Make it clearer that scanning a certificate imports it (rather than verify it)

[philip-n]

Similar to corona-warn-app/cwa-documentation#716, this is less of a technical / documentation issue but rather (imho) some behavior that could be made clearer, thus related to corona-warn-app/cwa-documentation#666 .

As the new "scan"-button is now available in the app that says it can scan certificates, test results, etc, I assumed it could be used to scan the certificate shown in the CWA of another person and verify it. I then found that scanning somebody else's vaccination certificate adds it to my set of certificates in the app.

To prevent others from making the same error, I'd like to suggest two things:

1. Prevent erroneous import: Give some indication about what happens when a vaccination certificate is scanned. E.g. a popup that says "Certificate detected. Do you want to import it into your CWA? Yes / Cancel", with an additional help text about how to verify a certificate (same explanation as here).
2. Make it possible to undo erroneous imports: Offer a way to delete certificates from the app. I found the "favorite"-button that allows to pin a certificate to the top, which is great; however, the possibility to actually delete a certificate (that was maybe scanned in error) would be great. If this already exists, display it in a more prominent way 😉

---

Internal Tracking ID: EXPOSUREAPP-10263

[MikeMcC399]

@philip-n
Re 2. See https://www.coronawarn.app/en/faq/#eu_dcc_remove "How do I remove a certificate from the Corona-Warn-App?"

[Ein-Tim]

@philip-n

Do you consider this as a bug or as a enhancement request?

[philip-n]

@philip-n Re 2. See https://www.coronawarn.app/en/faq/#eu_dcc_remove "How do I remove a certificate from the Corona-Warn-App?"

Oh, my fault. Did not look at this in detail, as it was more of an afterthought. Sorry, and thank you for the pointer!

However, can I suggest that this could be placed more visibly? From a users perspective, I somehow expected that after selecting a certificate on the main screen, the interaction options (like deleting it) would be available directly on the certificate screen. The fact that there is one interaction option shown ("set this certificate as default/favorite") added to this impression.

(to clarify: with "certificate" I mean the "full" certificate that gets valid 14 days after second vaccination, not the two "sub-certificates" that confirm one vaccination each).

---

@Ein-Tim I consider it an enhancement request, not a bug (was unsure which template creates what kind of issue).

[Ein-Tim]

@philip-n

I consider it an enhancement request, not a bug (was unsure which template creates what kind of issue).

Thanks for the feedback! In this case I suggest to @dsarkar (one of our super nice community managers here) to transfer this issue to the https://github.com/corona-warn-app/cwa-wishlist repository.

In the https://github.com/corona-warn-app/cwa-wishlist repository, we keep all issues which are feature requests or request an enhancement.

---

However, can I suggest that this could be placed more visibly? From a users perspective, I somehow expected that after selecting a certificate on the main screen, the interaction options (like deleting it) would be available directly on the certificate screen. The fact that there is one interaction option shown ("set this certificate as default/favorite") added to this impression.

I suggest you open a new issue reg. this in the https://github.com/corona-warn-app/cwa-wishlist repository.

Have a nice Sunday!

[Ein-Tim]

Okay, this is actually something users are confused from: https://twitter.com/kimbeereis/status/1452165913155878915?s=21

This should be improved ASAP.

[vbra0001]

Hello,
I would suggest, that this is a rather bug in the text that describes the functionality of function „QR-Code-Scan“.

From „personal data safety“ point of view ist is very important, that also a user who doesn‘t read documentation/FAQs, realizes before doing the scanning that he should/must only scan QR-codes for his personal usage (my certificate, my event check-in, my children‘s certificates,…)
This weekend I experienced at a sports club that a manager was afraid to use CWA event-QR-Code for the club’s event check-in because he doubted the GDPR compliance: He scanned other persons certificates, assuming he was doing a vaildity check + check-in, and complained that all this „foreign data“ was saved on his mobile phone.

So, in my opinion, the text which is displayed below the scan-window should state
a) scan your own test, vaccination and recovery certificates and your check-ins, or certificates of persons closely related to you
b) Note: Use CovPass Ceck app to validate certificates

(I am completly new to GitHub, I hope I am using this comment function correctly…)

[Ein-Tim]

@vbra0001

Thank you for your comment!
Yes, this also seems like a bug to me rather than a feature request now!

(I am completly new to GitHub, I hope I am using this comment function correctly…)

Yes you do! Thanks for commenting here!

[philip-n]

This weekend I experienced at a sports club that a manager was afraid to use CWA event-QR-Code for the club’s event check-in because he doubted the GDPR compliance: He scanned other persons certificates, assuming he was doing a vaildity check + check-in, and complained that all this „foreign data“ was saved on his mobile phone.

This is actually very similar to the problem I had in mind, but I could not describe it as well. Thanks!

Certificate checks (due to 3G or 2G) are quite common not only at commercial venues, but also in voluntary-run settings (Vereinsfeste, Sporttraining, Mitgliederversammlungen). Many people have the CWA already installed, so I see a quite high chance that what @vbra0001 described is not the only instance where this happened / happens.

To prevent this, I'd argue for a pop-up where the user needs to explicitly confirm that they want to import an additional certificate. As scanning personal certificates or test results with the CWA does not happen too often (probably less than weekly, if at all?), I do not think that this would be too intrusive. To me, just showing an explanatory text in the scanner interface sounds like something that many people would overlook easily.

[vbra0001]

To prevent this, I'd argue for a pop-up where the user needs to explicitly confirm that they want to import an additional certificate. As scanning personal certificates or test results with the CWA does not happen too often (probably less than weekly, if at all?), I do not think that this would be too intrusive. To me, just showing an explanatory text in the scanner interface sounds like something that many people would overlook easily.

As the scan of a check-in QR-code already displays a pop-up where you need to klick a button to confirm the check-in, yes, I also think, it seems „natural“ if there also was such a confirmation-pop-up when scanning a certificate.

Additionally, I think, the text below of the scan-frame should be changed so it’s pointed out that the scan function is only meant for your own certificates/check-ins and that CovPassCheck must be used for validation.
And in German language the text („PCR-Test und Schnelltest, Testzertifikate, Impfzertifikate, Genesenenzertifikate und Check-ins“) is a rather long enumeration and contains kind of duplicate words („PCR-Test und Schnelltest“) in my understanding, since one cannot scan a test but only a certificate.

So, maybe like this:
————————————————
Welche QR-Codes können Sie scannen?
Eigene Impf-, Genesenen- und Testzertifikate und eigene Check-ins.
(Für die Prüfung von Zertifikaten muss die CovPassCheck-App genutzt werden.)
————————————————

(Well, my opinion is all from endusers point of view (having no idea how much programming effort this would mean….)

[MikeMcC399]

@vbra0001

... in my understanding, since one cannot scan a test but only a certificate.

That is not correct. Look under:

Manage Your Tests > Scan QR Code
or
Ihre Testverwaltung > QR-Code scannen

Test QR codes were the first ones which could be scanned by CWA. The certificates came much later.

You can see an example of a QR test code on https://www.coronawarn.app/assets/documents/MU%2010C%20(01_2021)%20web.pdf

[vbra0001]

Hello @MikeMcC399, then I probably misunderstand something here, my apologies...
Isn't a "Test QR code" after all the same thing as a "test (result) certificate" ? If not, then I probably didn't understand so far what the difference to a "test certificate" is (in German the difference between 'PCR-Test und Schnelltest' and '... 'Testzertifikate') ...

[MikeMcC399]

@vbra0001

then I probably misunderstand something here, my apologies...

no problem!

Isn't a "Test QR code" after all the same thing as a "test (result) certificate" ? If not, then I probably didn't understand so far what the difference to a "test certificate" is (in German the difference between 'PCR-Test und Schnelltest' and '... 'Testzertifikate') ...

The Test QR code is so that you can receive the results of your test.

A certificate can be issued if the result of the test is negative.

The in-app explanations are not so detailed. The best place to read in detail are the privacy notice (English) or Datenschutzerklärung (German). (This is integrated into the app through the three-dot or i icon on the top right of the Status screen.)

You can also read the Solution Architecture document but that has not been updated to cover certificates.

[vbra0001]

The in-app explanations are not so detailed. The best place to read in detail are the privacy notice (English) or Datenschutzerklärung (German). (This is integrated into the app through the three-dot or i icon on the top right of the Status screen.)

Oh my... I obviously didn't follow the "first read the full documentation" rule, although I would've never searched the privacy notes for finding these definitions... Thank you for this hint.
Anyway, for the not-reading-all-the-documentation type of user (like me) it would be good to see right away, that in CWA I am supposed to scan only "my" things.
But, if ever suggestion #633 was implemented, then I guess the overall-presentation of the "scan-window(s)" would have to be re-done anyway, to make it visible at one glance what kind of QR-Code the user should scan.

[MikeMcC399]

I have added corona-warn-app/cwa-website#1995 as a request to have a statement "Can I legally use CWA to verify another person's 2G/3G status?" on the FAQ website for clarity.

[dsarkar]

currently tracked here: Internal Tracking ID: EXPOSUREAPP-10263

[Ein-Tim]

@dsarkar

Is there any enhancement planned? Users are using CWA to "verify" certificates. This is obviously a user error but CWA could prevent this by improving the UI: https://www1.wdr.de/nachrichten/rheinland/barbesitzer-deckt-sicherheitsluecke-corona-warn-app-auf-100.html

Cc @mlenkeit

[dsarkar]

@Ein-Tim We will look at this! Thanks.

[vaubaehn]

Some works are on the way: #717

[mlenkeit]

@dsarkar

Is there any enhancement planned? Users are using CWA to "verify" certificates. This is obviously a user error but CWA could prevent this by improving the UI: https://www1.wdr.de/nachrichten/rheinland/barbesitzer-deckt-sicherheitsluecke-corona-warn-app-auf-100.html

Cc @mlenkeit

@Ein-Tim As some of you might have spotted, an initial step to address this is taken with corona-warn-app/cwa-app-android#4513 and corona-warn-app/cwa-app-ios#3961, which will probably be part of 2.15. This will restrict the number of distinct people for which certificates can be added and there's a threshold for that, once exceeded, a warning is displayed whenever a certificate for a new person is scanned. Both threshold and maximum are subject to configuration and initial values are not yet finalized.

See also https://twitter.com/coronawarnapp/status/1468928375683227651

We are also evaluating further adjustments when scanning a certificate and we are of course considering the different suggestions that have been made here on GitHub. But as usual, no promises that any further changes will be done here or not.

[Ein-Tim]

@mlenkeit

Okay thank you for the long and detailed answer!

One question remains: Why are the reports on GitHub only heard now? The first report that the UQS is used to verify certificates was in #666, which was opened 2 months ago.

I assume these changes are made as a reaction on the press articles in the last days. Why were the reports in GitHub not analyzed?

Sorry for this "critical" question, but if this would have been improved after it was reported, the CWA wouldn't have to deal with this (and the pad press) now.

[Ein-Tim]

@mlenkeit

One important thing I forgot:

Thanks to the whole development team for implementing this in just one (1!) day!
It's so nice to get this into the 2.15 release!

[Jo-Achim]

@philip-n wrote:
As the new "scan"-button is now available in the app that says it can scan certificates, test results, etc, I assumed it could be used to scan the certificate shown in the CWA of another person and verify it. I then found that scanning somebody else's vaccination certificate adds it to my set of certificates in the app.

To prevent others from making the same error, I'd like to suggest two things:

1. _Prevent erroneous import:_ Give some indication about what happens when a vaccination certificate is scanned. E.g. a popup that says "Certificate detected. Do you want to import it into your CWA? Yes / Cancel", with an additional help text about how to verify a certificate (same explanation as [here](https://github.com/corona-warn-app/cwa-documentation/issues/716#issuecomment-932157428)).

If we assume that the legitimate scanning and saving of certificates into the CWA is rarely necessary, the hurdle for storing such a certificate could also be increased.
For example, by compulsory entry of the date of birth that is specified on the scanned certificate.

This is probably not demand too much for the legitimate storing of an (own) vaccination certificate into the CWA. Or?
However, if you want to 'collect' certificates with the help of the CWA, you can hardly keep up with entering the required date of birth. And finally, this time expenditure would be noticed when scanning.

Cross referece: Fraud protection.

[hxr404]

Perhaps simply renaming the "Scan" button to "Import Certificate" could do the trick.

Of course this doesn't prevent anyone from maliciously "harvesting" certificates, but I think certificates being imported by accident is a bigger issue currently.

[Jo-Achim]

Simple ideas are often the best.
But if I understand correctly ... not always.

Because behind the "Scan" button (v.2.15.1) there are not only functions for scanning vaccination certificates, but also for tests, check-ins and proof of ticket bookings.
I would consider "Import Certificate" to be inappropriate here. But maybe there are even better formulations.

[Ein-Tim]

#706 is an idea how to simply improve this.

[Ein-Tim]

This issue is obsolete IMO, the app now shows a warning that it can't be used to verify certificates & refers to the CovPassCheck-App.

Here is a screenshot of the warning:

Please close this issue.

[Ein-Tim]

Please close this issue @larswmh / @dsarkar.

[larswmh]

Thanks for all of your comments. Feel free to open another issue if necessary.

Closing as suggested