„Simply. Sure. Paperless.”- Doomed?
By Dr. Christian Schläger, CEO of Build38
Germany longs for a reopening, which is noticeable and understandable. The digital proof of vaccination is intended to help these efforts to break through and is expected to do much – possibly too much – in a very short time. The CovPass app is designed to provide reliable evidence for vaccinated people while tracking contacts.
However, the combination of highly personalized information such as proof of vaccination and anonymous tracking of encounters is doomed from the very conception. Here we try to combine two basic and contrary requirements in one medium. According to the RKI data protection declaration, personal data is only collected pseudonymised and deleted or replaced by new data after 30 days at the latest. This procedure, which is a central argument for the trust of the app, is now counteracted.
In addition, there are problems with the authenticity of the uploaded vaccination certificates. The fact that any vaccination certificate can be stored in the Corona Warn app and fraud is already actively happening with certificates of other people was predictable in view of the half-baked validity checks. The task of combining identity and proof must be carried out in the warning app by a controlling person-i.e. name and identity card displayed in comparison. This is fraught with errors and shifts the responsibility from the app back to already burdened people at ticket offices, restaurant tables, entrance barriers and theater doors.
The Corona Warning app must not become a collection container for all possible app functions, just because they offer a supposed additional benefit. It should be limited to its core function in order to provide as little attack surface as possible for misuse and to be able to guarantee data security. Because secure data processing also means choosing the right vehicle for user processes and data.
To ensure that the digital proof of vaccination does not cause more damage than it provides benefit, reliable protection of the uploaded certificate is just as crucial as the data security of the identity of the user, issuing authority, the device used and ensuring the integrity of the app itself.
High-performance technologies – also Made in Germany-are already available on the market. These have been tested and successfully used for years. So why is the consortium around Telekom and SAP inclined to develop everything new (and possibly faulty), as well as to build additional functions without respect for the appropriate software architecture? One possible explanation for this is the desire to produce and account for additional development costs. This is short-sighted, uneconomic and disadvantages the young companies in Germany that already have proven SaaS solutions on offer. The interest and willingness of German start-ups to develop and offer optimized solutions was already present before the pandemic and has only grown further in the face of the new challenges. It’s time to trust the innovativeness of the domestic tech industry instead of relying on the unrealistic promises of the tech giants.