Digital solutions, such as contact tracing apps, can help manage the pandemic and offer citizens a return to normal life. Across Europe, governments have invested millions of euros in contact tracing apps, with varying degrees of success, according to our research. This is also the case in Germany, with its Corona Warning app. However, since initially this app did not provide cluster detection or event registration functionality, the Luca app was developed. What is the Luca app? How does it work and what are the concerns when using it? This article aims to answer these and other questions.

What is the Luca app? Who developed it and why?

The Luca app was developed in 2020 to help break potential COVID19 infection chains through contact data management and contact tracing. In the spring of 2021, when stores, restaurants and event venues nationwide were asked to collect their guests' contact data, it seemed to offer owners a good, efficient and more privacy-friendly alternative to the pen-and-paper contact tracing that had been used until then.

The developers of the Luca app used this to convince many policymakers. By September 2021, 13 German states, namely Baden-Württemberg, Bavaria, Berlin, Brandenburg, Bremen, Hamburg, Hesse, Mecklenburg-Western Pomerania, Lower Saxony, Rhineland-Palatinate, Saarland, Saxony-Anhalt and Schleswig-Holstein, had acquired their Luca licenses in return for contributions totaling more than 21 million euros. In the course of spring 2021, most of these federal states had made all legal adjustments in infection control to be able to replace manual contact data entry with Luca.

Two companies are behind the project: neXenio GmbH developed the Luca app, and culture4life GmbH is responsible for marketing it. Smudo, a member of the hip-hop group "Die Fantastischen Vier," provided the media attention. According to the Luca team, more than 40 million citizens have registered to date and it has been used for a total of more than 330 million check-ins.

Contact tracing during the Corona crisis: how does the Luca app work?

To use the Luca app, Luca users must register with their name and contact details. When entering a restaurant or venue, users need to scan a QR code generated by the organizer via the app. Guest data is encrypted at check-in and stored on the Luca system's central servers.

The contact data is encrypted twice: once on the user's smartphone using a key provided by the health authority and a second time at check-in at the event location using the key provided by the respective event organizer. This is to prevent both the Luca team and event organizers from unilaterally obtaining unencrypted data. Luca users who have tested positive for COVID can provide the health department with a list of all the places they have visited in the previous 14 days. The health department can then request the contact details of all visitors who were present at the same time from the event organizer. They can then release and decrypt the requested contact information. At this point, the contact data is still encrypted with the health department's key, so neither the organizer nor the Luca team can see the contact data in unencrypted form. Upon receipt, the health departments will eventually be able to fully decrypt the contact information.

It is up to the health authority to trigger a centralized alert to all affected users. This differs from the decentralized approach of the Corona Warning App (CWA), where affected users are warned directly upon submission of verified positive test results, without the need for intervention by a central government agency.

Did the Luca app deliver on its promise?

Health departments have reported that Luca is of little use to them. In a survey by the news website netzpolitik.org, only 3 out of 137 health departments said they use Luca on a regular basis. Reasons cited against regular use included poor data quality, irrelevance of data received, poor customer support, and general work overload. Many health departments reported that they rarely worked with contact lists provided by restaurants. As a result, most states let their contracts with Culture4Life expire.

Luca-App Problems

Since its release, the Luca app has been plagued by technical issues and security vulnerabilities. New breaches and other problems were reported almost every week. Here are just a few examples:

Deanonymization: Researchers at EPFL University in Lausanne have already pointed out security gaps in spring 2021: For example, that users do not only send encrypted contact data to Luca's server during check-in, but also other information along with it, such as the IP address. Hackers could theoretically use this data to reconstruct which person is behind the user ID and track where this person has checked in over the past two weeks. The researchers also criticized the fact that such a large amount of sensitive data is stored on a central server, which could be dangerous in the event of a hacker attack.

Lack of transparency: When the developers of the Luca app finally released the source code after intense pressure from the online community, they used an extremely restrictive license that prohibited anyone from duplicating, sharing, or otherwise reproducing the code on public networks. In doing so, they made it virtually impossible for anyone to critically analyze the code. Also, no privacy impact assessment (DSFA) has been published for the Luca app to date, which does not speak well for Luca's commitment to transparency.

Unsatisfactory key management: In March 2021, the German Data Protection Conference (DSK) voiced criticism over the Luca system's encryption concept, in particular the fact that all health offices held the same keys for decrypting contact data. This posed the risk that "a significant amount of the data that is managed centralized by the system could be accessed without authorization by spying on or misusing these keys. Similarly, it is difficult for event organizers to verify that a request for decryption is legitimate, so they could be tricked into decrypting data without a legitimate request. A successful attack on culture4life GmbH's systems could therefore put the security of the overall system at risk." DSK therefore asked the Luca team to examine whether the functionalities of their app could be implemented in a decentralized system.

Movement profiling using physical key rings: The Luca team offers physical keyrings that have QR codes printed on them. This is intended to allow people without smartphones to be included in Luca's digital contact tracing. However, a group of IT experts pointed out how unauthorized people could use these physical key rings to reconstruct movement profiles for individual users. Since, unlike Luca's digital QR codes, the physical QR codes remain the same, a photo of them is enough to track all check-ins over the last 30 days. Code injection via CSV files: In May 2021, a vulnerability was exposed that allowed hackers to inject malware into health IT systems. The Luca team had failed to disable the use of special characters in their name registration forms. This allowed users to program codes into CSV files. By opening these CSV files with Microsoft Excel, health departments could have contact information deleted or extracted from the health department's system, or ransomware could be installed. The German Federal Office for Information Security (BSI) confirmed this vulnerability in a public statement and held the Luca team responsible.

These and numerous other security problems prompted many experts to speak out: more than 70 leading German IT security researchers published an open letter sharply criticizing Luca and urgently warning against its acquisition and use. In the letter, they wrote that Luca did not fulfill any of the four main principles of responsible contact tracing apps: purpose limitation, transparency, voluntariness and risk assessment. The Chaos Computer Club (CCC) called for a "federal emergency brake" („Bundesnotbremse“) on Luca.

What does the future hold for the Luca app?

Since then, the health authorities have discontinued contact tracing, making the Luca app obsolete. In response, the Luca team has now decided to add two new features to the app. In the new version of the app users will be able to save their ID card to their smartphone, and when entering a restaurant or venue, they will be able to show it at the same time as their proof of vaccination, which should serve to reduce the waiting time at check-in. Also, you will soon be able to pay with the Luca app in restaurants, cafes and bars.

Photocredits:

Clay Banks/Unsplash.com
Ashkan Forouzani/Unsplash.com
Ashkan Forouzani/Unsplash.com
Mufid Majnun/Unsplash.com