German Police Caught Using COVID-Tracing Data To Search For Crime Witnesses
from the law-enforcement-means-applying-enforcement-in-one-direction-only dept
Multiple governments have been relying on contact-tracing apps to limit the spread of COVID. This has gone on nearly uninterrupted for the last couple of years in more than a few countries. Given the type of data collected -- contact information and location data -- it was only a matter of time before some government decided to abuse this new information source for reasons unrelated to tracking COVID infections.
I guess the only surprise is that it took this long to be abused.
Authorities in Germany faced increasing criticism on Tuesday over their misuse of a COVID contact tracing app to investigate a case.
[...]
The incident concerns authorities in the city of Mainz. At the end of November, a man fell to his death after leaving a restaurant in the city, prompting police to open a case.
While trying to track down witnesses, police and prosecutors managed to successfully petition local health authorities to release data from the Luca app, which logs how long people stayed at an establishment.
Authorities then reached out to 21 potential witnesses based on the data they had unlawfully acquired from the app.
The Luca app used in Germany collects data on visitors to public places. Users enter their contact info into the app and scan QR codes posted at restaurants, bars, and public events. When they leave the venue, Luca users sign out of the location.
This app has proven very useful in Germany, mostly because it automates the mandatory paperwork for restaurant and venue owners, who were required to gather contact information on patrons and log the time they spent in their businesses. The Luca app does this automatically and encrypts the info, protecting it from the prying eyes of malicious outsiders.
Both the venue and the health department have to agree to decrypt the data and, once decrypted, it remains solely in the hands of the health department. It is only supposed to be used to track potential infections, hence the backlash against police and prosecutors in Mainz.
Following the backlash, prosecutors are now promising to never do this again. But that pledge only applies to these law enforcement officials. According to Luca's developers, lots of cops are asking for this data.
The app's developers, culture4life, sharply criticized the actions of authorities in Mainz.
"We condemn the abuse of Luca data collected to protect against infections," the company said in a statement.
Culture4life added that it receives frequent requests for its data from law enforcement — but those requests are routinely denied.
This may be Germany's first scandal related to misuse of COVID-tracking data. Hopefully, the public response to this news will help it to be its last. But if the rules that have been in place since the app went into use aren't sufficient to deter law enforcement from seeking data it's clearly illegal for it to obtain, it's unlikely a little bad press targeting another agency will have much of an effect on investigators who think they've found a better way to round up suspects or witnesses.
Filed Under: contact tracing, covid tracking, germany, luca, surveillance
Reader Comments
Not the first time this has happened
[ link to this | view in chronology ]
Re: Not the first time this has happened
Yeah, so what's going on here? Why are they using the COVID data? Do German phone companies actually protect the privacy of their subscribers, unlike these app makers (despite their "sharp criticism")?
[ link to this | view in chronology ]
Abuse
That we know of.
[ link to this | view in chronology ]
Re: Abuse
Yes, I think it's much more likely that this is merely the first time the abuse is public information.
[ link to this | view in chronology ]
What? Haven't they heard of geo-fenced reverse-location warrants?
[ link to this | view in chronology ]
What? They couldn't afford Pegasus?
[ link to this | view in chronology ]
Lucy yanks the football away, Charlie Brown falls & is shocked, just shocked she pulled it away.
Any tool they have access to will be used however they can.
Even in the face of rules & laws saying don't do this, they will do just that because it's a shortcut & courts keep finding ways to let shortcuts stand.
I can't even muster a shocked face after finding out they misused it.
[ link to this | view in chronology ]
Thanks, German police, real big help in refuting the paranoid people who already think that basic health and safety measures are a government plot to track everyone for nefarious reasons, I'm sure your actions here will in no way have long-term consequences that make the public less safe.
[ link to this | view in chronology ]
Re:
Since when did the police start caring about safety aside from their own?
[ link to this | view in chronology ]
Western Australia
A similar thing happened in Western Australia:
[ link to this | view in chronology ]
Re: Western Australia
The difference being that this isn't a government app here but one made by a private enterprise. And the official government app is provably privacy conscious (open source on GitHub).
[ link to this | view in chronology ]
Correction
I cannot let this stand.
The app is very controversial here in Germany. It has proven useful in only a tiny fraction of cases (a few hundred out of hundreds of thousands). Also, the app's developers have repeatedly denied security flaws that exist(ed) in the app, only later to claim it's the first they've heard of it when exploits were demonstrated by security researchers (try #lucafail on Twitter).
The app was introduced in a very dubious fashion, too. Politicians jumped on the bandwagon and paid millions in license fees (for one year) often because of the persistent lobbying by a certain well-known German hip hop artist. Now that the app has proven essentially ineffective, many German states terminate their contracts.
Another critical thing was the planned commercial exploitation of the user base that Luca accumulated. Developer-internal documents show that the planned commercialisation included, among others, ticket sales and entry to concert venues, which explains why said hip hop artist was so keen to invest in and lobby for them.
Lastly, there's a much better app for doing what Luca was supposed to do and that's the official Corona-Warn-App (CWA) of the German government. It can do all the same things and more. The difference is, it's open source, developed in the open (on GitHub), is privacy oriented in that it doesn't collect any personal data at all and does all tracing and alerting via the contact tracing framework that Apple and Google built (based on low-energy Bluetooth beacons).
No, it isn't. The police had used the paper contact lists that existed (and still exist) before digital check-ins became more common for investigative purposes. The rules were changed to prohibit that but it's still happening. That's the real scandal here.
[ link to this | view in chronology ]
It took this long to be abused, this long to be discovered and pray tell, how long to get it stopped? Obviously, had this been someone else, anyone else other than a 'Security Service' they would have been discovered, shut down within a day and the perpetrator arrested! Oh, how the other half lives!!
[ link to this | view in chronology ]
If these "witnesses" wanted to help, they would have come forward to the police. Don't know if it's just me but if I didn't want to become involved and the police discovered my identity, I would call it not only an invasion of my privacy but harassment.
Everyone has their reasons for not wanting to get involved. It just peeves me off to no end when anyone involved in the justice system starts using that excuse of "doing your civic duty". Courts, Judges, Police Officers, Lawyers all get paid substantial salaries for appearing in trials and yet the common citizen and juries are barely paid for interrupting their daily lives to be part of the process. Where I live, in Michigan, you're barely paid $15 daily for serving on a jury and witnesses get nothing. It's pathetic. Even retail workers get a minimum per hour pay of $12-$15 per hour and juries can last multiple days, several hours each day, and can go on for weeks.
The courts just do not fairly compensate juries or witnesses for participating in the process.
[ link to this | view in chronology ]