Update: The app is a secondary one popularly used for electronic check-ins at venues, distinct from the government app which uses the Apple/Google API.
German police have misused data from a COVID-19 contact tracing app by apparently faking an infection at a restaurant in order to obtain details of potential witnesses.
The joint Apple/Google API used by the government app can’t be abused in this way, as it doesn’t track locations, but a separate app for QR code check-ins was misused …
The Washington Post reports.
Apple and Google created the contact tracing API with eight privacy safeguards to prevent this kind of abuse. Among them, the API doesn’t know where you have been, and no data goes to the government without your permission.
Authorities in Germany are under fire for tracking down witnesses to a potential crime by using data from a mobile phone app that was intended to help identify close contacts of people infected with the coronavirus.
Police in the city of Mainz, near Frankfurt, successfully petitioned local health authorities to release data from an app called Luca when a man fell to his death after leaving a restaurant in November. They said they were seeking witnesses who had dined at the restaurant around the same time and reportedly found 21 people from the app data.
However, some countries have included a separate venue check-in feature that doesn’t use the API, while others have a separate app for this. When you visit, say, a restaurant, you can use the app to scan a QR code to record that you were there on that date and at that time. That data remains unused unless someone who was at the venue at the same time later tests positive, in which case your details can be made available to contact tracers.
What appears to have happened here is that the police got somebody at the restaurant (likely a manager or other staff member) to falsely report a positive test result. This then triggered the release of contact details for those present at the time.
WP reports that the police action appears to be illegal.
As the piece notes, uptake of contact tracing apps has been much lower than hoped, largely due to privacy fears, so this type of abuse can do an enormous amount of harm.
Luca is subject to Germany’s strict data-protection regulations and, by law, information from the app cannot be accessed by non-health authorities and used in criminal prosecutions.