corona-warn-app / cwa-documentation

Project overview, general documentation, and white papers. CWA development ends on May 31, 2023; users can still warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Privacy Statement, Compliance, and the elephant in the room #246

Closed strufepub closed 4 years ago

strufepub commented 4 years ago

Thanks everybody for doing a great job, and really important work.

I guess that you'll have plenty of other stuff to do, given that the app was advertised to be in the stores tonight, already, and should be publicly presented tomorrow. I also appreciate the great statements about implementation security and the colorful claims regarding GDPR compliance. But I'm wondering about a few things. First of all there still doesn't seem to be the promised 'data privacy concept', and I also haven't found the "comprehensive privacy statement to be as transparent and clear as possible" for review and commenting, anywhere in the repo. I'd be really interested, as it seems to me that the app does what it can, but it conveniently leans on the Apple/Google API without mentioning any of the well-known privacy issues that are due to the protocol. I wonder how this project can claim GDPR compliance, given that users that have tested positive can be identified using the app, and that their whereabouts can even be traced throughout all the days for which diagnosis keys are published. The problems have been discussed extensively (and even by the DP3T team, well before the project started), yet you seem to promise the users that using your app (which in turn uses the Apple/Google API) cannot cause them any harm, or privacy loss, which clearly seems to be wrong. I would have liked to comment on the privacy statement ahead of publication time of the app, as I believe that this information definitely has to be part of it (probably to nobody's advantage or disadvantage, as nobody ever reads privacy statements, these days -- but it would probably have been a sensible safety measure for the developing companies, which otherwise may face charges under the GDPR, right).
In the same vein I'm wondering if there's already a project plan for the time after launch, to develop a more privacy-preserving version (I know that there are several people that will be happy to help, although I doubt that Apple or Google will be interested in improving their parts, as the PR stunt has worked, and they probably aren't that much interested in user privacy, after all...).

Summarizing: when can we comment on the privacy statement, when will the data privacy concept be available for commenting, and when will the project for the second version be kicked off?

PS: https://tracing-risks.com/ gives a great first overview of privacy risks, that should either be mentioned in the privacy statement, or, even better, be dealt with in the system!

SebastianWolf-SAP commented 4 years ago

Dear @strufepub,

we published RKI's privacy notice (German, English) already last week and it has seen several improvements since then, also because of valuable feedback by the community. Moreover, as you wrote this issue, we published the data protection impact assessment along with the corresponding annexes. You can find all the links in the README.

Moreover, thank you for your understanding that we can't comment on project plans here.

The responsible entity for the data privacy notice is the Robert Koch Institute. You can find the contact information in the notice itself. For infrastructure/app-related questions/issues etc., feel free to open issues here, but please be concise and avoid speculative or derogatory statements such as "PR stunt" or "they probably aren't that much interested in user privacy".

Thank you very much and happy reading!

Mit freundlichen Grüßen/Best regards, SW Corona Warn-App Open Source Team

strufepub commented 4 years ago

My sincere apologies, looking through the Repo I hadn't found the privacy notice, and there still isn't any data privacy concept, right? Thanks for the link to the DPIA, I'll be happy to have a look.

In any case - attacks have been published and widely discussed that easily allow an adversary to (a) identify who of the contacts they've met has been infected - and given the publication of diagnosis keys that are valid throughout 24h it is simple to link all corresponding temporary disclosure keys (and hence learn about other locations a user has been to during the same day). So the statement "the App does not collect any data that would allow the RKI or other users to infer your identity, health status or location" from the Privacy Notice seems ... misleading, at best (anybody who's collecting BLE beacons can identify those individuals from their respective vicinity who've been tested positive and so shared their diagnosis keys)? This threat also isn't mentioned in 6.c, where the process of sharing test results is discussed. I'm not here to troll, although I understand that you may get that impression, given the rather political history around SARS-CoV-2 proximity tracing. I sincerely believe that the project is important - but I am also worried about false claims (which the privacy notice is currently making), and, hence, also about user acceptance or user disappointment, when they are pointed out as having infected their neighbor's grandmother, or worse. Especially the latter in my opinion is a strong motivation to think of the next steps, and improving the protocol, as widely discussed in the community.

Thanks for your work,

-- t
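To make the linkage property discussed in the comment above concrete, here is an added Python example; it is not code from the Corona-Warn-App project or from the comment's author. It models the Exposure Notification key schedule the app relies on: one temporary exposure key (TEK) is valid for a day of 144 ten-minute intervals, an RPI key is derived from it with HKDF-SHA256 (info "EN-RPIK"), and one rolling proximity identifier is produced per interval. Once such a key is published as a diagnosis key, every identifier of that day can be recomputed, so sightings recorded at different times and places become linkable to one device. For comparison it also runs a hypothetical variant with an independent key per interval, where a published key only ever accounts for one sighting. Assumptions: the identifier derivation uses HMAC-SHA256 truncated to 16 bytes in place of the specification's AES-128 so the block runs on the standard library alone (the linkability argument does not depend on which PRF is used), and the TEK, seed, interval numbers and places are constructed sample values.

```python
"""Why a 24-hour diagnosis key links every beacon of that day (added example)."""
import hashlib
import hmac
from collections import defaultdict

ROLLING_PERIOD = 144        # ten-minute intervals in one day, the EN rolling period
DAY_START = 2_650_000       # constructed ENIntervalNumber for the start of a sample day


def derive_rpik(tek: bytes) -> bytes:
    """HKDF-SHA256(TEK, salt=None, info=b"EN-RPIK", L=16), written out with the stdlib."""
    prk = hmac.new(b"\x00" * 32, tek, hashlib.sha256).digest()                 # extract, empty salt
    return hmac.new(prk, b"EN-RPIK" + b"\x01", hashlib.sha256).digest()[:16]   # expand, one block


def rolling_proximity_id(rpik: bytes, enin: int) -> bytes:
    """One 16-byte identifier per interval number.
    ASSUMPTION: HMAC-SHA256 truncated to 16 bytes stands in for the spec's AES-128
    so that no crypto library is needed; the linkage property is unchanged."""
    padded = b"EN-RPI" + b"\x00" * 6 + enin.to_bytes(4, "little")
    return hmac.new(rpik, padded, hashlib.sha256).digest()[:16]


def identifiers_for_key(tek: bytes, start: int, period: int) -> dict:
    """Every identifier a key produces during its validity period, mapped to its interval."""
    rpik = derive_rpik(tek)
    return {rolling_proximity_id(rpik, start + i): start + i for i in range(period)}


def link_sightings(published_keys, sightings):
    """Group recorded sightings by the published key that reproduces their identifier.

    published_keys: list of (tek, start_interval, period)
    sightings:      list of (enin, place, rpi) as a passive BLE receiver would store them
    Returns {key_index: [(enin, place), ...]} in sighting order."""
    groups = defaultdict(list)
    for idx, (tek, start, period) in enumerate(published_keys):
        known = identifiers_for_key(tek, start, period)
        for enin, place, rpi in sightings:
            if known.get(rpi) == enin:          # identifier and interval must both match
                groups[idx].append((enin, place))
    return dict(groups)


def run_scenario():
    """Constructed scenario: one phone observed at three places on one day."""
    visits = [(DAY_START + 12, "tram"), (DAY_START + 60, "office"), (DAY_START + 130, "supermarket")]

    # (1) Deployed design: one key covers the whole day and is later published as a diagnosis key.
    tek = bytes(range(16))                      # constructed key, not a real one
    rpik = derive_rpik(tek)
    daily_sightings = [(enin, place, rolling_proximity_id(rpik, enin)) for enin, place in visits]
    daily = link_sightings([(tek, DAY_START, ROLLING_PERIOD)], daily_sightings)

    # (2) Hypothetical comparison: an independent key per interval. Publishing all of them
    # still allows exposure matching, but no published key ties two sightings together.
    seed = b"constructed-seed"
    interval_keys = [hmac.new(seed, i.to_bytes(4, "little"), hashlib.sha256).digest()[:16]
                     for i in range(ROLLING_PERIOD)]
    split_sightings = [
        (enin, place, rolling_proximity_id(derive_rpik(interval_keys[enin - DAY_START]), enin))
        for enin, place in visits
    ]
    per_interval = link_sightings(
        [(k, DAY_START + i, 1) for i, k in enumerate(interval_keys)], split_sightings)
    return daily, per_interval


if __name__ == "__main__":
    daily, per_interval = run_scenario()
    print("one daily key  ->", {k: [p for _, p in v] for k, v in daily.items()})
    print("per-interval   ->", {k: [p for _, p in v] for k, v in per_interval.items()})
```

With the daily key, all three sightings fall into a single group, which is exactly the trace through tram, office and supermarket the comment describes. With per-interval keys each sighting stands alone, at the price of publishing 144 keys per day instead of one; that upload-size and download-size trade-off is the reason the deployed protocol uses daily keys, and it is the trade-off any "more privacy-preserving version" would have to revisit.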

SebastianWolf-SAP commented 4 years ago

If you are of the opinion that the privacy notice and other documents are wrong or if something is missing according to GDPR, please reach out to the RKI or the Federal Commissioner for Data Protection and Freedom of Information.

Mit freundlichen Grüßen/Best regards, SW Corona Warn-App Open Source Team