As of April 2021, 13 of the 16 German states have officially launched the Luca app, spending a total of roughly 21 million euros on it. It has been under criticism since day one of its release. Privacy advocates and cybersecurity experts keep finding vulnerabilities and security holes in the app, which is supposed to be used for contact tracking and promises responsible and secure data transmission. According to recent media reports, it has so far barely lived up to its task. CISPA faculty Ben Stock, Christian Rossow, and Cas Cremers explain why Luca is problematic from the perspective of cybersecurity experts.
You spoke out against the Luca app in a statement already months ago. What were you trying to accomplish with that?
Ben Stock: The opinion of the signatories is quite clear: there should not be a de facto compulsion for an app that does not fulfill the principles we have mentioned. In Germany, with the CWA, we have an app that already has 33 million downloads, was developed with a focus on privacy-by-design under explicit mandate from the state, and also implemented a check-in function in mid-May. However, many state regulations currently do not allow the CWA to replace paper lists because contact information must be collected by operators/organizers. Here, it should be checked whether this personal data is necessary at all. Thereby, if the RKI as operator of the CWA clarifies that there are problems or disadvantages in the CWA, solutions can be found. In the case of Luca, on the other hand, it seems as if there were a solution before the problem had been specified. Personally, I hope that our letter will stimulate a discussion about the real added value of the contact data for the containment of the pandemic, and that a workable and data-sparing solution can be deployed.
Christian Rossow: It is a concern to me to point out the problems with the basic Luca design, and thus to elicit openness and more support for better alternatives. My core message: the Luca app can be replaced immediately and without loss.
What are specific criticisms of the Luca app and how big are the alleged security gaps really?
Ben Stock: The security vulnerabilities found so far allowed, for example, someone who had once seen one of the key fobs to query the owner's complete visiting log. But the problem lies primarily in the design itself: the centralized data storage. This is exacerbated by the fact that the Luca app requests the key material, which is used for "double encryption," from the Luca server. The authenticity of the keys is not certified by an independent body. This is a bit like not having your ID card issued by the citizens' registration office in a forgery-proof way, but simply confirming yourself that you are who you say you are. This only works as long as Luca's servers are not attacked, in which case an attacker could decide which keys are issued. In case of doubt, this means that the "double encryption" happens with two attacker-controlled keys so that the attacker can see all data in plain text. If Luca is then used for political or religious events, this is highly critical. In contrast, relatively little can happen if the CWA servers are attacked since they never process personal data - neither encrypted nor in plain text.
Luca has been introduced officially and for a lot of money in most federal states. So it seems to strike a chord and do something that the Corona warning app, for example, cannot. Can it?
Christian Rossow: In my eyes, there are two reasons for the broad introduction of the Luca app. First, Luca was faster to provide a check-in feature. The decision for Luca was pending when the CWA did not yet offer this feature, nor was it on the horizon. At the same time, due to regional openings, policymakers were under immense pressure to find a solution to track contacts at events in a more systematized way than by paper. With the updates to the CWA, this head start has become obsolete. Secondly, Luca complies with the requirement in quite a few federal states for event organizers to record personal data. There is an urgent need for legislation here to also allow anonymous contact tracking as with the CWA, as both serve the purpose of notification in the event of potential contact.
Ben Stock: It should also be said that this is primarily a state policy decision. For example, Saxony has already decided that the CWA is sufficient for tracing, so no personal data needs to be collected. And there are already reports about how rarely personal data from restaurants was needed at all. So, in general, the need to collect the data has to be questioned, firstly.
So is the Corona warning app the better app, and do we even need the Luca app then?
Christian Rossow: The CWA not only offers advantages in data protection, but its benefits are also significantly higher. First, in addition to check-ins, other contacts that take place outside of the events set up for contact tracking are also recorded. So the overall protection is much greater, especially if the check-in function encourages even more citizens to install the CWA. Second, the CWA immensely reduces public health departments' workload by providing fully automated notification to users in the event of risk. Third, unlike Luca, the CWA does not allow masses of unverified and thus easily falsifiable personal data, such as fictitious contact data or data from uninvolved parties, to be entered into the system.
Many were looking forward to more freedom with the Luca app. Why are you being spoilsports now?
Christian Rossow: We are not interested in taking away freedoms or preventing their reintroduction. We also consider it worthwhile to track contacts at events. However, there are privacy-friendly and more effective solutions than Luca for this very purpose.
Ben Stock: I agree wholeheartedly with Christian here - digital tracing is a crucial tool in the containment of the pandemic, especially with everything opened. But if health departments are not getting caught up with notifying because everything is happening manually, incidences will go up, and everything will shut down again. So the CWA is a significantly faster and better solution.
In the open letter, you complain that the Luca operators lack transparency. What exactly is meant by this and why is openness so important in the development process?
Ben Stock: Candor and transparency create trust, which is absolutely necessary for the acceptance of systems that deeply interfere with citizens' privacy. Open and transparent development makes the technology accessible to independent experts right from the start, which helps to avoid conceptual weaknesses and technical errors. Errors in IT systems are always more difficult to iron out during ongoing operation. However, with fundamental conceptual weaknesses, it is impossible. The dangers of this have been demonstrated repeatedly, for example, with the Luca tracking gap or the CSV injection in the data export that became known at the end of May.
Christian Rossow: Transparency is essential for the design and development of such comprehensive IT systems in order to assess possible risks and thus maintain trust in the technology. Unfortunately, Luca did not disclose the source code and basic design principles until very late, i.e., well after the launch, rather than at the conception stage. There is indeed much more transparency now than there was months ago. However, fundamental changes to the general concept are no longer possible. So while the current level of transparency helps to highlight conceptual weaknesses, these can no longer really be fixed. In this respect, other contact tracking technologies have been developed much more transparently by gathering feedback from the broader community and academia very early on during their conceptualization.
Many individual rights were restricted during the months of the lockdown, and some are still being restricted today. Why are you highlighting data protection as such an important good? Shouldn't the balance be in favor of a better quality of life?
Christian Rossow: Data protection and other freedoms are not in competition with each other. The fact is that no restriction of data privacy is necessary to achieve the goal of contact tracking. If contact tracking systems do emerge that are questionable from a data protection perspective, criticism is in order. However, this criticism is in no way directed against the fundamental idea of digital contact tracking - quite the opposite. We only criticize implementations of contact tracking that are noteworthy from a data protection perspective.
Ben Stock: The Luca app seemed to be a step back into normality. However, it turns out that the flood of data cannot be used at all, so the collection does not add any value. Regardless of the implications for data privacy, we need solutions that help in a targeted way instead of adding more burden to already overburdened health authorities.
Is there any argument supporting a centralized solution? Or is the decentralized solution always the better one?
Cas Cremers: It depends on what the goal is; one cannot make a general statement. Currently it does not seem to be the case that the healthcare authorities actually need lists with names. However, if lists with names are really desired by the healthcare authorities, then this can be done in a more privacy-respecting manner than Luca is currently doing.
In your letter, you criticize the fact that the Luca app is not purpose-bound. Ideally, it should even be technically impossible to use it for profit, it says. Why do you think this is important?
Ben Stock: This also refers to the original letter from 2020, in which hundreds of international experts called for earmarking. Luca has already explained in internal marketing materials that ticketing is an interesting topic for them - even if Patrick Hennig refutes this. So at the end of the day, in case of doubt, we have an app whose development and deployment is financed through taxpayer funds, which is heavily promoted by the deploying states, and from which the operator can still make additional profit in the end. This contradicts the principle that an app for pandemic control should be used exclusively for this purpose.