Closed TomTeeJay closed 4 years ago
Dear @TomTeeJay ,
thank you for your question, I will communicate the opened issue to the respective team.
Best,
KM
Hi,
just regarding the iOS framework (https://developer.apple.com/documentation/exposurenotification): it seems that it is not possible for the app to delete exposure keys that have already been generated.
Kind Regards, Daniel
Also, I don't understand the use case for such a reset function if it does not delete the sent and collected IDs. According to the documentation (E03.02) the user can then reconfigure the app, but what configurations are we talking about? I'd assume that changing the language, toggling push notifications and Bluetooth, etc. can be done in a typical 'settings' menu item.
From a legal point of view: when a user deletes an app, this can be interpreted as a clear will not to use it anymore and as a clear withdrawal of any previously given consent. I refer to 3.4.1 of the audit of the Austrian Corona-Tracing App created by noyb.eu, epicenter.works and SBA Research gGmbH:
https://noyb.eu/sites/default/files/2020-04/report_stopp_corona_app_english_v1.0_0.pdf
Since the majority of data processing is based on the consent of the user, a withdrawal of consent must lead to the deletion of these data, unless there is another legal basis on which the data are processed (see Article 17(1)(b) GDPR). According to the information available, this must concern the UUID, the User IDs and the asymmetric key pair, but not the data generated or disclosed in the course of a notification.
Further, the audit discovered problems in 3.4.2 ("Data deletions apart from withdrawal / retention periods"), where multiple and opposing retention periods were quite unclear.
This app and documentation should take these issues into account.
Just changed the title to reflect the concept of data withdrawal. In my understanding, this app should be absolutely clear in its statements.
I added some more technical information in https://github.com/corona-warn-app/cwa-documentation/issues/36#issuecomment-628536276 about the deletion of the observed identifiers. To summarize: we are still waiting for more clarity on key deletion from Apple/Google.
I think it's pretty clear that Apple won't allow apps to delete the IDs or to change any permissions, since the user can do this (securely) in the main iOS settings.
Regarding the introductory text of this issue: this has been fixed in the documentation. "Ggf." has been removed.
When you delete the app, all data that is held by the app is deleted. All uploaded exposure keys will be deleted from our servers within 14-15 days. The exposure keys are held by the OS (iOS, Android). Keys older than 14 days are constantly deleted from the phone. After deactivating the Exposure Logging in the OS settings (see screenshot above) no new keys are created. For details regarding the deletion of keys within this timeframe please contact Apple/Google.
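The comment above describes a server-side retention window of about 14 days for uploaded exposure keys. The following Python sketch is an added example and is not code from the Corona-Warn-App project or from this issue; it shows how such a retention purge can be computed from the fields of a Temporary Exposure Key. It assumes the Exposure Notification time units (a rolling interval of 10 minutes, 144 intervals per day) and treats the 14-day retention and the "purge once the key's start is 14 or more days old" rule as assumptions for illustration; the key store is constructed inline.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Exposure Notification time units (from the published EN cryptography spec):
INTERVAL_SECONDS = 600        # one "rolling interval" is 10 minutes
ROLLING_PERIOD = 144          # a full day is 144 intervals

# Assumed server-side retention, taken from the comment above ("14-15 days"):
RETENTION_DAYS = 14
RETENTION_INTERVALS = RETENTION_DAYS * ROLLING_PERIOD


@dataclass(frozen=True)
class DiagnosisKey:
    """A Temporary Exposure Key as uploaded to a server (simplified, assumed layout)."""
    key_data: bytes                     # 16 random bytes
    rolling_start_interval_number: int  # first interval the key was valid for
    rolling_period: int = ROLLING_PERIOD


def interval_number(unix_seconds: int) -> int:
    """Map a Unix timestamp to an EN rolling interval number."""
    return unix_seconds // INTERVAL_SECONDS


def day_start_interval(interval: int) -> int:
    """Round an interval number down to the start of its day."""
    return (interval // ROLLING_PERIOD) * ROLLING_PERIOD


def is_plausible(key: DiagnosisKey, now_interval: int) -> bool:
    """Reject malformed or future-dated keys before they enter the store."""
    return (
        len(key.key_data) == 16
        and 1 <= key.rolling_period <= ROLLING_PERIOD
        and key.rolling_start_interval_number <= now_interval
    )


def is_expired(key: DiagnosisKey, now_interval: int) -> bool:
    """Assumed rule: purge once the key's start lies RETENTION_DAYS or more in the past."""
    return key.rolling_start_interval_number + RETENTION_INTERVALS <= now_interval


def purge_expired(keys: Iterable[DiagnosisKey], now_unix: int
                  ) -> Tuple[List[DiagnosisKey], List[DiagnosisKey]]:
    """Split a key store into (kept, purged) for the given wall-clock time."""
    now_interval = interval_number(now_unix)
    keep: List[DiagnosisKey] = []
    purged: List[DiagnosisKey] = []
    for key in keys:
        (purged if is_expired(key, now_interval) else keep).append(key)
    return keep, purged


def constructed_store(now_unix: int) -> List[DiagnosisKey]:
    """Constructed sample: one key per listed day offset, with dummy key bytes."""
    today = day_start_interval(interval_number(now_unix))
    return [
        DiagnosisKey(bytes([d]) * 16, today - d * ROLLING_PERIOD)
        for d in (0, 13, 14, 15, 20)
    ]


if __name__ == "__main__":
    now = 1_600_000_000  # fixed timestamp so the run is reproducible
    kept, gone = purge_expired(constructed_store(now), now)
    print(f"kept {len(kept)} keys, purged {len(gone)} keys")
```

With the fixed timestamp, the keys from 0 and 13 days ago are kept and the keys from 14, 15 and 20 days ago are purged. Whether day 14 itself is kept or purged depends on the exact retention rule, which is precisely the kind of detail the thread is asking the documentation to state.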
This image gives a schematic overview of how the app works.
The last step in the app lifecycle, "Deinstallation" ("Uninstallation"), says "ggf. Löschen sämtlicher Daten auf dem Gerät" ("possibly deletion of all data on the device"). This means "eventually" or "maybe" and is quite unspecific. When deleting the app, the user expects that all data is deleted. This includes system logs, crash reports, browser history and all system-wide locations that could be used to track and trace a user.
In addition to this, User Story ID E03.02 says that
This means that data won't be deleted entirely even when a user requests a reset to the delivery status of the app.
The documentation is not clear on this matter. How will the app guarantee that all data is removed entirely from a device?