Austria: First European "corona app" with 400,000 active users reviewed by noyb, epicenter.works and SBA resarch. Privacy friendly concept, that can still be improved.
- Download the English translation of the report (PDF) here
- Download the German original Report (PDF) here
- Download the press release (PDF, English) here
- Here you can find the video of the German media call (YouTube)
- Here you can find an audio recording of the German press conference (MP3)
First "Corona-App" in the EU. The Austrian Red Cross published an initial version of a "Contact Tracing App" very early on March 25th. After a fierce political debate about a possible duty to use the app - a view mainly held by the conservative Austrian People’s Party (Österreichische Volkspartei - ÖVP), it is now clear that the app will be voluntary.
The app is operated by the Austrian Red Cross (a non-profit organization) and developed by Accenture. Currently, about 400,000 people in Austria already use the app. After a heated public debate about contact tracing, the code was submitted to the privacy organisations noyb.eu, epicenter.works and the security experts at sba-research.org for a first review.
Austria relies on a "decentralised system". Many concepts for digital "contact tracing" are currently being pursued globally. There are massive data protection concerns by the public, especially in the case of central storage of this data. Approaches to completely decentralised communication from smartphone to smartphone sometimes struggle with the limitations of the Bluetooth standard and the iPhone operating system "iOS". Apple and Google have announced that they are working on a solution.
In Austria, a hybrid solution is currently being used, in which communication between the devices is still carried out centrally via servers, but all contact data is stored locally on each user's mobile phone.
Concept so far "state of the art" but DP-3T is knocking. This is exactly where the criticism of the report (link) comes in: Concepts like DP-3T allow a more privacy friendly approach that uses direct communication between phones. Only when an infection is reported, is data forwarded via a central notification server.
In a first reaction to the report, the Austrian Red Cross and Accenture have announced that they will switch to DP-3T or a similar decentralized system in a next step. Centralized tracking systems, as debated in other EU member states are therefore off the table in Austria.
Max Schrems, managing director of noyb.eu: "I think the app we have here in Austria is a pioneer in Europe with 400,000 active users. After a few weeks, the initial issues have now been identified and fixed. Once the Austrian Red Cross quickly changes to a standard like DP-3T, this app could also be used quickly in other countries. Compared to other concepts, they are already on the right track here in any case."
25 recommendations. The report also identified some weaknesses within the existing concept. 25 improvements were recommended, for 16 of these issue solutions were implemented by means of a "Hotfix". For another 7 issues a solution will be implemented in the next version of the app.
Contribution of NGOs. The organisations epicenter.works, noyb.eu and SBA Research have reviewed the app free of charge and independently. Schrems: "Especially in the current crisis trust in digital solutions is important. We hope that this review will help us to identify weaknesses, find solutions and thus increase the confidence of the users. " noyb.eu and epicenter.works are financed by supporting members.
