Get a push message when you see an infected person? An app could soon make this possible – without endangering user privacy.

When the draft to amend the Infection Protection Act recently stated that the authorities wanted “to use technical means to track contacts”, there was great excitement. Cell phone tracking in the fight against Corona sounded suspiciously like trying to use the grace of the crisis to undermine a surveillance tool. It didn’t take long for the passage to disappear from the bill.


However, the topic is not settled. Because the first phase of the restrictions on freedom will be followed by a second phase in which the virus has to be hit exactly where it rages. Large-scale tests are aimed at finding more and more infected people who have never been on the screen, for example because they show no symptoms. If this succeeds, the next step is to trace the path of the infection in order to find the suspected infected. Not an easy task, who will remember who they approached within the two-meter zone in five days of incubation.

This is where the smartphone comes in, which more than two thirds of Germans have. It could provide valuable services as a contact person – if it weren’t for data protection: the Federal Constitutional Court classifies movement profiles that could be useful to epidemiologists as extremely sensitive to fundamental rights.

Corona virus updates – twice a day via email or push message


All reports on the current situation in Germany and worldwide as well as the most important news of the day – twice a day with SZ Espresso. Our Newsletter brings you up to date in the morning and evening. Free registration: In our News app (download here) you can also subscribe to the espresso or breaking news as a push message.

However, the Heinrich Hertz Institute (HHI) is currently working together with the Robert Koch Institute (RKI) on a solution that is supposed to be epidemiologically precise and clean under data protection law – the crux of the matter, if you will. The result will be published in the next few days.

As an example – with improvements, of course – there is an app that Singapore uses to trace infection routes. Bluetooth radio technology transforms every cell phone into a transmitter and a receiver at the same time. This allows the app to scan which other cell phones are nearby. If it turns out that the cell phone owner is infected, all mobile devices that he has previously encountered can be warned by a push message.


The random ID protects user privacy

After installation, the app generates a random identification number that does not allow any conclusions to be drawn about the individual user and changes at regular intervals. As soon as two cell phone owners meet, the IDs are initially only stored locally on the smartphone. Anyone who receives a positive diagnosis transmits this data to a central and secure server that only RKI or HHI could access.

This information still does not provide any information about the identity of the user. Only the unique but anonymous ID of the mobile phone lands on the server, which makes it possible to communicate with the app that is installed on the device. The data is then decrypted on the smartphone and the list of IDs that were previously within range are transferred. Subsequently, possible contact persons can be notified – this would be done anonymously again: only the ID would be visible, not the name. These individuals would then be asked to undergo testing and remain in quarantine until diagnosis.

The Bluetooth Low Energy radio standard could be used, which is particularly energy-saving and only extends a few meters. This would be an advantage in this case, since only smartphones would be recorded whose owners actually had a risk of infection. Only devices that come close enough to the cell phone of the infected person are to be saved so that the virus could skip between the owners. Older data that have no epidemiological value should be deleted automatically.


“Protection against infection and data protection can be reconciled”

What makes things attractive for data protection experts: The app should do completely without personal data and in particular without the sensitive position data of the users. That says Ulf Buermeyer, chairman of the Society for Freedom Rights and therefore not suspected of trivializing anything; his association would probably be the first to support lawsuits against a solution that could be attacked by data protection law.

Together with the Mainz professor Matthias B├Ącker he has on analyzed such a solution, which should come close to the plans of the Heinrich Hertz Institute. Her conclusion is positive – because only the contact persons learn that they have approached an infected person in the past few days. “This allows infection protection and data protection to be brought together,” says Buermeyer.

However, this will only work if as many cell phone owners as possible install the anti-corona tool – on a voluntary basis, because a forced distribution of the app is currently not conceivable. In a country that invented data protection, it should be a real communication challenge.


Whether digital virus control will ultimately be successful will depend on another factor. The test capacities must be large enough so that every suspicious transaction report can be checked immediately. Because if the push message “Contact an unknown person” really goes into quarantine for two weeks voluntarily and on suspicion to wait for a test, it would be better not to trust that.