Luca contact tracing app: CCC calls for an immediate moratorium
A dubious business model, defective software, irregularities in the awarding of contracts: EDRi member Chaos Computer Club (CCC) demands an immediate end to federal funding for the “Luca” contact tracing app.
In recent weeks, glaring flaws in the specification, implementation and proper licensing of the Luca app have been uncovered. The unending series of security problems and the vendor’s heavy-handed responses are evidence of a fundamental lack of competence and care.
Still, more and more states of Germany are wasting taxpayer money on the digital promise of salvation without proper bidding procedures. Mecklenburg-Western Pomerania even wants to make installation of the app a prerequisite for participating in public life.
The CCC calls for an immediate moratorium, a review of the award practices by the German Federal Audit Office and an immediate end to the app coercion. For handling highly sensitive health and movement data, the state-subsidised roll-out of untested software is self-defeating.
Investor on talk show tour
A marketing campaign by a rapper who likes to forget to mention that he holds a 22% stake in the company made it possible: despite glaring deficiencies, various German states have so far invested more than 20 million euros of taxpayers’ money for licenses to use the Luca app. Yet the app does not meet a single one of the CCC’s requirements for the evaluation of “Contact Tracing” apps.
State-subsidised business model
Although taxpayer money is used generously, the data, app and infrastructure naturally remain in the hands of private-sector operators. Yet the expensive licenses are only valid for one year – enough time to make the Luca app the de facto standard for admission systems. Mecklenburg-Vorpommern has already officially made use of the app mandatory as part of its infection control ordinance.
The owners already have unabashed plans to further commercialise presence tracking: In addition to connecting to ticketing systems, they hope to broadly connect to different business models.
Alternatives studiously ignored
The generous waste of taxpayers’ money becomes all the more incomprehensible because the state governments are in fact competing with the decentralised, data-saving and open-source Corona-Warn-App, which is to receive comparable functionality with the next update. The federally funded Corona-Warn-App already has a broad user base, but after a successful launch it was abandoned and only reluctantly improved for several months. This neglect will now be monetised by the privately funded Luca app.
Dubious benefit
The app’s utility remains questionable and its applications limited. The link to health offices is emphasised as a special performance feature. However, public health departments have not yet attracted attention for their particularly rapid contact tracing or for their special interest in visitor lists: Regularly, these are too extensive and too imprecise to identify relevant contacts.
Flaws and vulnerabilities
A team of internationally renowned privacy and security researchers warned early on in an eighteen-page “preliminary analysis” of a wide variety of potential abuses of the centralised approach.
The Luca app’s flaws and blunders found so far are a colorful bouquet of incompetence:
- The centralised Luca system stores all data with operators, allowing real-time monitoring of all check-ins. This also applies to those check-ins that are marked as “private” in the app.
- The SMS phone verification is ineffective.
- Key fobs, purchased by the hundreds of thousands for people without smartphones, reveal the complete centrally stored location history with every scan.
- Third-party software components were used in blatant disregard of the licensing terms.
- The app does not meet minimum accessibility standards.
An extended version of this article was published in German and in English.