The story begins with a tragic – but banal – news item. On November 29, 2021, in Mainz, Germany, in a bar in the old town, a man fell from the first floor and was killed.
To determine the circumstances of the accident and hear as many witnesses as possible, the local police approached the health services and obtained the personal data of all the customers who were present that evening and who had activated the Luca app on their smartphone, which allows contact tracing in the event of Covid-19 contamination. The police therefore had their names, telephone numbers, addresses … For the purposes of the investigation, the investigators contacted 21 people in total.
Except that this is illegal: nowhere does it say that the police are authorized to search this data. Under German health law, the use of this information is even explicitly limited to tracing contact cases; it cannot be used for criminal prosecution.
The text was written precisely to avoid this kind of abuse: “The present case is serious because the legal ban on using contact tracing data for law enforcement purposes is clearly and unequivocally enshrined in the Infection Act,” said Stefan Brink, Baden-Württemberg data protection commissioner, on Tuesday 11 January in the business daily Handelsblatt.
Mainz police used data from the Luca app without legal basis https://t.co/iNvyuLxa1F
– yves plagnat (@YvesPlagnat) January 12, 2022
The application in question, Luca-App, developed by a start-up and downloaded by more than 40 million people, can both geolocate and identify its users, which is not the case, for example, with TousAntiCovid in France.
In a country that has historically been one of the most protective in Europe of the right to privacy, this case has created controversy. Several politicians have asked Germans to deactivate Luca-App. What makes matters even worse is that the original incident, admittedly tragic, was a simple accident. It wasn’t about tracking down a murderer. At a time when citizens demand guarantees on how authorities handle their personal data, this was the worst possible signal.
The Mainz public prosecutor’s office has apologized, and the data protection commissioner of the Land concerned, Rhineland-Palatinate, has requested an investigation: it is not yet known whether this is an isolated case or whether the police have taken the same liberties in other situations. The German company Culture4life, which operates this application, condemned “this misuse of Luca’s data collected for the protection against infections”. According to the company, requests of this type are regular but have never been acted upon.
The app is still in use, but the contracts it signed with the 13 Länder are now under threat. The regions nevertheless spent twenty million euros in total to put it into operation. The licenses expire at the end of March or the end of April, and it is not known whether all of them will be renewed. Especially since another, public, application exists in Germany, Corona-Warn, which better protects personal data.
One of the problems is that Luca-App’s data is indeed encrypted, but it is stored on the app’s own servers. The health authorities and the owner of the establishment concerned then have to use their decryption key to make it readable, and users are not notified. For its detractors, this is one scandal too many.
In #Germany, the #police unlawfully used the personal data of the application #Luca intended to track the #Covid_19, for an investigation. A worrying misuse of a supposedly health tool. https://t.co/yLx4XrZ9B5
– Stockings The Masks (@BLMasquesOff) January 12, 2022
All the more so since, with the Omicron variant, this type of application has become unnecessary: the chain of contamination is too fast, and the health authorities no longer have the time to follow each contact case. What remains is a huge database that no longer serves any purpose, but that can still be exploited illegally.