#OstaniZdrav installation and operation
#OstaniZdrav works on iOS-based smartphones from the iPhone 6s upwards using iOS 13.5, and on Android-based smartphones from Android 6 upwards. The app is available for installation in the Google and Apple app stores.
Slovenia's #OstaniZdrav app fully follows the open-source Corona-Warn-App (CWA) developed in Germany.
The CWA supports and operates using a COVID-19 exposure notification system developed by Google and Apple, i.e. the Google-Apple Exposure Notification (GAEN). New Huawei devices without access to Google Play Services, which means they also have no access to GAEN, cannot use the CWA and therefore not the #OstaniZdrav app.
It has been assessed that the additional costs of developing an #OstaniZdrav app for Huawei Contact Shield API by the Ministry of Public Administration and the risk regarding compatibility with the CWA would be too high. When the CWA includes Huawei support, the #OstaniZdrav app will be upgraded accordingly.
On Android phones, the GPS location must be turned on for the Bluetooth Low Energy (BLE) to function properly, but the app has no access to it. On Apple phones the location need not be turned on. The app works in the background and requires just over 20 MB of storage space. Android users must allow the app to run in the background in battery-saving mode if they want to receive automatic notifications.
#OstaniZdrav does not collect data on user's location or movement
The #OstaniZdrav app does not track the user's location, and it does not have permission to do so. A notification that appears during the application's installation is only a requirement of the Google Android system. The Bluetooth system can only detect other phones in the immediate vicinity of the user's phone if the user has turned on their location function. This does not mean that the app installed on smartphones using Bluetooth automatically tracks the location of the user's phone.
In order for it to work, the #OstaniZdrav app must be able to detect devices in immediate vicinity. Therefore, the location function must be turned on in the general system settings. However, the app will never use GPS locations and will not record the user's location, which is also stated in the Data protection information.
This can be verified by following these steps:
- Find the location function in your phone’s settings.
- In location settings select App permission.
- A list of apps appears. You can see the apps that you have allowed to use your location. You can also give or refuse permission for apps to use your location. #OstaniZdrav does not need such permission and will not appear on the list.
More technically savvy users or experts can also confirm that the app really does not use the location data by checking publicly available source codes on the Github portal or by checking the app’s security settings in detail. It is recommended that users check for themselves which apps installed on their phones they have allowed to access location, and further that they only give such permission to apps they trust or for which access to location is really necessary.
Privacy noticeThis privacy notice explains what data is collected when you use the #OstaniZdrav App, how that data is used, and your rights under data protection law.Instructions | Government Communication Office
- Privacy notice (pdf, 171 KB)
Bluetooth must be turned on
Bluetooth must be on at all times in order to enable the exchange of rolling proximity identifiers with other app users. Internet connection (Wi-Fi or mobile data) must be active at regular intervals (ideally as often as possible), to obtain up-to-date information about personal risk from contacts, and to make the risks posed by the user's own infection with the novel coronavirus SARS-CoV-2 visible to other app users.
Exchange of rolling proximity identifiers
The app uses the COVID-19 exposure notification system developed by Google and Apple to record contacts. Two smartphones exchange random rolling proximity identifiers using Bluetooth Low Energy (BLE) technology. Bluetooth technology also allows the app to determine the duration of the encounter and calculate the distance between the devices based on the Bluetooth signal’s strength. Both are calculated through various measurements, and a threshold value is also established. The app defines contact as an encounter with a person infected with the novel coronavirus in which the threshold values of various measurements were exceeded. The app shows users their risk status determined based on these measurements.
After a mobile device downloads the list of all available keys of those users who have confirmed they are positive, the COVID-19 exposure notification system checks locally whether any of these keys match the locally collected rolling proximity identifiers. In the event of a match, the risk is assessed and the user receives appropriate instructions.
User identity is protected
When a person comes within two meters of someone infected with the novel coronavirus, they will not receive the notification in real time. Due to data protection, the app cannot provide a real-time response, as this would reveal the identity of the infected person, which would violate their right to personal data protection. The smartphone only knows that it was near another smartphone on which a verified test result confirming the infection with the novel coronavirus has been saved. Every user decides for themselves whether they share a positive test result or not.
All data are pseudonymised
All data recording in the app must use pseudonymisation; otherwise, no warning to other users would be possible. This also ensures that the app is protected against misuse, as, in order to confirm an infection, test results and specific smartphones – but not specific people – must be safely matched. Rolling proximity identifiers, which change every 10 minutes, are used for data recording. Rolling proximity identifiers are pseudonyms, which change at short intervals to make identification of individual pseudonyms even more difficult. Users do not have to enter any personal data into the app. Only users themselves can identify their personal references.
Users must consent to installation
As the data protection policy also applies to personal data without which the app cannot be installed, the app provides all the notifications, confirmations and consents during installation.
Daily keys and rolling proximity identifiers
Every day, the app generates a random daily key, from which it then generates rolling proximity identifiers in ten-minute intervals. Rolling proximity identifiers are daily key hash values, additionally encrypted together with a time interval. The app simultaneously broadcasts its own rolling proximity identifier and receives the identifiers of other app users, which it detects via BLE. These random identifiers are stored for the next 14 days, solely on the smartphones of the users who encountered each other. They are compared with the daily keys of users infected with the novel coronavirus.
Storage of daily keys and rolling proximity identifiers
The rolling proximity identifiers received are stored on the user's phone for 14 days. After this period, the app deletes the user's daily keys and the rolling proximity identifiers received from other app users.