UNDO: The APP for new freedom

Who isn’t burdened by the prolonged lockdown? We all want to get back to normal. It’s clear that this can’t happen all at once. But it can happen step by step, with a clear concept, deliberately and permanently. We are all aware that we need to vaccinate quickly. This is the most promising way out of the restrictions on basic rights and back into our normal lives. In addition to vaccination, digital contact tracing can effectively help us break the chains of infection. With the digital contact tracing undo, Scopevisio AG from Bonn, Germany, has developed a demographic-pandemic app with the goal of efficiently discovering and breaking infection chains.

UNDO stands for a joint doing (UNited DOing) to reverse the restrictions caused by the pandemic to be reversed (UNDO).

Such a solution must not only be easy for individuals to use when checking in and out, but must also adequately map facilities of any complexity (operator lounge). Services by employees must be possible (employee lounge) and the health department must be efficiently and effectively enabled to detect and break chains of infection (health department lounge).

Facility plus person-centric approach

In the UNDO app, Scopevisio combines the facility-centric approach from the country-specific Corona protection regulations (visitor history) with the person-centric approach of a personal diary (visit history).

Why are both approaches only effective in combination?

In a facility-centered solution, individuals visiting a facility are registered with time and place of stay (=30-day facility visitor history). The more precisely the location, time and contact persons are determined, the more effectively contacts can be traced. This is in line with the Corona protection regulation.
In a person-centered solution, the facility that a person visits is registered with time and place of stay (= 14-day visit history of the person). If a person visits many different facilities and registers each time, he or she builds up a personal visit history (diary).
Both approaches have their advantages. While the facility-centered approach can track much more accurately within a facility who was in contact with whom and when, the person-centered approach helps to assist the person in indicating facilities visited in the last 14 days to fill in “memory gaps.” However, it is the combination of both approaches that yields the best results: If a person becomes Covid-19 positive, the health department can request the fourteen-day visit history from the infected person. Knowing at what time in which facility the infected person was, the health department can request the visitor history of all persons who were there at the same time through the operator of the facility in question.

UNDO, the professional solution for facilities and operators

The UNDO solution is suitable for small and simple facilities as well as for large complex facilities. UNDO’s multi-client capability also allows large groups, for example from the hotel industry, hospitals, retail, franchising or corporate groups, to centrally administer and decentrally deploy digital contact tracking.

The larger and more complex facilities, events or groups are, the less competitive solutions are able to handle this complexity. Think of a soccer stadium with 40,000 visitors. It does not make sense for the health department to declare everyone in a football stadium to be close contacts (higher risk of infection) just because an infected person was in the stadium. The larger the facility or event, the more important it is to know the exact whereabouts of an infected person. UNDO registers the facility with outline levels of any depth. I.e. by simply scanning the QR code of a ticket, e.g. from Eventim, the organizational structure of the facility is automatically recognized and created. For example, in the person-centric view of a soccer stadium: east stand, entrance B, zone B2, row 15, seat 27. If the person in this seat 27 is reported as infected, then in the facility-centric view, the health department can have all close contacts in an infection cell dynamically calculated by UNDO around the infected person with the visitor history reported by the organizer. For example, the persons within a radius of 3 meters can be declared as close contacts. With such analyses, the health department remains operationally capable even at large facilities and events.

Infection cells can be described in more detail via risk factors. In the health department lounge, a risk assessment required by the RKI thus becomes possible.

UNDO comprehensively and in detail combines these two approaches in one solution. The UNDO solution was designed for simple to very complicated and large facilities. The UNDO app in combination with the UNDO web solution simultaneously addresses all regulations of the country-specific Corona protection regulations with the advantages of a fully closed personal visit history.

Easy to use, but with a high level of comfort: that’s UNDO.

The UNDO solution is as easy to use and set up as possible, yet extremely powerful: Registration is carried out using the personal data required by law. To validate the registration of natural persons to UNDO, a TAN code is used, which is transmitted to the specified mobile phone number for confirmation. To validate the registration of institutions to UNDO serves an e-mail confirmation in the double-opt-in procedure to the specified e-mail address to be deposited. There are copy-proof dynamic QR codes that renew every 30 seconds.

Native iOS and Android apps and a web app are available for individuals. Employee-, location-, and site-specific QR codes are printable, as well as manual digital captures by the visitor, an escort, or a staff member.

The QR code can be scanned by the operator at the individual as well as by the visitor at the facility. Check-in is plausible via geofencing, i.e. it is checked whether the person checking in is at the location of the facility. Check-out can be done by the visitor, the operator as well as by geofencing by means of removal from the location. Especially for moving facilities like trains or buses, geofencing can be switched off.



Facility-related information such as menu cards, directional signs, information boards, program booklets, instructions, etc. can be stored by the operator in UNDO for contactless use, as can individual images, logos or banners. The individualizations are activated at check-in and deactivated at check-out. For large and affiliated companies (groups) there is a simple entry of mass master data, for example for facilities, employees, areas, zones, rooms, units, tables, chairs or seats (import). The personal visit data is automatically and permanently deleted after 14 days and the facility-related visitor data after 30 days, in each case in compliance with the ordinance.

Where can UNDO be used?
UNDO can be used everywhere, nationwide in every institution and by every person: whether in churches, hotels and restaurants, retail, museums, children’s birthday parties, schools, lecture halls, kindergartens, events, zoos, workplaces, private parties, large halls, (soccer) stadiums, administration, construction and food markets, parliaments or general meetings. There are hardly any limits to the use.

Who can use UNDO?

Without restriction, every private person, every institution, every employee and the health department can use UNDO free of charge. There are four different user groups, for each of which a user lounge is available:

  1. Individuals via the UNDO app (native and web app).
  2. Facilities via the operator lounge (web solution).
  3. Service staff, vendors, … via the employee lounge (web app).
  4. For pandemic control, the health department via the health department lounge (web solution).

User-specific functionalities are available for each lounge. The clear order reduces application complexity and simplifies handling to the essentials.

What functions are available to the health office in UNDO?

The challenge of health departments is to monitor a huge flood of contact tracing data when incidence rates are high. To support this work as efficiently as possible, a health department lounge has been developed in UNDO. Using two-factor authentication, the health department can enter a protected area and from there engage in direct and rapid communication with individuals and operators. The RKI recommends that health departments conduct a risk assessment in terms of one-time or ongoing exposure by the infected person in their potential environment. This first requires an assessment of the infection environment. To make this risk assessment much easier for the health department, UNDO allows the formation of infection cells. In infection cells, UNDO describes risk factors of an exposure and makes indications of the intensity of an aerosol transmission transparent. Infection cells are defined in UNDO, for example, by describing the type of space (size in QM and/or CBM of the space), duration of stay, density of people, ventilation conditions (outdoors, large open windows, ventilation system (AHU), filter class ISO ePM11 to reduce viruses and bacteria, enclosed space), activities (sports, singing, etc.) and type of event. In addition, infection cells are to be set up by the operators to group the least number of possible close contacts.

Thus, when inquiries are made by the public health department to the operator, those who may be considered close contacts can be more easily identified and qualitatively better assessed via risk factors. This significantly reduces the number of contacts to be followed up and increases the quality of selection and prioritization of the close contacts at highest risk. As a result, the work of the health department can be carried out much more effectively.

Another goal of UNDO addressed is the speed and convenience of communication from the health department to infected individuals and operators. If the health department receives word of an infected person, that person is usually called. If this infected person confirms the use of UNDO on the phone and authorizes the transfer of personal visit history data, then the following process applies:

  1. In the visit history, the infected person releases the history and provides the health office with a release code on the phone.
  2. In the health office lounge, the health office can decrypt the visit history with its private key and the release code.
  3. According to the selected criteria, e.g. all stays longer than 10 minutes in closed rooms, the health office can narrow down the visit history.
  4. With one click, the health department can then send the narrowed down history of visits to all affected operators for release of the visitor history (= close contacts).
  5. The operator is then required to release the list of potential close contacts to the health department. The selection is made according to the contacts in the infection cells and includes all risk factors deposited by the operator.
  6. The health department can now better assess the level of risk of close contacts and provide them with targeted information

In parallel with the release of the visitor history, coordinated CSV files are generated in Sormas format in each case and transmitted to the health department. These can then be uploaded to Sormas. The state of NRW has commissioned the development of a gateway to the upstream system IRIS from the initiative “Wir für Digitalisierung”. As soon as an API or gateway is available, we will connect UNDO directly online.

UNDO is suitable for narrowing down the potential close contacts of an infected person, even in large and complex facilities or at major events. With UNDO, the health department is able to efficiently and effectively perform contact tracing even in such cases. Consequently, large events such as Bundesliga games or concerts with thousands of visitors are coming back into the realm of the responsible.

What about data security?

Data privacy and security is very important at UNDO.

In the facility-centric approach, visitor data from individuals at a facility is stored in an ISO 27001-certified Telekom data center in Germany. All personal data fields are individually encrypted per facility and thus it is also not possible to infer individual persons implicitly via symmetries. The personal data of a visitor history can only be decrypted with the private key of the respective operator of a facility. The visitor identification is also encrypted, so it is not possible to query a visitor-related visit history. The private individual remains the “master” of his or her data in the visit history. The operator of a facility can only decrypt a facility-related visitor history in a requested time period (up to 30 days in the past) upon request by the health department and send it to the health department as a Sormas-enabled CSV file. This is consistent with the provisions of the states’ Corona Protection Ordinances.

In the person-centered approach, data autonomy over personal visit history remains solely with the individual. Physically, personal visit data is persistently stored only locally in the memory of the user’s terminal device for the duration of the last 14 days. Viewing the visit history can optionally be blocked via a PIN. With this protection, no one can create a movement profile without physical possession and criminal “hacking” of the end device. In particular, it is impossible to create broad-based movement profiles of many people. If the health department requests a person’s visit history, that person can decide autonomously whether to transmit this visit data to the health department or to delete individual entries before transmission. There is no legal obligation to transmit the data.

The UNDO solution does not use a system-side key. This means that neither personal nor facility-related or movement data can be decrypted by unauthorized third parties, not even by the manufacturer SCOPEVISIO.

Encrypted properties of a visit are the start and end times, the location in the facility, and a one-way ID of the person and facility. The symmetric key is not stored. An anonymous history of visits, where only one-way IDs are visible, is possible for operators of a facility across users. This is implemented using the open libraries Stanford Javascript Crypto Library (SJCL) (time-based SHA-256 key) and with OpenSSL on the server side.

And with data protection?

UNDO is developed in compliance with the GDPR and protects the security of personal data. For example, a lot of effort has been put into ensuring that it is impossible to centrally create movement profiles across many people. The application is technically designed in such a way that data protection default settings that require consent are initially deactivated (Artt. 7, 8 DSGVO). Personal data can be changed independently at any time by the data subject (here in the sense of “user of the application”) (Art. 16 DSGVO). The application does not use any form of tracking – not even through cookies (Art. 25 DSGVO). The data is stored in encrypted form (Art. 32 DSGVO). Technical settings ensure that the data is automatically and permanently deleted after 30 days as part of the legally required contact data tracking (Art. 17 DSGVO).

The personal fourteen-day visit history is solely under the sovereignty of the data subject. She alone decides whether she wants to share this transaction data with the health department upon request. She can delete it at her own discretion or delete individual entries from it, as there is no legal obligation to collect and transfer this data. The private individual always remains “master of her data in the visit history” and has full data autonomy over it (Art. 18 DSGVO).

The personal fourteen-day visit history is solely under the sovereignty of the data subject. She alone decides whether she wants to share this transaction data with the health department upon request. She can delete it at her own discretion or delete individual entries from it, as there is no legal obligation to collect and transfer this data. The private individual always remains “master of her data in the visit history” and has full data autonomy over it (Art. 18 DSGVO).

Scopevisio informs the users of the application in accordance with the provisions of Article 13 of the data collection and the scope of data processing. In addition, an agreement on commissioned data processing in accordance with Art. 28 DSGVO is concluded with the respective institution to regulate the obligations under data protection law. This also lists all technical-organizational measures (TOM) taken to protect the data.

Scopevisio discloses the source code to the data protection officers of the federal states as well as the Federal Data Protection Commissioner via GitHub and is maximally transparent. At a later date, the UNDO open source will be disclosed to all. This is currently being prepared.

What is planned?

In the short term, date-related storage of the first and second vaccination and antibody detection will be available. In addition, it will be possible to store a PCR test and rapid tests all with digital proof of the findings. The integration of medically validated test results by verified laboratories can significantly increase the safety of all guests. For example, at large events, guests will soon be registered with a scan and the admission control will receive an acoustic and/or visual signal about the result of a day-specific test validated online at the laboratory.

Furthermore, an event calendar is in preparation, which can be assigned to the organizational structure levels. Thus, not only location but also occasion of potential contacts is available to the health department for contact tracking.

Why is the solution free of charge?

UNDO does not cost anyone anything! This is our contribution to society in the fight against the pandemic. Users of the app do not commit to anything, it is free for the duration of the pandemic and without any commitment.

All information is also available for download here.

To Website of UNDO-APP