Police in Mainz, Germany, have just admitted to having unlawfully accessed personal data collected by Luca-App, an application similar to TousAntiCovid. The scandal has revived the debate on the dangers of these location-based applications, which are supposed to help break Covid-19 contamination chains quickly and which hold a great deal of sensitive personal data.
It all started with a fatal accident in Mainz, Rhineland-Palatinate, on November 29, 2021. Almost two months later, this tragic news item turned into a national scandal in Germany. At issue: the misuse by the police of personal data and the security of one of the two German Covid-19 tracking applications, similar to the French TousAntiCovid.
“I got a call from the criminal police shortly after Christmas. The officer told me he wanted to question me and that he had obtained my personal details, including my cell phone number, thanks to the Luca-App application,” Olivier Matter, a resident of Mainz, told Südwestrundfunk (SWR), which was the first to reveal the case, on January 7.
On November 29, he had spent part of the evening in a bar in the old town of Mainz. It was there that a person suffered a fatal fall from the first floor of the establishment. After this accident, the police requested and obtained the personal data of the customers present that evening who had the Luca-App application on their smartphone. The police were able to contact 21 people to determine the exact circumstances of the tragedy, the Mainz prosecutor’s office told SWR.
Luca-App records the presence of its users in bars, restaurants, concert halls and other venues. This data is then used by the health authorities of the 13 Länder where the application is deployed to trace the chain of contaminations when a cluster of Covid-19 infections is discovered.
But nowhere does it say that the police can dig into this data for their investigations. In reality, the health law even limits the use of this information to the sole search for contact cases to fight against the spread of Covid-19.
The SWR revelations quickly sparked an avalanche of outraged reactions in Germany. First against the police in Mainz, accused of having paid little attention to the privacy of citizens in a case which, moreover, had all the appearances of a tragic but simple accident.
In a country which, as Deutsche Welle points out, is historically one of the most protective of the right to privacy in Europe, such overreach by the police is very badly received. All the more so since the excuse put forward by the Mainz prosecutor’s office is far from being considered satisfactory. The police “misinterpreted the legal basis of their action under the law,” the prosecutor’s office said.
Lawyers and computer security experts were quick to point out that the law had nevertheless been clearly drafted to prevent this kind of abuse. “There was never any doubt that access to this private data was strictly illegal for the police,” said Bianca Kastl, a computer security expert who warned about the dangers of the Luca-App application in June 2021, when contacted by France 24.
For Dieter Kugelmann, data protection commissioner for the Land of Rhineland-Palatinate, the problem is not only that the police exceeded their rights in this case. It is also that “it sends the worst possible signal at a time when citizens need to have confidence in the way in which the authorities are handling personal data during this health crisis,” he said.
He also called, on Monday, January 10, for an investigation to determine whether the police had already taken liberties with the personal data collected via Luca-App on other occasions. The prosecution assured that, for the moment, it had found “no other error”. But the authorities in Mainz said the investigation was not yet closed.
Call to delete the application
Pending the findings, several local politicians urged Germans to delete Luca-App. Among them are Daniel Karrais, the “digital economy man” of the liberal FDP in the Land of Rhineland-Palatinate, and his Green colleague Alexander Salomon. For them, this case highlights above all that the application is more dangerous for privacy than it is useful in fighting the spread of the virus.
These criticisms are not new. “In March 2021, an open letter was published by Internet privacy advocates warning of the limits of this application. A month later, several crypto experts predicted that there would be leaks of sensitive data,” recalls Bianca Kastl. She herself had advised the health authorities of the Lake Constance district, in the Land of Baden-Württemberg, not to use Luca-App to track down contact cases after discovering technical flaws in the application.
Luca-App, developed by the Berlin start-up Culture4Life, has been criticized above all because the data collected (names, addresses, phone numbers) is stored on the company’s own servers. The data is certainly encrypted, but it suffices for the health authority of a Land and the owner of the establishment concerned by Covid-19 cases (bar, museum, theater, etc.) to use their decryption keys to obtain unencrypted access to the data on the venue’s customers. “This means that the users of the app are not even consulted when their personal information is accessed,” specifies Bianca Kastl.
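The architecture just described (encrypted records held centrally, readable whenever a venue and a health authority combine their keys, with the affected user playing no part) is the crux of the privacy criticism. The following Python model is an added illustration and is not Luca-App's actual protocol or Culture4Life's code: it assumes a per-record key split into two XOR shares, a SHA-256 keystream as a stand-in for a real cipher, and a server-side access log whose entries can be audited against the single lawful purpose named in the article (contact tracing). The constructed check-in data is fictitious.

```python
"""Toy model of centralised check-in storage with two-party key access.

Added illustration, not Luca-App's real protocol.  The SHA-256 keystream
stands in for a real authenticated cipher; the point being shown is the
access model (who can decrypt, and who is never asked), not the crypto.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256 (toy PRF, not for production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(record_key: bytes):
    """Two-party XOR secret sharing: either share alone is uniformly random."""
    venue_share = secrets.token_bytes(len(record_key))
    authority_share = _xor(record_key, venue_share)
    return venue_share, authority_share


def combine_shares(venue_share: bytes, authority_share: bytes) -> bytes:
    return _xor(venue_share, authority_share)


@dataclass
class OperatorServer:
    """Operator-side store: holds ciphertexts and logs every disclosure."""
    records: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)

    def check_in(self, user_data: dict):
        """Encrypt a check-in; hand one key share to the venue, one to the authority.
        Note that nothing is retained by the user's device: the user holds no key."""
        record_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        plaintext = json.dumps(user_data).encode()
        ciphertext = _xor(plaintext, _keystream(record_key, nonce, len(plaintext)))
        tag = hmac.new(record_key, nonce + ciphertext, hashlib.sha256).digest()
        record_id = secrets.token_hex(8)
        self.records[record_id] = (nonce, ciphertext, tag)
        venue_share, authority_share = split_key(record_key)
        return record_id, venue_share, authority_share

    def disclose(self, record_id, venue_share, authority_share, requester, purpose):
        """Decrypt a record for whoever presents both shares; the user is not consulted."""
        nonce, ciphertext, tag = self.records[record_id]
        record_key = combine_shares(venue_share, authority_share)
        expected = hmac.new(record_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("key shares do not reconstruct the record key")
        self.access_log.append(
            {"record": record_id, "requester": requester, "purpose": purpose})
        plaintext = _xor(ciphertext, _keystream(record_key, nonce, len(ciphertext)))
        return json.loads(plaintext)


def audit(server: OperatorServer, lawful_purposes) -> list:
    """Return log entries whose stated purpose is outside the permitted set.
    This is the only place the user's interests are represented: after the fact."""
    return [e for e in server.access_log if e["purpose"] not in lawful_purposes]


def demo() -> dict:
    """Walk through a check-in, a lawful disclosure, an unlawful one, and an audit."""
    server = OperatorServer()
    # Constructed sample data, not real personal information.
    record_id, venue_share, authority_share = server.check_in(
        {"name": "Sample Guest", "phone": "+49-000-0000000"})
    lawful = server.disclose(record_id, venue_share, authority_share,
                             "health authority", "contact tracing")
    # A third party holding both shares decrypts just as easily; only the log differs.
    server.disclose(record_id, venue_share, authority_share,
                    "police", "accident investigation")
    # A single share (here: venue share plus a random guess) must fail.
    try:
        server.disclose(record_id, venue_share, secrets.token_bytes(32),
                        "venue alone", "curiosity")
        single_share_rejected = False
    except PermissionError:
        single_share_rejected = True
    flagged = audit(server, lawful_purposes={"contact tracing"})
    return {"name": lawful["name"],
            "single_share_rejected": single_share_rejected,
            "flagged_requesters": [e["requester"] for e in flagged]}


if __name__ == "__main__":
    print(demo())
```

The model makes the article's point concrete: the encryption protects the data against the operator alone, not against any party that can assemble the two shares, and the user's consent is never part of the decryption path. Misuse of the kind described in Mainz is therefore only detectable after the fact, by auditing the disclosure log against the purposes the law permits.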
This did not prevent thirteen Länder from spending more than 20 million euros to use Luca-App, in addition to the public Corona-Warn application, in the fight against the spread of the virus. More than 40 million Germans have downloaded it, recalls the ZDF television channel. The contracts that bind these regions to Culture4Life all expire at the end of March.
Apps no longer needed?
The Mainz affair could weigh against an extension of these agreements. Those responsible for Culture4Life are aware of this. They assured that they had not been informed of the police’s “mistake” and deplored this conduct.
But for Bianca Kastl, this illegal access to personal data is only the last nail in the coffin of Luca-App. Not only does the service have technical faults, “it has become unnecessary,” she says.
Blame Omicron. “Such an application is only useful if health authorities play along by quickly tracing contact cases. But with the speed of spread of the Omicron variant, they simply do not have time to follow each case,” she explains. In other words, this huge bank of sensitive data is no longer really used to fight the epidemic, but it remains liable to be exploited illegally.