Tracking corona infections: German Luca app in a downfall

Five Länder no longer renew their contracts with culture4life, the company’s new business model could also run into turbulence

So far, 13 German federal states have used the Luca app to warn of Corona infections, but at least five governments want to do without it in the future. Most recently, Berlin announced that it would no longer extend its contract with the manufacturer culture4life GmbH. Previously, Schleswig-Holstein, Mecklenburg-Western Pomerania and Bremen dropped out. According to Rundfunk Berlin-Brandenburg, Brandenburg is also planning to end its use.

The Luca app is used in restaurants, cafés, shops, but also public institutions. Hosts and organisers can create a QR code that visitors can then scan with the app and leave their personal data. Conversely, it is possible for the host to read a QR code stored on the mobile phone at the entrance control. The service also works without an app via an internet browser.

Meanwhile, culture4life is relying on a new business model. A fortnight ago, the company announced that it wanted to position itself even more „as a digitalisation partner for the gastronomy and culture industry“. Menus can already be downloaded via the app after the user has booked into a restaurant. In the future, this could also include booking tickets. Apparently, the company also wants to integrate vaccination and test certificates as well as identification documents into the app. This would make showing multiple documents at an admission check obsolete.

According to its creators, the Luca app is installed on 40 million phones. This distribution was only possible with public funds, which were, however, allocated for a limited purpose. If this purpose is subsequently expanded, it is a questionable competitive advantage that could even end up in the courts.

In at least one case, a public authority has also used the personal data of the Luca app for a purpose other than the intended one. For example, the police in Mainz were looking for witnesses after a fatal tumble of a person and used Luca data from a pub to query the health authorities. There, the data is actually encrypted and can only be made readable with the consent of the host. This is only allowed for the purpose of tracing contacts after an infection. The police persuaded the office to fake such a case to the owner of the pub, so she agreed to the release of the data. Subsequently, the public prosecutor’s office in Mainz admitted that there was „no sufficient legal basis“ for the query it allowed.

According to a report of the public broadcaster ZDF, however, the frequently used paper contact lists in restaurants and shops were also queried for criminal prosecution in more than 100 cases, including investigations of suspected theft, sexual abuse of children and attempted homicide. At least 500 people were affected by this, according to various prosecutors‘ offices, but this number could be much higher, according to the ZDF. In addition, there are cases in which the police collected the data without the knowledge of the public prosecutor’s office.

Since 19 November 2020 at the latest, the use of the lists of persons „for purposes other than contact tracing“ has been prohibited under the Infection Protection Act. However, some public prosecutors‘ offices consider the query permissible, for example in the case of capital crimes, ZDF reports. The state data protection commissioners, however, see it differently. The Bavarian data protection commissioner, Thomas Petri, therefore recommends the use of the state funded Corona warning app, which, due to its decentralised approach, does not allow unauthorised data retrieval. However, the app is only legally permitted for contact recording in a few federal states.

Image: PantheraLeo1359531, Freiheitshalle Hof Luca-App 20210812 HOF03250, CC BY 4.0.

Autor: Matthias Monroy

Knowledge worker, activist, editor of the German civil rights journal Bürgerrechte & Polizei/CILIP.