German authorities came under fire for their use of a COVID contact tracing tool to investigate a case.The app LUCA has been plagued by cybersecurity, data protection and even copyright infringement issues since its initial deployment in March 2021, leading to a strong joint statement against its use by hundreds of IT experts.
The instance demonstrates data protection specialists’ concerns. Politicians have cautioned that it plays into the hands of opposition organizations that vehemently oppose all pandemic curbs and express doubt about COVID vaccinations.
The incident concerns authorities in the city of Mainz. At the end of November, a man fell to his death after leaving a restaurant in the city, prompting police to open a case.
While trying to track down witnesses, police, and prosecutors managed to successfully petition local health authorities to release data from the Luca app, which logs how long people stayed at an establishment.
Authorities then reached out to 21 potential witnesses based on the data they had unlawfully acquired from the app. The case’s reports, which surfaced last week, prompted considerable outrage.
In a statement, Mainz public prosecutors said they’ve begun an investigation and are working to ensure “that the relevant data will not be exploited further.“
To date, no additional examples have been reported in which authorities were able to obtain data from the app in order to conduct investigations.
What does the app do?
The Luca app works by logging the amount of time that patrons spent at a restaurant, bar, or cultural event. Users enter their personal information into the app. They can then scan a QR code at a restaurant or event and log out when they leave.
In the event that someone tests positive for COVID-19, local health authorities can more easily identify and alert people who may have been exposed to the virus.
The use of the Luca app and others like it have relieved some of the paperwork burdens for restaurants, bars, and event organizers — who, in the early stages of the pandemic, were required to have customers write down their contact details on pieces of paper.
The app is also subject to Germany’s strict data protection laws. The only way to retrieve the data is if the local health department and the establishment both give their consent to unencrypt the personal data.
Once it is no longer encrypted, only local health departments are permitted to have access to the personal details of the patrons. Furthermore, the data can only be used in the event of chasing a potential infection chain.
What has the response been?
The app’s developers, culture4life, sharply criticized the actions of authorities in Mainz.
“We condemn the abuse of Luca data collected to protect against infections,” the company said in a statement.
Culture4life added that it receives frequent requests for its data from law enforcement — but those requests are routinely denied. Members of Germany’s ruling coalition, which comprises the Social Democrats, Greens, and Free Democrats, have also voiced concern over the case.
Konstantin von Notz, a senior member of the Greens, warned that abuse of the app could undermine public trust and hamper efforts to stem rising COVID-19 cases.
Luca is governed by Germany’s strong data protection laws, which state that information from the app cannot be accessed by non-health authorities or utilized in criminal proceedings.
Despite the fact that there was “no legal basis to do so,” the Mainz public prosecutor’s office confirmed that officers used the Luca app to issue the data inquiry.
It expressed “regret” for the occurrence and promised that such information would no longer be used by police. It said that a preliminary inquiry into the use of the Luca app had not turned up any additional instances of the software being abused.
Is this the first time?
Authorities in Germany aren’t the first to use information collected from coronavirus tracing applications in criminal investigations.
Last year, officials in Singapore admitted to using data from the country’s TraceTogether app in a homicide inquiry, despite the country’s lax privacy regulations. While using applications like Luca is largely optional in Europe, in Singapore, TraceTogether is mandatory to obtain access to many eateries and office buildings.
In response to the uproar, Singaporean officials revised the app’s privacy statement and modified legislation to make it clear that the data might be utilised in a serious criminal investigation. The government of the Southeast Asian state has agreed to discontinue using the app after the pandemic has passed.