corona-warn-app / cwa-wishlist

Central repository to collect community feature requests and improvements. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

USA #41

Open charlesvestal opened 4 years ago

charlesvestal commented 4 years ago

Please release the iOS and Android apps in the US store.


Internal Tracking ID: EXPOSUREAPP-2041

Ein-Tim commented 3 years ago

Adding here: And why other EU countries are able to do so.

yspreen commented 3 years ago

As far as I can tell, it's a decision to limit exposure to international law. Legal counsel might warn of higher bills and more exposure when opening to the international market. It's the decision to be safe from potential financial risk, making the people paying taxes for it unable to use the service in the process. That's the only reason I can think of because the decision-makers have been pretty quiet on explanations here.

Again, just speculation. It's sad that we have to turn to GitHub to discuss this political issue.


edit: seems like my suspicion is confirmed in the FAQ:

"Legal consultations have shown that in the case of publication in international App Stores, the law of the respective country must be considered and applied to the Corona-Warn-App".

TheTravelGeek commented 3 years ago

My solution as an American living in Germany who knows other Americans living in and visiting Germany: use any neighboring country’s notification app (they are literally all available in the US Apple App Store. I checked. Even Poland.) SwissCovid is my current pick, as it’s specifically integrated with Germany’s system.

And doesn’t this interoperability and data sharing completely circumvent the protection that the German law is supposed to provide (and causes the German app to be unavailable)?

yspreen commented 3 years ago

This is not about data protection. If I want to have access to the app for malicious reasons, I can simply create a new apple account with an address in whatever country I want. This would only be security by obscurity at best. If they truly cared about the geolocation of users, they could instead ask for GPS data or check the IP of the user. Both are better ways to ensure the user, not the account, belongs to the correct country.

TheTravelGeek commented 3 years ago

Yannick, how would checking GPS and IP data help (both can be spoofed/changed anyway, I think). Isn't the concern, as posted above:

https://github.com/corona-warn-app/cwa-wishlist/issues/41#issuecomment-843032246

> It's very simple. The German court ruled in July 2020 that no German data could be sent to US servers. That's the core issue.
>
> You've got data about German people's phones that you've come into contact with on your US phone. If you carry that phone back to the US within the 2-week window or sync with iCloud, you've possibly carried German citizen data to US servers.
>
> This breaks the law, so obviously the Germans have to be wary about the data-sharing & the legal ramifications.

So if I install the interoperable Swiss app from the US app store, walk around Germany with it and collect data about German citizens, and then "carry that phone back to the US within the 2-week window or sync with iCloud", isn't that violating the rules that prevent the German app from being available in the US app store? And isn't the RKI itself part of the circumvention of German law by exposing German residents' data to the Swiss app that doesn't adhere to the strict(er) German standards?

(now, none of this is going to convince lawyers, I assume, and I will happily walk around Germany next week with my F-Droid-supplied forked app and collect German data... but I think it illustrates how silly - or complex - this is and how it just doesn't work in the real world of humans and a global internet)

yspreen commented 3 years ago

Well, iCloud doesn't have servers in Germany, and I'm pretty sure their Denmark servers aren't the only ones used for iCloud Backups. So there we go, German people's data has long been stored on US servers. We can open the gates now 🎉

On a more serious note, yes. The two methods I listed can easily be spoofed. But so can the current limitation. I'm just saying: If you want to add protection to check if users are in Germany, the method you've chosen is not the most secure one, but definitely the most limiting and frustrating one for legitimate users.

yspreen commented 3 years ago

Also, I know many people who are running around with foreign apps in Germany because they have no other option. And using a foreign DB is still better than no collection at all. So maybe the path chosen has actually caused way more IDs to be transmitted all over the globe than if this limitation wouldn't have been put into place from the get-go.

Ein-Tim commented 3 years ago

Regarding iCloud: this is not important here, since the Exposure Notification API doesn't back up anything, neither locally nor to the cloud. All the data stays on your phone unless you warn others.

Ein-Tim commented 3 years ago

So IMHO the only case where the law would be violated is if I travel back to the USA in the 14-day window and then report an infection & warn others with the app. Only then does your data and that of others leave your phone; in all other cases your phone only downloads things, thanks to the decentralized approach...

For sure there's also the contact journal that could be exported in the USA and sent to anybody, but who prevents me from sharing the contact journal here from inside of Germany to a US resident? Nobody.

But I guess all this discussion here won't change anything, so I guess I'll just monitor whether something in the legal situation changes, and if so, I'm sure somebody will tell us here...

melancholyaeon commented 3 years ago

@Tim

Yes I agree the current clear text contact journal is likely an issue. Der Spiegel gave me the impression from reading its articles about this that the journal had to be added quickly under political pressure after the Luca app scandal.

And while Luca does appear to be a security nightmare - I won't use it & strenuously object to the government expenditure - it does at least avoid much clear text, which could be abused.

Have a great day.

On Mon, Jun 14, 2021 at 06:54 Tim @.***> wrote:

> So IMHO the only case where the law would be violated is if I travel back to the USA in the 14-day window and then report an infection & warn others with the app. Only then does your data and that of others leave your phone; in all other cases your phone only downloads things, thanks to the decentralized approach...
>
> For sure there's also the contact journal that could be exported in the USA and sent to anybody, but who prevents me from sharing the contact journal here from inside of Germany to a US resident? Nobody.


yspreen commented 3 years ago

I have to say: I never used the CWA. (Since I couldn't.) So I don't know about all its features and legal applications. The concept of contact journals is new to me. That being said, to me, it looks more and more like the CovPass app should be the one made available globally. This is maybe not the right place for that discussion. Is there anywhere we can turn to?

MikeMcC399 commented 3 years ago

@yspreen

> This is maybe not the right place for that discussion. Is there anywhere we can turn to?

If you are looking for contact information of the CovPass-App, they advertise a hotline on https://digitaler-impfnachweis-app.de/faq/ "If you have any questions about the vaccination certificate, please feel free to call us: 0800-4747-001 for the CovPass-App, 0800-4747-002 for the CovPassCheck-App, 0800-4747-003 for the vaccination certificate service" and the Google Play Store entry for CovPass gives an e-mail address impfnachweis@rki.de.

jucktnich commented 3 years ago

@Ein-Tim the whole system (iOS) is encrypted

Ein-Tim commented 3 years ago

@jucktnich This does not help here, I can still send the contact journal to somebody in the USA.

jucktnich commented 3 years ago

But that's your problem

Ein-Tim commented 3 years ago

@jucktnich Sure about that? I thought the RKI has to prevent that the data from German users can be transferred to US servers in any way (so they block the app in the US App Store), but you can still send your contact journal to anyone. This is a contradiction, IMHO.

jucktnich commented 3 years ago

You can write a text file with the persons you met, the same as the CWA contact journal does. But the IDs are different.

jucktnich commented 3 years ago

But that's all guessed...

Ein-Tim commented 3 years ago

@jucktnich TBH I don't really understand the whole legal part here. Why am I able to use zoom without any problems (which even shows that I'm connected to a US server) but it is not possible to make CWA available in the US.

But as said above, I'll just monitor whether something changes, because we don't even know why exactly they are not willing to publish the app on the US store...

jucktnich commented 3 years ago

I'll try to explain what I think is the problem. If you use the CWA, you're receiving the RPIs from persons who tested positive. That may be classified by the DSGVO as extremely worthy of protection because it contains health data. This would prohibit transfer to the US. In your contact journal, on the other hand, is only data you typed in there, so it's not the responsibility of the CWA to protect this data.

TheTravelGeek commented 3 years ago

> But that's your problem

I think that’s what it ultimately boils down to. The RKI can’t (or won’t) do anything that can be seen as actively contributing to the exposure of data in violation of German law. What you do to work around restrictions is your problem. CYA by RKI and their lawyers.

(and as I mentioned yesterday, where I think this CYA approach fails is when they share the data with apps and servers that themselves don’t impose the same restrictions (other European apps from the US app stores))

> it looks more and more like the CovPass app should be the one made available globally

Does the digital vaccine passport feature in the warn app or CovPass actually do anything but scan the QR code and display it again on demand? In other words, could you take a photo of the QR code with your phone and show that?

yspreen commented 3 years ago

I think the problem here is the notion of "servers". Allowing downloads from accounts with an address in another country is simply unrelated to the servers the data is hosted on or sent to. To 100%. If there was a need to make sure only people in the right country can use an app, as explained above, the GPS or IP data would be far more telling, more reliable, and less limiting. Maybe circumventing them is as easy, but fewer actual users would suffer.

Ein-Tim commented 3 years ago

@yspreen

The problem with the GPS location is that Google & Apple aren't allowing apps using their exposure notification api to request the GPS location of the user... I assume they would also reject IP based location checks, but this is not outlined in https://developer.apple.com/contact/request/download/Exposure_Notification_Addendum.pdf

yspreen commented 3 years ago

> Does the digital vaccine passport feature in the warn app or CovPass actually do anything but scan the QR code and display it again on demand? In other words, could you take a photo of the QR code with your phone and show that?

That's actually a very good point. Because while – for the time being – the wallet app is pretty limited in its functionality, it definitely offers more security to the user than a regular camera roll. The CovPass app is not open source, but if they took our DGCA implementations as an example, all user data is securely encrypted on the secure hardware component of the phone. That alone warrants using this app for health data.

Secondly, an extension of this entire digital vaccine cert protocol will surely come. Allowing people to possibly verify their vaccination status online, or add non-covid vaccines to the wallet as well.

jmehnle commented 3 years ago

I second @amandadebler's comment.

I'm a German citizen and live in the US. I'm traveling to Germany to visit my elderly mother in Germany today, who will be undergoing surgery this week. I've been fully vaccinated for over a month, but as we all know this protects mostly against severe illness and not against infection per se. So obviously I want to do the right thing and protect everyone involved by installing the CWA. Yet I can't because my Google App Store account is set to the US, and I can't practically pretend a move to Germany just for my two-weeks visit.

I'm very technical, so I happened to be able to figure out how to create a second Google account, set it up on my phone, put a German credit card on it (who in my position would even have one??), and then switch my Play Store app to that account and install the CWA. But to be honest, I couldn't explain this procedure successfully to any of my non-technical family, so I doubt too many people can pull this off or even manage to figure out that there is a way.

From having grown up and lived in Germany for 32 years and then having lived in the US for 10 years I can say this is one of those things the reasoning for which only Germans will ever be able to remotely understand. No offense, but you guys need to go beat some common sense into your lawyers.

rugk commented 3 years ago

> I'm very technical, so I happened to be able to figure out how to create a second Google account, set it up on my phone, put a German credit card on it (who in my position would even have one??), and then switch my Play Store app to that account and install the CWA.

As said, it would likely have been easier to just install the fork from F-Droid: https://f-droid.org/de/packages/de.corona.tracing/

treysis commented 3 years ago

It's all failing to address that the country setting when publishing is just a marketing tool. It has no legal significance. I wonder which **** at RKI came up with "hey, let's just set this to Germany, I don't know why, but let's do it". And then later on "wait, if we now change this to all countries...will this be a problem???".

Btw.: CovPass is even worse. It's not even available in other EU countries (like the CWA in the beginning). Again, use the Swiss version. Since today it's connected to the EU-system and is able to verify German certificates as well.

But nothing's gonna change. The RKI decided this way and they will not change their mind until a judge tells them to. Nobody wants to risk being left out in the next pay raise.

yspreen commented 3 years ago

The covpass app has an email inbox for their support. Their reply:

German: (English translation below)

Nach eingehender Prüfung der Sachlage wurde festgestellt, dass aus rechtlichen Gründen eine Veröffentlichung der CovPass-App in App Stores außerhalb Deutschlands derzeit nur nach einer Einzelfallprüfung möglich ist. Rechtliche Beratungen haben ergeben, dass bei einer Veröffentlichung in internationalen App Stores das Recht des jeweiligen Landes zu beachten und auf die CovPass-App anzuwenden ist. Dies gilt insbesondere für den Datenschutz, etwaige notwendige Auskunftsansprüche der dortigen Behörden und sonstige vertrags- und verbraucherschutzrechtliche Regelungen.

Die Nutzung der App wird freiwillig sein. Sollten technische Probleme auftreten, können Sie alternativ Ihren Gelben Impfpass vorzeigen.

Die Entwicklung der Apps orientiert sich an der in der Bevölkerung mehrheitlich genutzten Systeme. Eine Weiterentwicklung für ältere Versionen wird anschließend geplant.

English: (DeepL)

After a thorough review of the situation, it was determined that, for legal reasons, publication of the CovPass app in app stores outside Germany is currently only possible after a case-by-case review. Legal consultations have shown that in the case of publication in international app stores, the law of the respective country must be observed and applied to the CovPass app. This applies in particular to data protection, any necessary claims for information by the authorities there, and other regulations under contract and consumer protection law.

Use of the app will be voluntary. Should technical problems arise, you can alternatively show your Yellow Vaccination Card.

The development of the apps is based on the systems used by the majority of the population. Further development for older versions will be planned subsequently.

Translated with www.DeepL.com/Translator (free version)

Ein-Tim commented 3 years ago

@yspreen

That's nearly the same text as https://www.coronawarn.app/de/faq/#international. Seems like for both apps the lawyers of the RKI are seeing the same problem there...

treysis commented 3 years ago

Again, it's just a marketing setting. I'd really like to see the justification of the legal counsel as to why in their view the app store setting has any legal meaning. Also I'd like to know how they explain that lawyers of other EU members see no such problems. Because IF it's a problem, the CWA would have to opt out of the cross-country compatibility.

GisoSchroederSAP commented 3 years ago

@All, you may either want to challenge this question again and again and again and again and again with the same well-known and already-mentioned-multiple-times reasoning. You might be the better experts compared to the attorneys/lawyers and decision makers on the customer side, I cannot judge here.

Or, at some point of time you may think about accepting the situation: Meanwhile, we addressed this topic four (4) times already to the BMG and to the German government. Besides the fact, that there is no further communication of details about the decision (other than what was already mentioned and what was documented in the other issue that @Ein-Tim referred to [thanks!]), please note: Currently, this is neither a topic of evaluation nor in the focus of other discussions - not for the CWA and not for CovPass.

Yes, we are all aware of all the consequences for each and every single human being with a US store account. No, we are not happy with the decision. Yes, we understand, this is not acceptable for some (or many?) of you. No, currently, I firmly believe:

  1. This topic is not subject of change
  2. This discussion will not come to an end where we can satisfy your concerns or can answer your questions. We simply can't.
  3. With any further comment we go round in circles, but make no progress in that matter.

So thanks again for your ongoing engagement. I still kindly ask you to accept, what we can't explain in a satisfying way, and what we cannot change. Thank you.

treysis commented 3 years ago

Can't this be reevaluated? It's not only US accounts. It's every account outside Europe.

yspreen commented 3 years ago

Thank you for the extensive answer @GisoSchroederSAP

I think some people here might follow the thinking of: "At some point, the annoyance grows to a point new measures are taken by someone to remove the cause of users' frustration."

It's an important insight that the stone wall we're running against is actually in German politics. Can you tell us which teams of the BMG and the German government are responsible for this decision? Or the individuals involved with this? It seems like these questions might be better directed at them.

Of course, their answer will also be "there's nothing we can do", but sometimes miraculous ways can be found once somebody is actually determined to silence all the annoying people at their doorstep. Truly a great system we live in

GisoSchroederSAP commented 3 years ago

All good points:

If somebody has the energy and really wants to go the hard way of a follow-up, I recommend using the upcoming elections: Urge your preferred local politician to bring up this important topic to the necessary level of attention. You may even try this from the US side of the ocean, @jmehnle, if you personally don't accept the "German" way here - this would be absolutely plausible.

Thx and good night.

rugk commented 3 years ago

I also see this is just a political issue. So maybe do a petition if you feel this feature is important… or get some media to report about the fact (ARD Faktenfinder or so?)… Also, before doing that, someone who really knows about law (attorney etc.) would likely be useful to contact to make sure there are really no legal strings attached that could be the show-stopper here. I guess we in this issue tracker rather have a technical bias.

In any case, thanks for your honest and good answer @GisoSchroederSAP and good night y'all if you're in a UTC+01 timezone. :wink:

jucktnich commented 3 years ago

@treysis Germany has its own privacy law, and the thing with the other eu member states is, that they have a comparable (it does not have to be equal) privacy law, so you can send data to other eu member states.

treysis commented 3 years ago

@jucktnich But since the data is shared now between the countries, the other countries will also get the German data and then do the same with it as with their own data.

jucktnich commented 3 years ago

@treysis yeah but that's the law afaik.

jmehnle commented 3 years ago

Funny that we're being asked to use a national election to beat a rogue team of lawyers into submission over an issue that has no political significance whatsoever. Only in Germany.

jucktnich commented 3 years ago

@jmehnle if you vote, you can change the privacy law

treysis commented 3 years ago

I'm pretty sure the law isn't that different from other EU countries. Again, if we share the data, and other countries can share the data internationally, I'm pretty sure that sharing would be illegal as well in that case.

jmehnle commented 3 years ago

> @jmehnle if you vote, you can change the privacy law

Are you saying that if I, a German citizen living in the US, visit Germany for two weeks and install — through unofficial means, as I've done — the CWA on my phone and walk through Germany for two weeks with Bluetooth enabled, then I'm violating German privacy laws? And conversely, a German resident, having the CWA installed on their phone, visiting, say, the US for two weeks with the CWA installed and enabled on their phone isn't? Sorry, but I'm actually pretty familiar with German and EU privacy law (having been a privacy law political activist in years past), and this just isn't very convincing.

jucktnich commented 3 years ago

@treysis Note: I'm not a lawyer. I think it's illegal to share health data to other countries under German law. (Seems this is not the case for RPIs under the DSGVO). There's one exception: countries with comparable privacy laws (e.g. other EU member states). What then happens in the other country is not under German privacy law.

melancholyaeon commented 3 years ago

> @jmehnle if you vote, you can change the privacy law

I'm not clear what you mean here, sorry.

The laws at issue here are EU-wide laws resulting from a judgement of the EU's highest court & duly implemented by regulations in each of the 16 German states.

The only way to "change the privacy law" now is for Germany to repudiate the EU legal framework & refuse to recognize the decisions of the EU court.

Just to understand: Is this what you are advocating? It would require that like certain countries Germany should exit the EU rule of law. And that Germany repudiate the entire EU privacy framework.

This app achieved public acceptance only after the German public was assured of its privacy. Apple & Google built a private framework. The app is focused on data privacy.

Fears about privacy caused a very slow uptake in the app at the start, which has only gradually been overcome. Linus of the CCC himself had to publicly vouch for it, as well as many other privacy & security professionals.

The German electorate cares deeply about privacy rights & data protection. Please don't think otherwise.

Best wishes! Have a great day.

jucktnich commented 3 years ago

@jmehnle When privacy law was written, nobody thought about this special case. I'm not sure about both of your assumptions, but I think the first isn't true, but the RKI needs to do their best preventing the data going to the US. If you're in Germany as an American it's completely ok (if you delete CWA before entering the US) to use the CWA, but the RKI hasn't a chance to know, that you're in Germany, so they have to treat you like an American.

jucktnich commented 3 years ago

@melancholyaeon the Bundesdatenschutzgesetz is an implementation of the DSGVO, but also an extension, and these extensions can be changed by the German Bundestag as they want. Since this only affects Germany, I guess that the problematic things are one of these extensions, so they could be changed.

melancholyaeon commented 3 years ago

On Sat, Jul 10, 2021 at 12:53 Julian Mehnle @.***> wrote:

I'm going to assume you are asking in good faith & I'm then going to attempt to answer in good faith in a spirit of good will. Because we're all friends here & we all wish for the same thing.

> Are you saying that if I, a German citizen living in the US, visit Germany for two weeks and install — through unofficial means, as I've done — the CWA on my phone and walk through Germany for two weeks with Bluetooth enabled, then I'm violating German privacy laws?

CASE A: Do you sync to a US server or a German one? Is any German data processed on a US server without the consent of German citizens & in violation of the data-sharing restrictions under Schrems II & other EU law? Finally do the data flows from your phone in any way violate the implementing regulations of each German state you may visit? Then maybe.

But I think Giso has answered this question for us previously. These issues have gone to the international level of diplomatic & legal discussions, and the answer was that sadly the law makes it impossible.

> And conversely, a German resident, having the CWA installed on their phone, visiting, say, the US for two weeks with the CWA installed and enabled on their phone isn't?

Case B: Look it takes a PhD in law apparently & a habilitation :) to untangle these legal issues. It's really hard, as Giso has stated. No one's happy with the result. I accept what Giso says because he has the real information.

But, prima facie, yes, this could seem to violate the German law. German citizen data is being carried to the US without proper consent. It could possibly be processed on US servers & even fall into the hands of the US government, either through random border phone checks or standard US mass surveillance.

The implementing regulations (I'm thinking particularly of BaWu here) require that German data cannot under any circumstances fall into US government hands without a proper legal procedure. No one can guarantee this, not even Apple or Google.

It's a difficult area & very complex. I'm not an international privacy lawyer, but Giso says he has heard their answer.

Facebook & other companies such as banks have EU data centers particularly for the purposes of adhering to these laws by assuring EU citizen data is processed & held inside the EU regime.

> Sorry, but I'm actually pretty familiar with German and EU privacy law (having been a privacy law political activist in years past), and this just isn't very convincing.

I still think personally the situation is fascinating as a unique case in privacy. It would make an incredible habilitation in the intersection of business, data privacy, international legal frameworks & German state vs. Federal sovereign interests, as well as international intelligence agreements.

Definitely I hope someone here does this work! It would definitely be prize-winning. The basic privacy & surveillance question alone would be perfect for Bellingcat!

Have a great weekend.

treysis commented 3 years ago

> @treysis Note: I'm not a lawyer. I think it's illegal to share health data to other countries under German law. (Seems this is not the case for RPIs under the DSGVO). There's one exception: countries with comparable privacy laws (e.g. other EU member states). What then happens in the other country is not under German privacy law.

Those countries share the data with other 3rd parties. So - if the interpretation by RKI is right - it would also be illegal under German law to share the data with the other EU members in the first place.

> @jmehnle When privacy law was written, nobody thought about this special case. I'm not sure about both of your assumptions, but I think the first isn't true, but the RKI needs to do their best preventing the data going to the US. If you're in Germany as an American it's completely ok (if you delete CWA before entering the US) to use the CWA, but the RKI hasn't a chance to know, that you're in Germany, so they have to treat you like an American.

They don't know anything about where you are. They just see that you set your store-country to a specific country. It doesn't have any meaning. It's like asking on specific sites "Are you over 18?".

Furthermore, if it were illegal to carry the data to the US*, they would have to add a notice in the app saying that you have to delete the data in CWA before entering US.

*US is just a proxy here. It affects every country outside the EU/EEA/CH. You can easily check the availability on Google Play for different countries: https://github.com/treysis/playstore-country-check

jucktnich commented 3 years ago

@treysis yeah for sure they don't know where you are, but maybe it's enough to do what the RKI does, cause they can't do more.

treysis commented 3 years ago

They would at least have to add a note that the use of the app outside the specific countries is in violation of German privacy law.