News

How (not) to set up a public warning system

on:

What is the best way to alert people about catastrophes? Germany went with proprietary apps which caused the recent warning day ("Warntag") to become an official failure. We analysed the situation and found more robust solutions that respect user rights.

The basic idea of testing emergency systems is to find potential or real problems. However, it is remarkable how much went wrong in Germany's official warning day in September. Especially the unreliability of the officially advertised non-free and non-standard apps forced the Federal Ministry of the Interior (BMI), that is in charge of the responsible Federal Office of Civil Protection and Disaster Assistance (BBK), to label the test day as a failure.

The FSFE analysed the findings together with experts in civil protection and mobile networking to figure out why the apps failed, and what a more resilient and open system can look like.

A red emergency phone

Digital Warning Systems in Germany

There are three popular publicly financed apps that can carry official emergency alerts to their users: Katwarn, Nina, and Biwapp. All three are proprietary, so non-free software that does not allow their users to use, study, share, and improve the software. Moreover, they rely on fetching emergency alerts from the central MoWaS ("modular warning system"), and forwarding these to the app users using their phones' WiFi or mobile internet connection.

An overload of this central system was the main reason why many alerts did not reach the app users in time or at all. This did not come as a surprise, though. In a scenario where millions of devices are reached at the same time from a central instance with one-to-one (unicast) connections, network bottlenecks are almost inevitable.

The underlying problem, however, is unnecessary complexity and duplicated structures. Instead of investing large amounts of public money into centralised systems and three proprietary apps, other states run a more resilient and well-tested infrastructure for distributing emergency messages: SMSCB, more commonly called cell broadcasts, to provide one-to-many messages.

Cell Broadcasts

Standardised around 1990, cell broadcasts are an established method to send messages to all mobile network users, either in a whole country or limited to specific areas, in no more than a few seconds. Phones do not have to be registered in a specific network to receive these messages, and alerts with the highest priority will ring an alarm even if the phone is muted. And unlike SMS and mobile internet, cell broadcasts have a reserved channel that works even if phone cells are overloaded with users and messages.

Furthermore, cell broadcasts can be received by every phone, no matter whether emergency apps, an up-to-date operating system, or proprietary Google/Apple services are installed. Because the communication is one-to-many, there are no privacy concerns either. These clear benefits made the European Union decide to base the EU-Alert system on cell broadcasts. As a directive, this has to be implemented by all EU member states before June 2022, unless a state can provide a service with a similarily reliable performance – which is a very high threshold.

Regardless of these advantages, Germany chose to not base its emergency alert system on the SMSBC standard, unlike other countries such as the Netherlands, Greece, Romania, Italy, or the USA. Because there is no official obligation to do so, most mobile network providers deactivated this feature to save costs. Instead, much higher costs are incurred by the taxpayers to finance an isolated system and accompanying proprietary apps.

EU-Alert/NL-Alert Cell Broadcast message
EU-Alert/NL-Alert Cell Broadcast message in 2018. CC-BY-SA-4.0 by WarningMessageDelivery

Warning Apps

Despite the clear advantages of cell broadcasts, warning apps have their justification. Users can request various information about other regions and past events. However, basing a large part of the emergency communication system on warning apps has proven to be too prone to single points of failure.

Furthermore, because of the critical role of emergency communication systems for the public, they have to be Free Software, and built upon Open Standards. Only with the freedoms to use, study, share, and improve software, can they be analysed by citizens and independent security researchers. This in turn increases trust and willingness to install a complementary warning app, as the practical experience with the Corona tracing apps shows.

Conclusion

Our analysis concludes with three key findings that not only the responsible administrations but also other actors should keep in mind.

In this sense, the responsible administrations, BBK and BMI, have a lot of work ahead. But it is doable, both from the practical and financial perspectives.