How (not) to set up a public warning system
What is the best way to alert people about catastrophes? Germany went with proprietary apps, which caused the recent warning day ("Warntag") to become an official failure. We analysed the situation and found more robust solutions that respect user rights.
The basic idea of testing emergency systems is to find potential or real problems. However, it is remarkable how much went wrong on Germany's official warning day in September. In particular, the unreliability of the officially advertised non-free and non-standard apps forced the Federal Ministry of the Interior (BMI), which is in charge of the responsible Federal Office of Civil Protection and Disaster Assistance (BBK), to label the test day a failure.
The FSFE analysed the findings together with experts in civil protection and mobile networking to figure out why the apps failed, and what a more resilient and open system can look like.
Digital Warning Systems in Germany
There are three popular publicly financed apps that can carry official emergency alerts to their users: Katwarn, Nina, and Biwapp. All three are proprietary, that is, non-free software that does not allow users to use, study, share, and improve it. Moreover, they rely on fetching emergency alerts from the central MoWaS ("modular warning system") and forwarding these to the app users over their phones' WiFi or mobile internet connection.
An overload of this central system was the main reason why many alerts did not reach the app users in time or at all. This did not come as a surprise, though. In a scenario where millions of devices are reached at the same time from a central instance with one-to-one (unicast) connections, network bottlenecks are almost inevitable.
The underlying problem, however, is unnecessary complexity and duplicated structures. Instead of investing large amounts of public money into centralised systems and three proprietary apps, other states run a more resilient and well-tested infrastructure for distributing emergency messages: SMSCB, more commonly called cell broadcasts, to provide one-to-many messages.
Standardised around 1990, cell broadcasts are an established method to send messages to all mobile network users, either in a whole country or limited to specific areas, in no more than a few seconds. Phones do not have to be registered in a specific network to receive these messages, and alerts with the highest priority will ring an alarm even if the phone is muted. And unlike SMS and mobile internet, cell broadcasts have a reserved channel that works even if phone cells are overloaded with users and messages.
Furthermore, cell broadcasts can be received by every phone, no matter whether emergency apps, an up-to-date operating system, or proprietary Google/Apple services are installed. Because the communication is one-to-many, there are no privacy concerns either. These clear benefits made the European Union decide to base the EU-Alert system on cell broadcasts. As a directive, this has to be implemented by all EU member states before June 2022, unless a state can provide a service with a similarly reliable performance – which is a very high threshold.
Regardless of these advantages, Germany chose not to base its emergency alert system on the SMSCB standard, unlike other countries such as the Netherlands, Greece, Romania, Italy, or the USA. Because there is no official obligation to do so, most mobile network providers deactivated this feature to save costs. Instead, much higher costs are incurred by the taxpayers to finance an isolated system and accompanying proprietary apps.
Despite the clear advantages of cell broadcasts, warning apps have their place. Users can request various information about other regions and past events. However, basing a large part of the emergency communication system on warning apps has proven to be too prone to single points of failure.
Furthermore, because of the critical role of emergency communication systems for the public, they have to be Free Software, and built upon Open Standards. Only with the freedoms to use, study, share, and improve software can they be analysed by citizens and independent security researchers. This in turn increases trust and willingness to install a complementary warning app, as the practical experience with the Corona tracing apps shows.
Our analysis concludes with three key findings that not only the responsible administrations but also other actors should keep in mind.
- The foundation of emergency communication from authorities should be a standardised, resilient system that is capable of sending millions of messages to as many devices as possible, regardless of their operating system or installed software. Currently, SMSCB, or cell broadcasts, seems to be the best possible implementation, one that works well in numerous states. Therefore, we appreciate that the EU chose to base EU-Alert on cell broadcasts.
- Warning apps can be a useful complement. Especially for publicly funded apps, it is crucial to develop and release the software under a Free Software license, following the principle of "Public Money? Public Code!".
- Testing warning systems is important, and the planned regular warning days should be maintained in the future. It is normal that errors occur during these tests, but they must not be glossed over. Instead, errors must be addressed thoroughly.
In this sense, the responsible administrations, BBK and BMI, have a lot of work ahead. But it is doable, both from the practical and financial perspectives.