In 2020, most European governments decided to develop a contact tracing mobile app in a bid to slow the spread of COVID-19. While in some countries these apps sparked controversy due to lack of transparency or weak data protection safeguards, the Corona-Warn-App (CWA) developed by Germany has long been hailed as the best practice for privacy and transparency.
COVID-19 Contact Tracing Apps in the EU: Lessons From Germany, a new study published by the Civil Liberties Union For Europe, a Berlin-based human and digital rights organisation, shows how the German authorities moved away from the privacy-friendly CWA and promoted a more intrusive mobile app (Luca) to please a public concerned about the slow response to the spread of the COVID-19 virus.“The study provides evidence of how authorities compromised transparency and personal data security to save face during the pandemic. Elected officials have a duty to accurately inform the public and explain why the Luca app was a worse solution to protect personal data and to trace virus infections” said Christian Thönnes, digital rights consultant at the Civil Liberties Union For Europe and author of the new study.
"Privacy is a human right that must be defended more than ever in times of crisis, like a pandemic. Treating our right to privacy as a scapegoat to improve political perceptions and appear more competent is a dangerous path. This study provides evidence of how easily German policymakers choose a populist solution over an alternative, expert-backed solution”, said Julia Reda, former Member of the European Parliament and project coordinator at the Gesellschaft für Freiheitsrechte (GFF).
The CWA, developed by the Robert Koch Institute on behalf of the German Federal Ministry of Health, was released as an official German contact tracking app in June 2020, after an open public debate with the most influential technology and privacy experts, as well as civil society organisations.
The research just published shows that this application is problematic for several reasons.
Unsafe storage of personal data: CWA was developed to store the personal data of the app’s users in a decentralized way, as suggested by the external data security experts involved in the consultation. On the other hand, the Luca app stores users’ personal information, including sensitive data, on central data servers, which by design are more vulnerable to data breaches and mismanagement. Since its launch, the Luca app has been awash with technical problems and security breaches.
Lack of transparency: There was very little transparency around the development of the Luca application. For instance, Luca’s source code was only released after relentless pressure by the online community. The release itself was beset with problems: At first, the manufacturer used an extremely restrictive license which forbade everyone from duplicating, sharing or otherwise reproducing the code on public networks – thus making critical analysis of the code practically impossible. The app’s data protection impact assessment has not been published.
Use of public money. By April 2021, 13 of the 16 federal states had purchased licenses for the new app, for a total of more than €20 million. These purchases were not preceded by an impact assessment and it is not clear on what basis the Luca app was chosen.
Overburdening health workers. There are serious questions about the effectiveness of the Luca app. In the CWA, warnings for at-risk contacts are issued immediately after a user who tests positive sends in his or her test results, whereas in Luca, struggling and overburdened health authorities have to trigger warnings first. In addition, the data seems less useful - several health authorities have reported not having used the data very much.
Inaction by regulators. During the Spring of 2021, most federal states have explicitly changed their regulations (Infection Control Orders) to allow Luca to be used instead of manual contact data records. However, when the federal health agency, the Robert Koch Institute, released a similar, more privacy-friendly notification feature in April 2021, local regulators neglected to create legal bases for check-ins via the CWA.
To stay in the loop about Liberties' work on COVID-19 contact tracing apps and other privacy related issues, subscribe to our newsletter.