Is the German Covid-19 Tracing App a Hidden Self-Sovereign Identity?

Martin Schäffner

16 June 2020

Today, the long-awaited Covid-19 tracing app will be released in Germany, which should help to detect infection chains and warn potentially infected people that they were in contact with someone infected with the virus at some point recently. The decentralized approach of the app raises some questions: Are there parallels to the concept of Self-Sovereign Identity? And if so, are we witnessing the first broadly useable application for SSI in Germany? I will face these questions in this blog post. 

Even though the app is already delayed, as it was promised to be released almost two months earlier, it still comes at the right time since life in Germany is getting back to normal again. The app was released in Germany so long after other countries due to many reasons,  one of them being privacy. There should be no possibility that this app holds any form of personal information for anything beyond its actual purpose. In fact, the developed app is overall pretty solid. It respects the users’ privacy, it is simple to use, and no central institution has too much control over the data. Let’s analyze some criteria from an SSI point of view to determine if it is a self-sovereign identity:

Control

To begin with, we need to look at who has control over the identifiers. These are designed to be self-creating on the user’s device and frequently automatically changing. The user doesn’t have to create and register them manually. In fact, the user has no control over how the identifiers are being created or exchanged with others. Therefore, randomly created ids violate the principle of control over the identifier since the user does not influence it.

Forming of Connections

As the next criteria, I want to take a look at how connections are established. In the SSI ecosystem, connections with others are formed via the DID Auth protocol, which verifies that the user holds valid keys for a DID. In the tracing app, this is done via Bluetooth. The device automatically recognizes other devices in Bluetooth-range and stores their ID, timestamp, and signal-strength for 14 days. If an infected person was later identified, all the IDs would be sent to a central server from which the user’s devices are frequently polling. If the IDs match up, the app warns the user that he or she might be infected. This is also contrary to an SSI approach were connections are formed with explicit consent, and exists for as long as one party terminates the connection. 

Even though more criteria help to determine if the tracing app is a Self-Sovereign Identity, it is already clear that it is not a Self-Sovereign Identity, even if it is much closer than a centralized approach. However, it would be possible to align it more with SSI principles. 

Tracing App with Blockchain Integration?

Let’s say the user downloads an app that has the functionality of creating compatible key pairs for an underlying blockchain or DLT. These would also not be human-readable and would further allow interactions with the underlying blockchain. If a person was diagnosed with Covid-19, the device could perform a transaction to the ledger and its IDs would be stored in a central revocation registry that the devices pull from. Therefore, there would be no need for a centralized server that is run by a single institution. Using a blockchain here would bring some benefits as well as it could work across borders and probably for less than what SAP and T-Systems, a subsidiary from the Deutsche Telekom, charge. 

In short, I hope that this app has the most success and that people will use it to combat this pandemic and end it as soon as possible. I further hope that decentralized approaches, where the privacy of the user is the main priority, are becoming more popular and allows people to see that we don’t always have to provide sensitive personal information to anyone that offers an online service. And last but not least, I hope to see more people are aware of the benefits of Self-Sovereign Identity so that its public adoption is achieved earlier than expected. The concept of this app is a step in the right direction, and I hope there will be more to come!

Do you want to know more about Self-Sovereign Identity? Read my series, watch a webinar I held recently, or contact me!