Own Analysis of SwissCovid

The National Cyber Security Center (NCSC) organized a public security test of the SwissCovid app. The test "aims to provide full transparency".

In response to the public test, we provided a report on June 5 which was subject to Responsible Disclosure with no duration limit. A summary of our conclusions were quickly published by NCSC without our report. However, our report were commented and even criticized in the press on June 10 by SwissCovid representatives (while we were still forbidden to publish the report itself).

On June 16, we received an authorization to publish by ourselves. The NCSC site lists many security evaluation reports which are quite positive about SwissCovid. It does not list ours. Instead, it contains a "detailed analysis" by NCSC about out report. We are in a disagreement with this analysis.

As it appears to be quite clear that communication is not transparent, we put here our observations for the public.

Our Report

The June 5 report was augmented with an addendum. In summary, our observations are as follows.

To resolve GAEN having no available source code although the law mandates all components to have an available source code, the Federal Council issued an ordinance making an exhaustive list of components which does not include GAEN. To justify such exclusion, SwissCovid promoters argue that GAEN is part of the operating system of the phone, or sometimes part of the Bluetooth communication interface of the phone, and that it is not common to require to disclose the source code of such parts. We deny that GAEN is any such part of the phone, at least on Android phones. GAEN is part of the Google Play Services which are independent of the operating system and of the communication interfaces. We could actually run a pre-standard version of SwissCovid on an Android phone which had no Google Play Services. However, this phone had the Android operating system and could use Bluetooth. Furthermore, most of the former DP3T protocol which was implemented in this pre-standard version disappeared in the current version of the app since an equivalent protocol is now in GAEN. We conclude that there is no founded technical justification for excluding GAEN from the components of the system. We strongly believe that the ordinance is a legal trick to bypass the law which is the consequence of a disagreement between SwissCovid and Apple-Google. We urge constitutional experts to make an assessment on the validity of the ordinance.

The NCSC Analysis

We put here the NCSC analysis on our report together with our own notes. The summary of our remarks are as follows.


[Note: this section was written before June 24. Please read Episode II for evolution.]
The Law on Epidemics (LEp) was extended with Art.60a on June 20, 2020. This is the legal frame of SwissCovid. This article restricts the use of SwissCovid to the intended purpose, imposes that usage is voluntary, prohibits discrimination based on usage or not (except for a free medical test if notified at-risk by the application), and gives (in alinea 5) five requirements on the design of SwissCovid. The compliance of SwissCovid must be done with respect to those requirements. In addition to this, regulation on data protection applies (alinea 6). This implies restrictions when using personal information. A delicate question, both technically and legally, is whether the ephemeral identifiers which are exchanged via Bluetooth, as well as the diagnosed keys which are stored on the server and transit via Amazon services, are personal information or not. Since ephemeral identifiers can be computed from diagnosed keys, we believe that either both or none should be considered as personal information.

On the FOPH website we can read "The phone does not send any personal or location data to a central storage location or server". On another page we can read "The CDN only gives users access to information that cannot be used to obtain personal information (i.e. anonymous keys)". This defends that none are personal information, hence not subject to regulation on data protection. One consequence is that it seems perfectly legal that anyone collects ephemeral identifiers which are sent via Bluetooth and run some of the known attacks. We rather believe that those information should be considered as personal information hence subject to regulation. Collecting those information should be subject to legal restriction. This may have legal consequences on how data is treated on the server and transits via the Amazon CDN service.

Most of the former DP3T protocol is now replaced by what Apple and Google implemented in a component of the system called GAEN. It implements most of the crucial operations which are required in the SwissCovid system. GAEN is undoubtedly a component from a technical viewpoint. However, GAEN has no available source code, as required by law. Promoters argue that GAEN is part of the phone design, either of the operating system or of the Bluetooth communication interface, which justifies this exception. This argument is incorrect, at least on Android systems.

GAEN is part of the Google Play Services which are not open source. Telephones in which those services are removed still have the same working Android operating system and can use Bluetooth. We can live with such phones. SwissCovid does not work on them, but the pre-standard version of SwissCovid does, with available source codes. Therefore, the switch from pre-standard to GAEN-based version made SwissCovid not compliant with the law.

Compliance (Episode II)

On June 24, 2020, the Federal Council released an Ordinance on the proximity tracing system for coronavirus (OSTP). It refines LEp about SwissCovid. Quite predictably, OSTP defines the components of the system by excluding GAEN (Art.2). The system is composed of servers and of the SwissCovid app that users install on their phone. We already qualified this as a trick to exclude GAEN from the source code disclosure requirement.

Quite surprisingly, Art.5 al.2 describes the functions that the SwissCovid app is fulfilling with the help of an interface of the operating system. We understand this as a reference to GAEN (although GAEN is not part of the operating system, as already discussed). We observe below that nearly none of the 5 listed functionalities have any corresponding line of code in the available source code, for the simple reason that these are the functionalities which are fulfilled by ("with the help of") GAEN.

This is actually the list of the tasks of GAEN. What the app is really doing is not listed here.

OSTP also strengthens the exclusion of GAEN to the source code disclosure requirement of LEp by adding an explicit exception to the law for the functions of the operating system which are used via the interface, hence GAEN (Art.5 al.3). Adding an exception to a law for a part which is not recognized as a component is quite awkward. What is clear it that the job of the app (which is subject to LEp) is nealry totally outsourced to GAEN (which is exempted from LEp by OSTP). Obviously, this is not compliant with the spirit of LEp.

In a nutshell, the 19.6.2020 LEp law says all components of the SwissCovid system must have a publicly available source code and lets the Federal Council the responsibility to address the deployment details. The 24.6.2020 ordinance from the Federal Council defines the components by excluding what is provided by Google-Apple and is implementing the DP3T functionalities. Consequently, the implementation of DP3T has bypassed the law. We believe that the ordinance was already in preparation while the Council of States and the National Council were discussing on the necessity to have a publicly available source code and our analysis was censored. Citizens and the parliament have been deceived. May it be for good reasons (e.g. to hit the second wave), it is a blatant cheat. In our opinion, the law, which was made to protect people for having to use an opaque system, has proven itself to be insufficient 5 days after adoption.


Caution: as far as we know, no scientific reference (ours included) went through any peer review process.

Our references:

Legal references (some references in French): Other references:

Last update: July 7, 2020.