In these days of the corona pandemic, visits to hair salons and restaurants generally involve filling out forms. Along with the conventional pen-and-paper method, the first digital solutions are now available. These require users to scan QR codes or to complete online forms. “In both cases, unauthorized persons can access personal data, which may have serious consequences especially in connection with a critical issue such as an infection,” says Georg Carle, Professor of Network Architectures and Services at TUM.
Still, effective contact tracing is important for successfully limiting the spread of pandemics, says Prof. Carle. In search of a solution, he worked with his former doctoral candidate Johann Schlamp to develop QRONITON. This service, which uses QR codes that can be scanned with a mobile phone, will enable organizations to meet their documentation obligations and help public health authorities to identify endangered individuals quickly. Any location – whether it's at a restaurant table or an seat in a lecture hall – can be provided with an individual QR code. When scanned by a user, the code is captured along with a time stamp and contact data. What sets this solution apart from similar approaches is a sophisticated, multi-stage encryption system that protects the data.
“The data are stored centrally on a server,” says Georg Carle. “However, they are encrypted in a form that cannot be read by the server operator, and which the authorities can access only in the form of subsets – and even then, only with the consent of the concerned parties.” If an infection with the novel coronavirus SARS-CoV-2 is reported to a public health authority, it will provide a personal authorization code to the infected individual. The authority can access data on the places visited and the direct contact persons only if the infected person enters the code in QRONITON. “The principle of data minimization was very important to us,” says Johann Schlamp. “The system captures only a telephone number and a postal code. The latter is used to determine which authority can access the data in case of a concrete infection risk.”
QRONITON is a browser-based tool, which means that the user does not need to install an app. It also means that users can be sure that data are not being collected in the background. They can decide themselves whether or how often they wish to scan QR codes. The developers also had users without smartphones in mind: These users can print out a personal QR code to be scanned by restaurants and other places they visit.
Test run at TUM
In recent weeks, the system was tested and optimized at TUM. QRONITON QR codes are already posted at numerous locations in the Mathematics and Computer Science Building. “During this test phase we found out which features are useful and were able to optimize the system to run on as many smartphones as possible,” says Schlamp. The project was closely monitored by researchers at the TUM Munich Center for Technology in Society (MCTS), who focused in particular on issues surrounding the acceptance of such systems. They also helped to ensure that QRONITON is compatible with the German General Data Protection Regulation.
“The system is now ready to be rolled out for everyday use,” says Prof. Carle. “We're also in touch with the public health authorities and the Robert Koch Institute. The Munich District Administration Office, along with the public health authority responsible for Garching, already has access to the system. I would like to see our proposal taken up by politicians to create the conditions for widespread adoption. Implementation would be useful in any location where large numbers of people gather and where there is a chance of a coronavirus infection. Along with restaurants and hair salons, this would include fitness studios, cinemas, public spaces and churches.”
Complementing the Bluetooth-based corona app
Jens Spahn, the German federal health minister, will soon introduce an official coronavirus warning app. It will use Bluetooth technology to determine when app users come within a certain distance of each other. “A decentralized Bluetooth-based solution like that one and our QR code system both have individual strengths,” says Georg Carle. “The Bluetooth app makes sense for sending out individual warnings and will work without users having to actively scan codes. What we want to do is make contact tracing easier for public health authorities while offering restaurants and other facilities as well as their guests an easy way of meeting their documentation obligations, while complying with data protection regulations – and perhaps to encourage others to offer a voluntary tracing tool.”
- The IT service is being provided to TUM by Leitwert GmbH under a contract data processing agreement.
- An interdisciplinary research team at TUM presented a model for a Bluetooth-based contact tracing app that meets data protection requirements in April.
- High-resolution images.