SwissCovid App Facts

What are your questions or worries in regards to the SwissCovid App?

Together with an alliance of civic organisations, answers have been compiled to the most common questions at swisscovid-app-facts.ch, starting a campaign today for an aware and informed citizenry which coincides with the public launch of Switzerland’s contact tracing app.

We have had an active discussion on some of these topics in our community for weeks, and are happy to dig into the facts and figures. Please check out the site + spread the word (e.g. tweet @coronaappfacts) + ask anything on your mind!

Here is a translation in English, with help from DeepL and redacted by me:


Here you will find answers to the most common questions

Will the app get me targeted by tech companies?

Yes.

Apple and Google provide operating systems for the majority of Swiss mobile phones. The app runs on this operating system without revealing your location data, name, contact list, fingerprint or face recognition imprint to Google or Apple. On the other hand, tech companies can collect a lot of information about your person through other apps on your device.

The cloud services provider Amazon provides servers through which encrypted codes are passed from the app. These servers are only used to transfer the codes, activated after a positive test on Covid-19, to other mobile phones. Amazon does not have any information about your movements, your phone content, or your contacts.

Over 95 percent of smartphones in Switzerland use iOS (from Apple) and Android (from Google) as their operating system, which make it imperative to work with these two companies for developing the app. The special interfaces can only be used for official (government approved) tracing apps that function on a decentralized basis. This means that they only store the traced contacts on the users’ mobile phones, and not on external servers.

To estimate the distance between two mobile phones, the app uses Bluetooth Low Energy signals. To ensure that these signals are sent and received efficiently when the app is not open or the display is locked, this function must be an integral part of the mobile phone’s operating system.

When you use the SwissCovid app, you leave less data traces than when using many other apps.

What happens inside iOS and Android is difficult to check from the outside. Even the authorization function on the device does not provide clarity. This also applies to the parts that send and process the recognition codes required for the app via Bluetooth. In order to meet the transparency requirements, these parts would also have to be verifiable by external experts.

Every communication possibility of your mobile phone - including the use of normal telephony, of WLAN or Bluetooth - inherently carries the risk for an attack to be carried out.

Amazon Cloudservices

Amazon, known primarily as an online shop, is one of the largest providers of digital infrastructure worldwide. For the fail-safe distribution of keys to the recognition codes, which are made available to all users, the Swiss government uses the infrastructure of Amazon in Frankfurt. This location is subject to EU Data Protection laws.

The above-mentioned keys do not give any indication of where you have been, when, or with whom. The keys, which are sent via the Amazon Cloud, are only used to compare positively tested contacts on your own mobile phone. This matching can only be done on your own mobile phone.

Does the government app scan my mobile phone?

No.

The government has no data about your movements, contacts, other apps, or any other information from your mobile phone. Only a code that changes daily and from which the recognition codes are derived is stored. Nobody knows who you are through this code - but the app can still use it to inform people who have had contact with you. All recognition codes stored on your phone will delete themselves after 14 days.

The SwissCovid app does not register location data or any other information about the behaviour of the users. A list is kept in which data is entered from another mobile phone - which also has the app installed, and was in the vicinity long enough to be infected: a distance of about two meters or less. These entries do not provide any information about the identity of the persons with whose mobile phone a contact was registered, nor about the location of where the contact took place.

These data are stored decentrally, i.e. on the mobile phones of the users, and are deleted after 21 days.

The new amendments to the Epidemics Act adopted for this purpose also stipulate that the collected contact data may only be used to trace possible Covid-19 infection and not for any other tasks or diseases. When the Coronavirus epidemic is over, the app is finished, according to the law.

It is also important to note that the use of the app is always voluntary, and may not be used as a pre-condition of access, such as to restaurants or the workplace.

Does the app clog up my Bluetooth?

No.

The app uses a kind of „Bluetooth light“ (Bluetooth Low Energy), which only sends the smallest amount of data - the recognition codes. This has no effect on your other Bluetooth usage. You can continue to listen to music without quality disruptions or bandwidth limitations.

You can still use Bluetooth to connect headphones or speakers to your phone. The signal the app uses will not interfere with the usual Bluetooth functions. Your Bluetooth must always be activated for the app to work.

By using Bluetooth Low Energy, and thanks to the new interfaces in Apple and Google operating systems, the SwissCovid app is as energy efficient as possible. The power consumption is slightly increased by its use. Tests carried out by the developers showed that the app consumes between 0.01% and 5% of the daily output.

Since Bluetooth is a form of radio technology, other devices with appropriate antennas and evaluation software can also receive the signals belonging to the app. For example, someone could build a device that can determine whether you have the app or not. Scientists and hackers all over the world will try to find out whether this can be used to do harm or mischief.

To give a demonstrated example: with the right equipment, your recognition code can be forwarded to another location, so that other contact tracing apps would think you were in several places at once.

Does the app drain my battery?

No.

The app uses a minimal version of the Bluetooth signal. In addition, it does not require any noticeable amount of memory or computing power. You should not notice additional energy consumption in daily use.

By using Bluetooth Low Energy and thanks to the extension and interfaces in the operating systems of Apple and Google, the SwissCovid app is designed to be as energy efficient as possible. Power consumption is nominally increased using the SwissCovid app. However, if you have normally turned off Bluetooth, the continuous use of the Bluetooth function can take up to 5% of your battery life.

You can still use Bluetooth to connect headphones or speakers to your phone. The signal the app uses does not interfere with your usual Bluetooth functions. Your Bluetooth must always be activated for the app to work.

Since Bluetooth is a form of radio technology, other devices with appropriate antennas and analysis software can also receive the signals associated with the app. For example, someone could build a device that can determine whether you have the app or not. Scientists and hackers all over the world will try to find out whether this can be used to do harm or mischief.

To give a demonstrated example: with the right equipment, your recognition code can be forwarded to another location, so that other corona apps would think you were in several places at once.

Does the app slow down my mobile phone?

Kind of.

The app uses a minimal version of the Bluetooth signal and does not require any noticeable memory or processing power. Your other apps, games, phone calls or internet access are not limited by this.

However, on older iPhone models, the need to install the latest iOS 13.5 operating system may cause the device to slow down. For Android devices, no issues of this type are known so far.

By using Bluetooth Low Energy, the app has no noticeable effect on the computing speed of the hardware. Even the permanent activation of the Bluetooth signal hardly affects the performance of your mobile phone.

However, on older iPhone models, the necessary installation of the latest operating system (iOS 13.5) may slow down the device, as Apple has built in a processor slowdown in favour of battery performance. However, this feature can be adjusted in the settings. Devices older than the iPhone 6S (before 2015) do not support the new operating system, so they cannot use the SwissCovid app.

With the Android operating system, only an update of the Google Play Services system app is required. Due to the wider ecosystem of different Android devices (Samsung, LG, Huawei, Fairphone…) the system is more agile and the issue is reduced.

Can other people see if I have the Coronavirus?

No.

The app keeps you anonymous, and does not give any instant alerts. Other users of the app cannot see whether you have installed the app or whether you are infected - and you cannot see that, either. Only if you have been for long enough near to someone who tested positive for Covid-19, will you be afterwards notified by the app. Through this notification, no one will know the contact or the exact time. But the message serves to warn you, and gives you information about possible next steps.

Neither you nor others can find out who might have infected whom just with the app. The app notifies you via notifications if you have been exposed to an increased risk of infection. An increased risk of infection means that you have been less than 1.5 metres away from one or more people who have tested positive for more than 15 minutes over 24 hours. You will not be told which of your contacts have tested positive for Covid-19. Neither will your identity be revealed to the people you have been in contact with if you register as infected in the app.

If your phone was long enough in the vicinity of another phone with the app for you to be infected, the two phones will store each other’s current recognition codes. With these codes, the mobile phones can remember that contact has taken place. The recognition code does not contain any other information, such as name, phone number or address. If someone is known to be infected with the app, your phone can then check its internal list, which is synchronized with servers, to see if there are any infectious contacts - and warn them.

The app does not use GPS data, cell phone antennas or other geolocation methods. The app only uses Bluetooth Low Energy and registers contacts between phones that have been close to each other for a certain amount of time. This kind of signal extends to several meters.

Do I need to install the app?

No.

Installing the app is completely voluntary, and you can remove it completely at any time. So you can download it for free from your Apple or Google store to test and view it, and you can delete it if you’re unsure. However, the impact of the app grows with every person who installs it.

The law on the SwissCovid app states clearly that the App is voluntary for everyone. Additionally, noone may be discriminated against - treated better or worse - depending on whether he or she has the app or not. Not by the authorities, not by companies, not by individuals. Every contract, every agreement that contradicts this is automatically invalid.

Furthermore, the Data Protection law applies: A company, for example, may not record which of its employees has the app, and who doesn’t. Accordingly, bosses may recommend the app, but enforcement would be illegal. If someone tries to put you under pressure: refer them here.

Does the app run on my old phone?

Kind of.

In order for the app to work, Apple (iPhone) and Google (Android devices) have added an extension that only works with an update on the device.

As long as you have a device that runs with the latest update from your manufacturer, the app will work. These updates are usually offered to you regularly with a notification, or even installed automatically in the background.

The SwissCovid app currently only works on phones that have the latest update installed. For iPhones, at least version 13.5 of iOS must be installed, for mobile phones running Android, version 6 is required, with the latest update from Google Play Services. The mobile phone must also be able to access Apple and Google App Stores to download the SwissCovid app.

For Apple devices, smartphones with the iOS 13.5 operating system are supported. This can be installed on iPhones back to generation 6S and SE.

To install the app, 10 MB of free memory is required, which corresponds to the data volume of three medium-sized photos. Once installed, the app requires an Internet connection and activated Bluetooth function. By 2013 at the latest, practically all mobile phones were equipped with Bluetooth Low Energy. With older mobile phones, the question of battery life arises - but there is only one thing that helps: try it out!

Do I need to keep the app open all the time?

No.

Once you have installed the app and your Bluetooth connection is active, the app will run in the background. In order for it to receive information about currently reported Covid infections, your phone must be connected to the Internet from time to time. Once a day should be enough.

Once you have installed the app, all it needs is an active Bluetooth connection to register contacts. You do not need to open the app to do this. For the app to work, you also need to be connected to the Internet regularly - but not all the time.

An Internet connection is necessary, so that the app can check whether you have come into contact with any people who have been reported to the app as infected. In order to receive indication of any contact with Covid-19, your app must regularly download these reports.

Do hackers get into my phone?

Kind of.

Unfortunately, there is no absolute security in the realm of digital communication: if your phone has Bluetooth enabled, it becomes less secure per se. Your phone is safest in airplane mode…and also least useful. With some technical effort, the signal that the app exchanges can be intercepted or forwarded. For example, you could build a device that checks if someone walks by with the app, and automatically takes a picture of the person. In this way, the person and the recognition code could be linked and, for instance, put on the 'Net.

Since Bluetooth Low Energy is radio technology, other devices with corresponding antennas and evaluation software can also receive the signals belonging to the app. For example, someone could build a device that can determine whether you have the app or not. Scientists and hackers all over the world will try to find out if this can be used to do harm or mischief.

To give a demonstrated example: with the right equipment, your recognition code can be forwarded to another location, so that other corona apps would think you were in several places at once.

The first statistics on SwissCovid app usage are now available, published by the FSO here from a daily count of active apps.

"The number of active SwissCovid apps is measured based on the automatic contacts made by apps with the proximity tracing system to update the configuration data. These automatic contacts takes place several times a day and are used to calculate the number of active apps per day. The resulting number corresponds to the number of app users. The monitoring includes all persons who have downloaded the SwissCovid app to a mobile phone from 25 June 2020 onwards.

I’ve used the current population estimate to put together a quick chart:

:chart_with_upwards_trend: https://datawrapper.dwcdn.net/4rhGH/1/
:clipboard: https://morph.io/schoolofdata-ch/swisscovid-stats
:hammer_and_wrench: https://github.com/schoolofdata-ch/swisscovid-stats

Bonus: a screenshot of the website into poster format is here in case you want to do some promotion for the campaign in a physical location - :printer: Print at Home (PDF, SVG)

In a call yesterday with colleagues from the Open Knowledge network, I was asked what lessons were learned from the SwissCovid app, as other countries grapple with the virus and seek to implement their own solutions. The main points, in my off the cuff opinion:

  • It began as an open source, non-commercial, and otherwise reasonably unbiased endeavor.
  • The app was heavily beta tested, vocally, and publicly, by civil society, the government, the military, …
  • With a decentralized cryptographic design, it protects our privacy - something we are carefully watching.

It’s no miracle cure: we do not know whether it will be „successful“, or even reach it’s target deployment goals. We do believe it is an important instrument for public health with the potential to save lives. Through grassroots action, like this campaign - and by keeping the conversation going in our communities, we can help make the most of it.

If you are interested in putting together the whole story in a blog post, please reach out. Here are a couple of initial references:

https://blogs.ethz.ch/id/2020/06/26/swisscovid-app/
SwissCovid-App
Ein Einblick in die Pilotphase von den Informatikdiensten. Die Swiss Proximity-Tracing App steht seit Donnerstag, 25. Juni 2020 allen interessierten Nutzerinnen und Nutzern zum Download zur Verfügung.

We’re en route to hitting a million users in the days ahead, as the stats show. That’s a rather amazing result for any app - including ones of the online dancing and dating variety - and here we are talking about a public health initiative. Wow!

Developer Ubique has, by the way, updated an inspiring piece on their blog, which you should read (if in a public space, then of course while wearing a mask :mask: #maskenpflicht) about the hackathon roots of their app’s design:

It all started in the last week of March: the idea of proximity tracing and first approaches from Asia were discussed in the media. Inspired by Marcel Salathé’s concept „One Step Ahead“ we wanted to show that … proximity tracing can also be implemented while respecting privacy. Anything else would not have been acceptable to Switzerland from our point of view and it was important for us to be able to present a solution before there were copies of the surveillance state approaches.

That is how it came about that we worked day and night on the implementation of an open source project in the hackathon „#CodeVsCOVID19“ at the end of March. Within a few days we developed a working prototype for decentralized proximity tracing: The Next Step app.

What we held in our hands after this short but intensive time made us quite proud. We were among the first to implement the idea of a privacy-protecting proximity tracing app. However, we didn’t know how our development would later play a role in containing the virus. And whether our project would meet with approval.

To express our approval, we could do (much) worse than follow the example of Felix, and decorate our social media profiles…

And Klaus, lieber Klaus, that’s a very tight-fitting cap, and you really ought to be wearing a mask - but you’re on the right track too!..

Roughly translated: this is Klaus. Klaus wants to in the future go to sport events, concerts and parties, so he downloaded the app. Klaus is smart. Be like Klaus. The tweet is from a local hockey club.

On a more serious note, with all those downloads there are surprisingly few questions or criticisms, at least on a cursory glance at social media. I have overheard generally positive comments while getting about my day. A common misunderstanding seems to be around the fact that the App is not a replacement for registering visitor data in public spaces:

One more tweet that made me smile:

I’ve had the SwissCovid App installed for a week and have still not mastered a new Level or at least encountered any Others. Nothing. Nothing at all. (Pokémon-related discussion follows…)

Stay tuned.