Ruhr-Uni-Bochum
HGI

Copyright: HGI, stock.adobe.com: chinnarach

Open Letter: Joint Statement on Digital Contact Tracing

In connection with the luca app, leading scientists from the fields of IT security and privacy have published a joint statement. Among them are numerous HGI members.

Copyright: HGI/CASA, Marquard

Joint statement on digital contact tracing
Digital tools, such as contact tracing apps, can make a supportive contribution to the management of a pandemic. To develop their full potential, such tools must be embedded in an overall strategy in a targeted manner and enjoy the trust of the population. If their introduction also creates new risks for citizens and social groups, their benefits must be weighed against these risks.

A year ago, more than 600 international scientists issued an open letter calling on their governments to develop and deploy digital contact tracing technologies in a responsible and targeted manner. The letter called for adherence to basic development principles, most of which have been implemented in an exemplary manner in Germany with the Corona warning app:

  • Purpose limitation: The sole objective must be pandemic control. Linkage with other business models, application possibilities and profit interests must be ruled out, ideally technically impossible.
  • Openness and transparency: Experts, IT security and data protection specialists must be given the opportunity at an early stage to participate constructively in the development process or to review it independently.
  • Voluntariness: The use of certain tools for digital contact tracking must be voluntary. Citizens who do not wish to use the tool must not be excluded from social activities, access to public buildings, stores, etc.
  • Risk assessment: It must be possible to independently and publicly assess the benefits and risks of such a solution in advance. This is especially true if the effect of the technical solution is based to a large extent on the trust of citizens.

The currently much-discussed approach of including digital tools for contact tracing in public spaces and for events seems to make sense. Used correctly, they could break infection chains more quickly and relieve the burden on public health departments.
Concrete functional requirements for such digital contact tracing have not yet been communicated transparently and clearly by the responsible authorities. But this is the only way to develop effective solutions that can make a meaningful contribution to containing the pandemic while collecting personal data only to the extent necessary.

LUCA
The LUCA system already in use in many German states does not fulfill any of these principles. There is no technical earmarking, but other business models based on LUCA have already been discussed [1]. This creates a dependency on a single private company with a profit motive as the operator of the system. A non-transparently developed system was put into operation and even easy-to-find security vulnerabilities could only be discovered during operation. If the app becomes a prerequisite to participate in public life or is even mandated by corona protection ordinances [2], voluntariness is not given, as a de facto compulsion to use arises.

The usefulness of the LUCA system remains doubtful, as the current implementation is essentially limited to automating the manual collection of paper lists, but evaluation continues to be done manually by health departments. In addition, because LUCA can easily generate false or even manipulated registrations and check-ins in large numbers, there is a risk that the burden on health departments will increase as data quality decreases [3].

At the same time, the LUCA system captures movement and contact data on a large scale: who was where, with whom in the same place, and for how long. The data is centralized and retained by a private company. The much advertised double encryption of contact data does not deliver the promised security, since movement profiles of users can be created solely on the basis of the metadata generated. Such comprehensive data collection in a central location harbors massive potential for misuse and the risk of serious data leaks [4].

Individual systems that act as central data repositories are attractive targets that can hardly be protected against attacks. Even large companies are not able to fully secure such systems. It is not to be expected that a start-up, which has already attracted attention due to numerous conceptual security gaps, data leaks and a lack of understanding of fundamental security principles [5], should be able to do this any better.

Conclusion
Broad public support is essential for the success of digital contact tracking tools. This is especially true when they deeply intrude into the privacy of citizens and comprehensively collect confidential data. The trust required for this can only be created through transparency and privacy-by-design, for example through genuine decentralization. Security and data protection are elementary prerequisites for the acceptance and thus the hoped-for benefits of such a system.

There are already systems that reduce the risks for citizens to a minimum while guaranteeing faster notification. These are decentralized solutions such as those implemented and already in use in the Corona warning app, NotifyMe (Switzerland), NHS COVID-19 (UK), and NZ COVID Tracer (New Zealand). The risks associated with the LUCA system appear to be completely disproportionate as they significantly outweigh the expected benefits.

We strongly recommend returning to the above principles and applying them to the development of digital contact tracing tools. In particular, we believe there should be no de facto compulsion to use a solution that blatantly violates these principles.


If there are concrete requirements that are not yet achieved by existing decentralized systems, then these must be clearly formulated so that appropriate extensions can be developed in a targeted manner. Even in a decentralized and data-saving system, necessary information for pandemic control can be collected and made available to the health authorities.

TO THE JOINT STATEMENT AND THE LIST OF SIGNATORIES

References
[1] As early as March 25, 2021, Ticket i/O and the developers of the LUCA system announced their collaboration. So far, it is about the verification of rapid tests. However, internal documents indicate that the cooperation will be expanded.
[2] From the Corona Ordinance of the State of Mecklenburg-Western Pomerania: "The mandatory documentation for contact tracking shall be carried out in electronic form in a uniform manner throughout the state by means of the LUCA app."
[3] That check-in is possible from any location has already been demonstrated in practice.
[4] A detailed analysis of the risks of the LUCA system was already published as a preprint on March 23, 2021. This was also referred to in a statement by the BfDI.
5] A comprehensive overview of the deficiencies identified in the basic system design and in the implementation is provided in a statement by the CCC.