smartphones can use the functionality too.
The president of the Austrian parliament issued public statements for the app to be made mandatory, which led to a lot of emotional public discussions and was also the subject of debates this week on further amendments to the Austrian Epidemic Act. The opposing parties were concerned that the government may require its citizens to have the contact tracing app installed before being allowed to attend certain (public) events.
The government later clarified in its suggested amendments to the Austrian Epidemic Act that having a contact tracing app installed may not be used as a way of controlling access to (public) events. For the time being at least, the government does not plan to make the use of a contact tracing app mandatory.
From manual to automatic handshakes
The first published version of the Stopp Corona app required users to log their contacts via a 'manual' handshake. In the current version, however, the app already allows contacts to be traced automatically, depending on the device and its configuration.
The automatic handshake functionality is based on the discovery and messaging functionality of the p2pkit developed by the Swiss company Uepaa, which uses Bluetooth and Wifi-direct techniques to determine the distance between the users.
Devices will not pair via Bluetooth, but instead compare each other's signal strengths (discovery function). If they are similar, the app draws the conclusion that the two phones are in close proximity to each other.
For communicating with each other, the devices will share pseudonymous tokens, which are renewed at regular intervals (messaging function).
The server is hosted by the Austrian Red Cross, the data being stored on a cloud server in Germany. To trace the user’s contacts, the Stopp Corona app processes personal data like time stamp, app ID (unique key of service of p2pkit), user ID (unique user pseudonym, only uses for handshakes), operating system (OS) and OS version, device mode and p2pkit version.
Transparency increased by publishing source code and data protection assessments
Before the app was published, a comprehensive data protection impact assessment was conducted and regularly updated due to new versions of the Stopp Corona app being developed and published. Data protection audits by universities and non-profit organisations (including Max Schrems’ NYOB) have assessed the app as being 'data protection friendly' to a large extent.
Features that were criticised in these data protection assessments (eg the statistic functionality) either were quickly eliminated via hotfix updates or are currently under development and should soon be fixed.
On 24 April 2020, the Austrian Red Cross also published Stopp Corona's source code to enhance further development of the app.
Other posts in this series:
- Round 1: What’s happening?
- Round 2: Legal considerations for companies that want to use contact tracing
- Round 3: Are companies required to use contact tracing?