Corona Apps: Data Protection and Data Minimisation Increase Level of Acceptance and Use

Smartphone apps are a key component for reining in the Corona pandemic: they can warn us when we are at risk and thus contain the spread of the disease. How can we increase the level of acceptance of these apps so that more people use them? This is a question investigated by Christine Utz at the Ruhr-University Bochum in the NRW Research College SecHuman – Security for People in Cyberspace.

Ms. Utz, what aspects of user behaviour do we need to take into account in order for apps to be accepted by society as a whole?

Utz:In the summer of 2020, we presented fictitious app scenarios in an international study and then examined their evaluation and acceptance. We were able to identify that German respondents are mainly concerned about data protection and state surveillance: in particular, about the utilisation of Corona apps beyond the period of the pandemic.

Regardless of how an app is technically configured, we found that, in each country, a certain percentage of people were against using Corona apps one way or another. This “baseline” must be taken into account when assessing the potential distribution of an app. The heterogeneity of smartphone ecosystems, especially under Android, must also be taken into account. Older devices do not provide the necessary interface for bluetooth-based digital contact tracing, meaning that contact tracing apps such as the German “Corona-Warn-App” can’t be used.

What’s also important is that Corona apps are used as intended – for example, that positive test results are also entered into a contact tracing app in order to warn at-risk contacts from the previous few days that have been identified via the app.

What are the minimum data protection and privacy requirements for apps that help fight the pandemic?

Utz:In the scenarios presented by us, data minimisation led to an increased willingness to use apps in Germany. This was the case, for example, with apps that only store data concerning which other users of the app have recently had critical encounters – but not when and where these encounters took place. A further positive assessment was given if an app only collects data from which no conclusions can be drawn about the identity of the person.

It was also important to the respondents that only certain actors have access to the data. Apps that send data to private companies, the police or the public were rated more negatively than those that make their data available to research institutions or health authorities.

How can communication contribute to the acceptance of the apps and how can users be better targeted?

Utz: Digital contact tracing is a complex issue due to the invisibility of the technical processes running in the background. Communicating these technical details, such as sending constantly changing identification numbers, is a challenge. Evaluations by the RKI on the success of the Corona-Warn-App have shown that positive tests often do not find their way into the app. This is because users must explicitly tick a box with their consent to have the positive test result transferred to the app. Those responsible in test centres and health authorities should again inform the tested persons that they agree to the data being transferred to the Corona-Warn-App. They must sensitise those tested to the fact that their contact persons will receive a notification, but that it is not possible to deduce their identity. Better communication can thus increase the willingness to give consent.

Data Protection and Data Minimisation Increase Level of Acceptance and Use of Apps for Reining In the Pandemic