SARS-CoV-2/COVID-19 tracing apps – at least one is Open Source …

**dcurtisfra** · 13-Jun-2020, 08:48

The Federal German Corona-Warn-App – “COVID-19 exposure notification app” – is Open Source – it's in GitHub …

Looking at New Zealand, for example, the government information with respect to their “COVID Tracer App” doesn't seem to mention if it's Open Source, or not …

Does anyone else have information on the Open/Closed Source status of these tracking apps?

My personal opinion is that, everything that looks or smells like a citizen's interface to their democratic government should transparent and, if it's a computing and/or electronic data interface then, all the software associated with that interface between the citizens and their government should be Open Source.

Where possible the databases should be Open Source but, let's face it, when it gets really heavy with large amounts of data then, Oracle and IBM products will be needed to reliably handle the data volume …

**tsu2** · 13-Jun-2020, 20:18

I haven't see anyone describe those apps as open source or not (or for that matter how licensed),
To date I've only observed descriptions how they work which would generally mean that it'd be very easy to reverse engineer or guess how the code works...
It's not the same as making the code open for inspection but enough to make educated guesses where there might be security vulnerabilities.

To date,
IIRC those apps appear to use BT scanning to look for any other identifiable devices within range of the scanning.
All data appears to be stored mainly on the local device and not uploaded to the cloud, although of course in order to actually do the analysis, you'd need network connections and a way to transport data to where it can be analyzed.

At least on Android devices, it's debatable how much this design compromises privacy since data is mainly stored on the local device and device names used by BT aren't usually tied to personally identifiable data. On the other hand, I wonder if problematic 30' BT scans is a desirable or reliable way to discover other devices... It's better than nothing and might help contact tracing but have serious questions whether it can replace old fashioned human detective work.

TSU

**dcurtisfra** · 14-Jun-2020, 04:39

Originally Posted by tsu2

To date I've only observed descriptions how they work which would generally mean that it'd be very easy to reverse engineer or guess how the code works...

For the German App, the project overview, general documentation, and white papers is here: <https://github.com/corona-warn-app/cwa-documentation>.

We are building this application for Germany. We want to be as open and transparent as possible, also to interested parties in the global developer community who do not speak German. Consequently, all content will be made available primarily in English.

The solution architecture is here: <https://github.com/corona-warn-app/c...rchitecture.md>.

This document is intended for a technical audience. It represents the most recent state of the architecture and is still subject to change as external dependencies (e.g. the framework provided by Apple/Google) are also still changing.

**tsu2** · 14-Jun-2020, 08:40

based only on a hyper-skim of the solution architecture,
3 items I generally look for jump out at me...

1. Like the other apps you asked about, the solution relies on BT broadcasts. You have to understand how crude this is when the WHO recommended standard for separation is 1-2 meters... BT scanning generally has a range of 10 meters, so in a crowded situation (the documentation suggests public transit) imagine how many devices are unnecessarily picked up.... approx 25x the coverage area, and that's only on average. I've personally tested BT range and have easily tripled the radius (range) in optimum conditions.

I understand BT scanning is commonly used because it's convenient, but although it would encounter significant privacy issues I would opt for common commercial GPS which would be accurate to 2 meters(but all concerns can be addressed, just requires more work and possibly longer regulatory authorization). I don't remember for sure, but IIRC early tracking apps in China were supposed to be using GPS which wouldn't be a problem there due to lack of privacy concerns.

2. The BT scan identifiers are ephemeral and not persistent. This would mean nearly real time analysis to use the identifier before it expires. I hadn't read this level of technical description of other apps so don't know if this is unique or not. Bottom line is that using ephemeral data has pros and cons... First it puts a burden on timely analysis which requires always on, reliable network connections and plenty of data flying back and forth. Is this more of a data risk or efficacy than using more persistent identifiers? I don't know. If identifiers are more persistent, it also means that analysis which might have missed initially might later reveal something new and important. An example scenario which is commonly given is when someone is pre-symptomatic. Once identified, Contact Tracing usually investigates up to 5 days before results or onset of symptoms, but that won't be possible if data has gone stale. If the interactions are preserved somewhere (ie Ephemeral identifiers used to create persistent identifiers), then there are possible data privacy issues.

3. Unless I'm missing something, the BT scans rely on people signing up and installing the app on their mobile devices... aka requiring "opt-in." I don't know how effective an opt-in can be when success relies on a very high, perhaps 100% participation. I hope this won't mean like many other approaches to the pandemic (like non-medical face coverings) that "something is better than nothing."

TSU

**dcurtisfra** · 15-Jun-2020, 02:20

Originally Posted by tsu2

but IIRC early tracking apps in China were supposed to be using GPS

Ahhh … The difference between “Tracking” and “Tracing”:

“Tracking” means “where and when” – meaning, government authorities can check if infected people are breaking the quarantine regulations …
“Tracing” means “I was near someone who has been medically tested as being positive” – I can make a decision to visit a medical facility to test if I am infected, or not …
“Tracing” also means, a central database is recording if suddenly large numbers of people have been in the proximity of people who have been medically tested as being positive.
“Tracing” does not record where the proximity occurred – only when the proximity occurred. Meaning that, it's easier for health authorities to approximately determine who has possibly been infected and, on questioning the person with the App installed when they arrive for their test, roughly where the proximity happened …

**Kuffy** · 06-Oct-2020, 04:47

The whole track and trace thing seems to be shambolic in the UK. I use the WiFi in suoermarket cafes quite a lot, and I may stay at my table fir 4 or 5 hours. The forms that I complete don't have any space for thre duration of my stay. I don't install apps on my phone, and I wouldn't enable location services anyway, si I'm not sure how they can check for proximity while I am sat in a corner of the restaurant. It also appears that the software isn't working. I'm 78, and I've lived through 4 pandemics with little more than the odd sniffle, so I probably have long term immunity, especially as I haven'y been vaccinated fior around 60 years, and I don't take any pharmaceuticals. I'm not really concerned about the Kung 'flu virus, after all it is at no 36 in the severity ranking I believe, but I am concerned about the government actions such as track and trace. It appears to have no benefit in controlling the spread of immunity ( some call it infection ), but it does provide a gateway to location tracking of the population.

Apologies if this post is approaching a political statement.