Closed MikeMcC399 closed 1 year ago
@MikeMcC399 Thanks. Internal Tracking ID: EXPOSUREAPP-10263
For Bavaria the question is answered on:
https://www.datenschutz-bayern.de/datenschutzreform2018/aki40.html "Current Brief Information 40: Reading and Verifying Digital Vaccination Certificates", as of 14 December 2021
"The CovPassCheck app can be used for verification. The CovPass app or the Corona-Warn-App must not be used for this."
...
"Even if it should be obvious: only a verification app (CovPassCheck) is to be used for verification, and not an app that is used to store the certificates (CovPass or Corona-Warn-App), since otherwise the certificates are not verified but are permanently stored on the mobile phone of the person performing the check."
If this is the legal position for all of Germany, then it should be added as an FAQ article on https://www.coronawarn.app.
Is there any update available on this issue? I'm uncertain how relevant it is, as, even if legally OK, the CWA team should refrain from stating that it is possible to use the CWA to verify another person's status, and instead suggest using CovPassCheck.
The screen "Certificate Verification by Third Parties" should probably explicitly forbid (or at least discourage) the use of CWA by third parties to check a person's certificates. This would be an extension of the statement:
"A visual check of the certificates is not sufficient for third parties, however. They must use the CovPassCheck app in Germany."
I'm going to bring this up to our data security team for further processing. As we cannot prevent the scanning, a text change in the CWA might be acceptable. We already have implemented a hint during scanning of new certificates in case the number of scans indicates misuse of the CWA for scanning.
The app now says "Proof of status (3G, 3G+, 2G, 2G+) is not currently relevant and therefore not displayed in the app."
Similarly the FAQ https://www.coronawarn.app/en/faq/results/#admission_policy "General information about the status proof display" says:
"Update on September 28, 2022: The status proof (3G, 3G+, 2G, 2G+) is currently not relevant and therefore not shown by the app"
Since it is not possible to verify anybody's 2G/3G status any more, then the question about it being legal or not to verify another person's status becomes academic, because it is no longer practically possible. Closing this issue therefore.
Request for new FAQ article
Add an FAQ article to:
to answer the question:
Can I legally use CWA to verify another person's 2G/3G status?
Problem
The existing documents do not seem to answer the question "Can I legally use CWA to verify another person's 2G/3G status?":
Technically it is possible to use the Corona-Warn-App to scan any compatible digital COVID certificate and read the status and content of the certificate. It does say on the certificate screen of CWA "This QR code can be verified reliably with the CovPassCheck app.", however there is no text on the CWA screen which relates to scanning another person's certificate. This is covered on the "i" information screen "Certificate Verification by Third Parties", where it says "They must use the CovPassCheck app in Germany".
This has been brought up in https://github.com/corona-warn-app/cwa-wishlist/issues/666 also.
Another related question is:
"When I offer my digital COVID certificate QR code for scanning, how do I know that the data is not being saved by the other person?"
Comments
The question probably needs to be referred to datenschutz@rki.de.
The question is not specifically answered by the FAQ article How are certificates verified by third parties.
Internal Tracking ID: EXPOSUREAPP-10263