Hacking Corona: An Overview of the Winners of Germany‘s WirVsVirus Hackathon – and the Privacy Angle

Category: Coronavirus, Hackathon, IT-security, Privacy

Hacking Against the Virus

The coronavirus pandemic has the world firmly in its grip. To combat the challenges posed by the spreading plague, with the goal of minimising death rates, countries all over the globe are drastically restricting the free movement of their citizens. This, in turn, creates a host of new social and economic challenges with many people unable to pursue their profession altogether or being confined to their home office and working exclusively in front of their computer.

But the fact that the crisis directly affects a great number of people can also have productive sides: the Estonian government was the first to organise a hackathon in mid-March, encouraging people to come together digitally to work on solutions for the many problems created by COVID-19. The idea was picked up quickly, and only a week later Germany followed suit by holding its own “WirVsVirus” (translated as “we against the virus”) hackathon.

Solutions based on (Personal) Data

Based on over 2,000 ideas for projects submitted by the interested German public and government, a record-breaking (for a hackathon) 28,361 participants spent the weekend working on projects that tackled one of 48 different challenges. After two days of coding and conference calls, over 1,500 projects were submitted. The selection committee took the next week to rate each project on five dimensions (incremental social value, degree of innovation, scalability, progress, and comprehensibility). The best-rated submissions were evaluated by a jury consisting of 45 representatives from the federal government, civil society and the tech community, with the top 20 being announced on Monday, 30th March 2020.

The top 20 chosen open source prototypes all fall under one of five categories:

  1. Services facilitating the access to or distribution of information (8/20), which in most cases make use of data that is provided by a trusted party (like the government or centre for disease control). These do not collect user data, except for one case, where personal data (like name and address) is reported directly to a government agency in case of an emergency. This project’s description, however, also made explicit mention of the fact that all data would be processed and stored in ways compliant with GDPR.

example project: DEalog expands an existing official app for crisis communication in Germany by providing geo-specific warnings and an individualised news feed that brings together relevant information from accredited sources on federal, state and district level. It collects no personal data.

  2. Services facilitating official administrative procedures (1/20), in this case a solution enabling quicker border controls by collecting and storing personal information about the individuals crossing the border as well as their journey. The project description did not include an explicit mention indicating awareness of the sensitivity of the data handled.

  3. Services facilitating the distribution of auxiliary resources, work force, or products (4/20), which mainly serve as platforms connecting various stakeholders that can communicate either demand or potential supply. Except for the product-centred prototype, the creation of profiles for both recipients and suppliers is necessary, which also requires the collection of sensitive personal data. Only one project explicitly mentioned, as an item for future development, the need to validate user accounts as a precaution against misuse.

example project: RemedyMatch is a logistics platform to which institutions can upload numbers of existing medical stock or specify their demand. Transportation is then facilitated through volunteers also registered on the platform. To register on the platform, name and email have to be provided. To enable the transport, an address will have to be provided as well. The project’s description did not include any reference to data protection and how sensitive data is to be handled.

  4. Services facilitating a streamlined Corona-testing process (2/20), which record an individual’s state of health through a questionnaire and then automatically schedule an appointment. To provide this service, medical information (including current medication) and personal data are collected. None of the projects’ descriptions under this category indicated that special care would be taken to secure the personal and potentially very sensitive medical data used.

example project: (translated as “digital waiting room”) provides a questionnaire collecting personal data (name, birthdate, gender, address and contact details), data on the potential infection source, closeness of contact, symptoms, and pre-existing conditions. It then schedules an appointment at a testing centre based on an automated risk assessment. The data protection declaration on the webpage led, at the time of writing this post, to a blank page.

  5. Services facilitating social cohesion in times of social distancing (5/20), which either provide a way for individuals to connect with each other without requiring personal information or serve as platforms to connect high-risk populations and their shopping needs with volunteers willing to help. For the latter, personal data is collected and shared with other people on the platform, yet only one project explicitly indicated awareness of issues around data security.

example project: WirFürUns (translated as “We For Us”) aims to connect people that – due to infection or membership of a high-risk group – cannot or do not want to leave their home with volunteers offering their help. It also handles money transfers to reimburse money spent in advance. To sign up, it requires personal information like name and address as well as a bank account. Both location information and surnames of people needing help are then displayed to all logged-in volunteers in the vicinity. The project description contains no indication of awareness of the sensitivity of the handled data.
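To make the privacy-relevant difference concrete, here is an added illustration written for this post; it is not code from WirFürUns or any other hackathon submission, and it makes no claim about how that project is actually built. It models the volunteer feed described above in two ways: a "solution-first" view that shows every nearby volunteer the surname and exact position of the person needing help (the behaviour the project description implies), and a "privacy-first" view that applies data minimisation (pseudonymous id, a coarse grid cell of roughly 1 km, a distance bucket, and the need) plus progressive disclosure, releasing name and address to exactly one volunteer only after the requester has accepted them. The people, addresses, IBANs and coordinates are constructed sample data, and the 0.01-degree grid size and the distance buckets are assumptions chosen for the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class HelpRequest:
    """One person asking for help. Constructed example data, not from any real platform."""
    request_id: str
    first_name: str
    surname: str
    street_address: str
    lat: float
    lon: float
    iban: str
    needs: str


# Constructed sample requests: fictional people, fictional addresses, placeholder IBANs.
REQUESTS = {
    "r1": HelpRequest("r1", "Anna", "Muster", "Musterstrasse 12, 10115 Berlin",
                      52.5323, 13.3846, "DE00000000000000000000", "groceries"),
    "r2": HelpRequest("r2", "Karl", "Beispiel", "Beispielweg 3, 10117 Berlin",
                      52.5170, 13.3889, "DE00000000000000000001", "pharmacy"),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(a))


def naive_volunteer_feed(vol_lat, vol_lon, radius_km):
    """'Solution-first' view: every logged-in volunteer in range sees surname and exact position."""
    return [
        {"request_id": r.request_id, "surname": r.surname,
         "lat": r.lat, "lon": r.lon, "needs": r.needs}
        for r in REQUESTS.values()
        if haversine_km(vol_lat, vol_lon, r.lat, r.lon) <= radius_km
    ]


GRID_DEG = 0.01  # assumed grid: ~1.1 km in latitude, coarse enough that a cell is not an address


def coarsen(value):
    """Snap a coordinate to the lower edge of its grid cell."""
    return round(math.floor(value / GRID_DEG) * GRID_DEG, 2)


def distance_bucket(km):
    """Assumed buckets; a volunteer only needs to know roughly how far away the request is."""
    return "<1 km" if km < 1 else "1-3 km" if km < 3 else ">3 km"


def minimised_volunteer_feed(vol_lat, vol_lon, radius_km):
    """'Privacy-first' view: pseudonymous id, coarse grid cell, distance bucket and the need.
    No name, no address and no bank data reach a merely browsing volunteer."""
    feed = []
    for r in REQUESTS.values():
        km = haversine_km(vol_lat, vol_lon, r.lat, r.lon)
        if km <= radius_km:
            feed.append({"request_id": r.request_id,
                         "cell": (coarsen(r.lat), coarsen(r.lon)),
                         "distance": distance_bucket(km),
                         "needs": r.needs})
    return feed


class MatchRegistry:
    """Progressive disclosure: identifying data is released to exactly one volunteer,
    and only after the requester has accepted that volunteer."""

    def __init__(self):
        self._accepted = {}  # request_id -> volunteer_id

    def accept(self, request_id, volunteer_id):
        if request_id not in REQUESTS:
            raise KeyError(request_id)
        if request_id in self._accepted:
            raise ValueError("request already matched")
        self._accepted[request_id] = volunteer_id

    def contact_details(self, request_id, volunteer_id):
        if self._accepted.get(request_id) != volunteer_id:
            raise PermissionError("not the accepted volunteer for this request")
        r = REQUESTS[request_id]
        # The IBAN is deliberately absent: reimbursement belongs to a separate payment step.
        return {"first_name": r.first_name, "surname": r.surname,
                "street_address": r.street_address, "needs": r.needs}


if __name__ == "__main__":
    print(naive_volunteer_feed(52.53, 13.38, 3))
    print(minimised_volunteer_feed(52.53, 13.38, 3))
    registry = MatchRegistry()
    registry.accept("r1", "vol-7")
    print(registry.contact_details("r1", "vol-7"))
```

The point of the second view is not that it is harder to build (it is about the same amount of code) but that it changes what the platform stores and shows: a scraper with a volunteer account gets grid cells and first-come pseudonyms instead of a list of surnames of sick or high-risk people with their home coordinates, and the bank account never appears in any feed at all.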

A “Solution-based” vs. a “Privacy-first” Approach: An Unfair Evaluation?

This summary critically notes that most of the 20 chosen projects lack a focus on data protection. At the same time, it must be emphasised that most of the solutions were created from scratch within two days, resulting not in final products but in prototypes that only need to demonstrate basic functionality.

The projects mentioned (along with 80-130 more) will receive continued support by the German government in order to be quickly finalised, tested and validated within the coming weeks. It is to be expected that the development process will include a stronger focus on privacy and GDPR compliance.

The enthusiasm to quickly create solutions to present COVID-19 problems is understandable, even warranted. But workable solutions will need to accommodate laws and restrictions on the collection and processing of personal data. Prototypes that focus on providing privacy-sensitive solutions from the start will arguably result in very different technologies than those to which privacy is a bothersome afterthought. As contact and movement restrictions impose significant limitations on individual rights and freedoms, governments and developers around the world could use this opportunity to create technological solutions that not only save lives but also respect (as opposed to bend) the fundamental rights to data protection and privacy.