
Germany's Covid contact tracing app is Open Source - fredrb
https://github.com/corona-warn-app/cwa-documentation
======
barbegal
I really question whether these apps will be effective. The limitation section
[https://github.com/corona-warn-app/cwa-
documentation/blob/ma...](https://github.com/corona-warn-app/cwa-
documentation/blob/master/solution_architecture.md#limitations) of their
architecture document shows that people in close proximity for a few minutes
may not even get picked up.

Anyone who has dealt with trying to work out distance from Bluetooth signal
strength will know that it is virtually impossible once you factor in, the
orientation of two devices (signal polarization), their locations (in a
pocket, bag, case...) and the local environment (reflections and attenuation
from walls, floors ceilings, furniture).

Additionally, without knowing exactly how transmission is occurring the risk
score calculation [https://github.com/corona-warn-app/cwa-
documentation/blob/ma...](https://github.com/corona-warn-app/cwa-
documentation/blob/master/solution_architecture.md#risk-score-calculation) may
be wildly inaccurate too resulting in the wrong people being notified.

And even assuming perfect ability to deduce the risk of infection of two
people using the app, will that help in the bigger context. If the people most
at risk don't install this app and the least at risk do then you may be
drawing resources away from the people that most need help.

~~~
fabian2k
The biggest risk are longer contacts, not very short ones. You don't want to
notify everyone that passed that person on the street, but you do want to
notify everyone that was reasonably close in the same train for half an hour.

This is pretty much just an extension to classic contact tracing. And there
you also have to work with very rough categories of risk, this isn't so much
different.

~~~
Someone
I don’t see why N S-second contacts would be lower risk than one N×S-second
one. This isn’t a matter of ‘small doses can’t harm you’, is it?

~~~
CaptainZapp
Actually it makes a huge difference.

You need to absorb a certain amount of payload in oder to get infected.

I found this article[1] on the subject extremely enlightening.

[1] [https://www.erinbromage.com/post/the-risks-know-them-
avoid-t...](https://www.erinbromage.com/post/the-risks-know-them-avoid-them)

~~~
tzs
One thing unclear from that is how how fast, if at all, accumulated viruses
clear out.

Say you need to inhale 1000 of a particular virus to get its disease, and
talking normally with an infected person gives you 200/minute, so it takes you
5 minutes to get the disease.

You can get that 1000 by talking 5 minutes with one infected person, or you
can get it by talking 3 minutes with one infected person and then shortly
afterwards 2 minutes with another.

But what if the gap between those two is longer?

I'd guess that the first 600 you got get into cells quickly and start
reproducing, but there are few enough that your immune system is able to
handle them. The reason you need 1000 is that is the tipping point where the
viruses can reproduce faster than your immune system can handle.

If that's the case, then after you get that first 600, how many you need to
get on the next exposure would be 400 shortly after the first, but as the time
between exposures increases that would increase.

The model here would be that you have a virus accumulator (you), being filled
by exposure events and drained by your immune system, and you get sick if the
accumulator reaches some threshold.

This makes me wonder if my approach to shopping during this pandemic is wrong.
I've been doing a big shopping trip every 3 or 4 weeks, as opposed to before
the pandemic when I'd pop in to the store 3 or 4 times a week and only buy a
few things.

Those big trips involve being in the store for an hour or more (and it's not
linear--the time to fill my cart is linear in the number of things I'm buying,
but checkout time goes up faster because organizing my stuff at the self-
checkout becomes harder). If someone else in the store is infected, I could
potentially be around them enough to also get infected.

The old small trips only involve a few minutes in the store. If someone else
is infected I'm not going to be in there long enough to get an infectious dose
from them unless they do something like cough near me. With my mask, and care
to avoid other people who are not wearing masks, my realistic risk from an
infected person is less than an infectious dose.

If my immune system can clear that out in a few days, then I should be good to
go for the next short trip. As long as the prevalence of infected people in my
community is low enough that I'm not going to get an infectious dose in a
single short trip, this should be a safe approach.

Another question: suppose I get that 600 dose, and no more, so my immune
system handles it fine and I don't get sick. Am I spreading the virus during
this time, or do I only start spreading after I get an infectious dose worth
of accumulated exposure?

Edit: how does acquiring immunity fit in? If I get 60% of an infectious dose
and then no further exposure until my body has dealt with that, do I get any
immunity or does that only happen if I accumulate enough virus at one time to
actually get sick?

~~~
smichel17
> Edit: how does acquiring immunity fit in? If I get 60% of an infectious dose
> and then no further exposure until my body has dealt with that, do I get any
> immunity or does that only happen if I accumulate enough virus at one time
> to actually get sick?

Not an expert but I think I can handle this one.

> The model here would be that you have a virus accumulator (you), being
> filled by exposure events and drained by your immune system, and you get
> sick if the accumulator reaches some threshold.

This is a simplified model of the immune system, and in order to answer the
above question we need to make it a little less simplified.

First, let's talk about the accumulator. It's not only being filled by sars-
cov-2, but also by other viruses, foreign bacteria, etc. I don't understand
well enough to say how that affects the threshold in our model so I'll ignore
that for now. Let's represent all these as javascript objects.

As I understand it, your immune system has two main responses to infections:
white blood cells and T cells[0]. They both work essentially by duck typing --
in our model, that's the shape of the js objects; irl it's the protiens
exposed on the surface of the virus[1]. White blood cells match a much more
general pattern, but are not very efficient compared to T cells. Your model
only considers white blood cells.

T cells work a little differently. Your body constantly generates T cells that
match random virus shapes. The newly-made T cells take a look through the
accumulator and see if they match any of the objects. If not, they self-
destruct. This is what hapoens most of the time, since the accumulator is
cleaned out fairly quickly. But if they do -- say, when the accumulator has
overflowed and now the virus is reproducing freely, so it stays around for a
long time -- they start to clone themselves. Eventually, they clone themselves
enough that they, with their higher efficiency, are able to remove all of the
virus from the accumulator. When this happens, a few of them stick around for
a while. This is immunity: even if you get hit with a big dose of sars-cov-2,
you've got some T<sars-cov-2>cells hanging around from last time, which can
handle the virus with increased efficiency (multiplying themselves[2] as
necessary).

That is to say, a small amount of exposure over a long period of time is
unlikely to generate immunity, since you never generate T cells to fight the
virus.

[0] These are not the only parts, but they play a big role and generalize well
to the two main parts of our immune system.

[1] Aside, you could, with a little fudging, extend this analogy to how
viruses infect cells -- cells each have api endpoints, and the virus takes the
shape of the regular payload enough to pass validation checking, but also has
malicious parts to trigger remote code execution once inside the cell, so the
cell turns around and starts spitting out viruses instead of its normal
responses.

[2] Actually I do not remember what the mechanism is for this -- whether they
multiply themselves or send a message back to the T cell factory to "produce
more like me", at which point the T cell factory caches the blueprint, and
that's the immunity, rather than any T cells themselves sticking around. Maybe
someone with a deeper understanding of the biology can correct any nuances I'm

------
metachris
Some context:

> The German government has asked SAP and Deutsche Telekom to develop the
> Corona-Warn-App for Germany as open source software. Deutsche Telekom is
> providing the network and mobile technology and will operate and run the
> backend for the app in a safe, scalable and stable manner. SAP is
> responsible for the app development, its framework and the underlying
> platform. Therefore, development teams of SAP and Deutsche Telekom are
> contributing to this project. At the same time our commitment to open source
> means that we are enabling -in fact encouraging- all interested parties to
> contribute and become part of its developer community.

[https://github.com/corona-warn-app/cwa-app-
android#contribut...](https://github.com/corona-warn-app/cwa-app-
android#contributors)

~~~
tpmx
Wow, those are not two companies that come to mind when "moving fast" is a
priority. (I've only worked in a supplier role to Deutsche Telekom, but I
can't imagine SAP is any less ... specific about rules and processes.)

I guess they probably have some "experimental" departments for recruitment
purposes, they must have used those.

~~~
cheschire
They probably are funding external "startup" style companies which are outside
of the corporate HR and union boundaries.

------
mikece
I wonder how quickly contact tracing applications will be leveraged for other
uses. If a significant number of protesters are using such an application then
I imagine government will throw the “for your protection“ excuse to go harvest
information from the phones of protesters to see who was meeting with him and
who their social circles are. Of course, to keep us and our children safe.

~~~
zabana
It's already happened in the wake of the events related to the unfortunate
death of George Floyd. Police in minneapolis have admitted the use of contact
tracing technology to locate protesters.

~~~
huxley
My understanding is that that was the police grabbing cell phone tower records
from the cell service providers -- which they've always been able to do, it is
a different (though still problematic) issue. The writers of the article
conflated it with contact tracing.

------
pjc50
Meanwhile in the UK, it's closed source corruptionware:
[https://www.mirror.co.uk/news/politics/tory-husband-test-
tra...](https://www.mirror.co.uk/news/politics/tory-husband-test-trace-
chief-22128892)

~~~
chimprich
That story does not say anything about that.

The UK app's source code has been released. Previous discussion:
[https://news.ycombinator.com/item?id=23107553](https://news.ycombinator.com/item?id=23107553)

------
traspler
So are all the parts of what will become the Swiss COVID tracing app:
[https://github.com/DP-3T](https://github.com/DP-3T)

~~~
outadoc
French app, protocol and backend here:
[https://gitlab.inria.fr/stopcovid19/](https://gitlab.inria.fr/stopcovid19/)

------
xupybd
The New Zealand contact tracing app just allows you to log visits to
businesses that display QR codes listing their address. So you can have a log
of where you've been. Only most businesses here don't have the codes on
display as applying for them has too much red tape.

~~~
mschuster91
Also NZ is essentially corona-free, there isn't much pressure for app based
tracing as long as those in contact with people coming in from anywhere else
(i.e. air and sea port workers, customs officials and the likes) get
rigorously tested.

~~~
fredrb
Wouldn't a tracing app make more sense than having a rigorous border tests? It
takes one miss-tested infected person to start a second wave in the country.
So I would assume that the investment to make sure businesses provide the QR
pays off testing everyone and risking another lockdown. I'm also not sure
countries have the resources to enforce huge amounts of tests at the border.

~~~
johannes1234321
> I'm also not sure countries have the resources to enforce huge amounts of
> tests at the border.

Right.

One issue with testing is that the only test you can do for masses in a border
are basic health checks like temperature, but aside from all general issues
with such kind of test (people are exhausted after travelling on a plane,
having to do a test, ...) with COVID symptoms often only appear after one had
been infectious for a while already, so one can pass by undetected and still
spread.

Things like PCR tests take time and effort and have notable cost, which makes
it hard to apply on a larger entrance port.

Either shut down completely (maybe based on origin region or recently visited
regions) or be prepared to handle afterwards ... tracing contacts to identify
potential carriers after ridentifying infected is a way which is at least a
bit promising.

~~~
DiogenesKynikos
> Either shut down completely (maybe based on origin region or recently
> visited regions) or be prepared to handle afterwards

If you only shut down based on recently visited regions, you're likely to
import cases anyways. With CoVID-19, it takes several weeks to identify an
outbreak in a region (especially without extensive testing). By the time you
shut down travel from a given region, you've probably already been importing
cases for weeks.

The WHO has gotten a huge amount of flak for not calling for travel
restrictions during this pandemic. But their recommendations were based on the
ineffectiveness of travel restrictions,* according to previous research. They
recommended screening passengers for symptoms, but also told countries to take
measures to limit spread (like testing and contact tracing), on the assumption
that countries would import cases.

* The WHO's recommendations were also based on the International Health Regulations, an international treaty that basically every country on Earth has joined. Most of the public is unaware of the IHR or what it says about travel restrictions, or of the history of the WHO (one of its founding goals was to stop countries from automatically shutting their borders whenever there was an outbreak, and instead to take rational, evidence-based measures).

------
ubanholzer
Covid contact tracing app Switzerland:

Android repository: [https://github.com/DP-3T/dp3t-app-android-
ch](https://github.com/DP-3T/dp3t-app-android-ch)

iOS repository: [https://github.com/DP-3T/dp3t-app-ios-
ch](https://github.com/DP-3T/dp3t-app-ios-ch)

Covidcode Frontend: [https://github.com/admin-ch/CovidCode-
UI](https://github.com/admin-ch/CovidCode-UI)

App backend: [https://github.com/DP-3T/dp3t-sdk-
backend](https://github.com/DP-3T/dp3t-sdk-backend)

App config backend: [https://github.com/DP-3T/dp3t-config-backend-
ch](https://github.com/DP-3T/dp3t-config-backend-ch)

Covidcode backend: [https://github.com/admin-ch/CovidCode-
Service](https://github.com/admin-ch/CovidCode-Service)

------
lou1306
FWIW The Italian contact tracing app, Immuni, is open source as well:
[https://github.com/immuni-app](https://github.com/immuni-app)

I installed it today and I live in one of the 4 pilot regions, let's see how
it goes.

------
rurban
As I expected it's backdoored. It uses the new central Google Tracking ID
feature. [https://github.com/corona-warn-app/cwa-app-
android/wiki/4-Go...](https://github.com/corona-warn-app/cwa-app-
android/wiki/4-Google-Exposure-Notifications-API)

Other apps can do without central tracking Id's. It was fishy that Germany
waited weeks for this Google API (officially to support low voltage
Bluetooth), whilst other countries had their open source apps ready for long.
Germany and France pushed for centralized tracking, it was called off after
protests, now its again in via their US friends.

------
zxienin
Having spent some time looking at contact tracing app architectures across the
world, I realize how conceptually same they are. Mostly variations are in
central or decentral handling of data.

BLE based. Similar usage protocol.

Instead of 50 odd countries, each making tracing app with ~90% similarity,
doesn’t it make sense that there is one grand GitHub repo? Each country
instantiates their own variant of it, by injecting own config, while
contributing to the this repo.

Am surprised at the mushrooming effect here.

------
krzyk
Polish one is also opensource - [https://github.com/ProteGO-
Safe](https://github.com/ProteGO-Safe)

------
s_dev
I'm at a loss as to why Ireland isn't open sourcing our contact tracing app or
just using another open source App considering every other EU nation is.

I suspect combination of soft corruption and perverse incentives.

~~~
padmick
did they announce they wont open source it? don't think ill be giving it a
download then :/ shame

~~~
s_dev
[https://www.reddit.com/r/DevelEire/comments/g77kcc/irish_gov...](https://www.reddit.com/r/DevelEire/comments/g77kcc/irish_government_keeping_the_source_code_of_their/)

------
danielfoster
Great to see this open-sourced. I think the biggest issue here is why the app
is still under development and won't be released. until mid-June.

The government has already had more than 3 months to get this ready.

------
Lutger
Most European countries develop their contract tracing apps as open source
software.

The fragmented landscape is unfortunate. It's not just the code being
developed that could benefit from a cooperative approach, the ethical, legal,
medical and governance issues around these apps could benefit a lot from a
shared European approach.

We have done this with the GDPR, we should collaborate on this as well.

~~~
bennofs
At this scale, collaboration would probably slow things down more than it
helps. Finding a consensus among so many parties is hard. Building separate
solutions first and then unifying them later might be better.

~~~
Lutger
Maybe. I just don't understand why European developers didn't start by forking
the austrian app, which has an apache license.

The Stopp Corona app is developed by the Austrian red cross and has already
been successfully deployed and used. There's a lot of experience around it.

Why not begin with a fork and add your own requirements? Then slowly try to
merge those upstream? Now the landscape is fragmented from the start. It's NIH
all over the place.

