German police have misused COVID-19 contact tracing app data by apparently faking an infection at a restaurant in order to obtain details of potential witnesses.
The joint Apple/Google API can’t be abused in this way, as it doesn’t track locations, but a separate QR code check-in feature was misused …
The Washington Post reports.
Authorities in Germany are under fire for tracking down witnesses to a potential crime by using data from a mobile phone app that was intended to help identify close contacts of people infected with the coronavirus.
Police in the city of Mainz, near Frankfurt, successfully petitioned local health authorities to release data from an app called Luca when a man fell to his death after leaving a restaurant in November. They said they were seeking witnesses who had dined at the restaurant around the same time and reportedly found 21 people from the app data.
Apple and Google designed their joint Exposure Notification API with eight privacy safeguards to prevent exactly this kind of abuse. Among them: the API works from rotating Bluetooth proximity tokens rather than location, so it never knows where you have been, and no data leaves your phone for a government health authority without your explicit permission.
However, some countries have added a separate venue check-in feature that doesn’t use the API at all. When you visit, say, a restaurant, you scan a QR code with the app to record that you were at that venue on that date and at that time. That record sits unused unless someone who was at the venue at the same time later tests positive, in which case your contact details can be made available to contact tracers.
What appears to have happened here is that the police got somebody at the restaurant (likely a manager or other staff member) to falsely report a positive test result. Because the release of check-in data hinges on that single report, the false positive was enough to trigger the release of contact details for everyone recorded as present at the time.
WP reports that the police action appears to be illegal.
Luca is subject to Germany’s strict data-protection regulations and, by law, information from the app cannot be accessed by non-health authorities and used in criminal prosecutions.
As the piece notes, uptake of contact tracing apps has been much lower than hoped, largely due to privacy fears, so this type of abuse can do an enormous amount of harm: every confirmed misuse gives people one more reason not to check in at all.