Dubious business model, defective software, irregularities in the awarding of contracts: the Chaos Computer Club (CCC) demands an immediate end to the states' public funding of Smudo's million-dollar tax grab, the "Luca app".
In recent weeks, glaring flaws in the specification, implementation and proper licensing of the Luca app have been uncovered. The unending series of security problems and the vendor's heavy-handed responses are evidence of a fundamental lack of competence and care.
Still, more and more states are wasting taxpayer money on this digital promise of salvation without proper tendering procedures. Mecklenburg-Western Pomerania even wants to make installation of the app a prerequisite for participating in public life.
The CCC calls for an immediate moratorium, a review of the award practices by the Federal Audit Office and an immediate end to the compulsory use of the app. For handling highly sensitive health and movement data, the state-subsidized roll-out of untested software is self-defeating.
Investor Smudo's talk show tour
A marketing campaign by rapper Smudo that lasted several months made it possible: despite glaring deficiencies, various German states have so far spent more than 20 million euros of taxpayers' money on licenses to use the Luca app. Yet the app does not meet a single one of the CCC's ten touchstones for assessing "contact tracing" apps.
State-subsidized business model
Although taxpayer money is spent generously, the data, app and infrastructure naturally remain in the hands of the private-sector operators. Yet the expensive licenses are only valid for one year: enough time to make the Luca app the de facto standard for admission systems. Mecklenburg-Western Pomerania has already officially made use of the app mandatory as part of its infection control ordinance.
For the time after public funding ends, the owners already have unabashed plans to further commercialize presence tracking: in addition to connecting to ticketing systems, they hope to hook into a broad range of other business models. With entrepreneurial foresight, the "luca" brand was registered for, among other things, "access control, visitor management, printed tickets, and ticket reservation for events, especially cultural and sporting events, political events, events for educational and training purposes, and scientific meetings".
Doubtful awarding practices
The state of Bavaria alone spent 5.5 million euros on a one-year license. Other states such as Baden-Württemberg (3.7 million euros), Lower Saxony (3.0 million euros) and Berlin (1.2 million euros) acquired their licenses by circumventing tendering requirements. The governing mayor of Berlin, Müller, even boasts of having purchased the license without a technical inspection. He had not even spoken to Smudo, and thus probably unwittingly revealed the main reason for his eagerness to buy. Shortly after the impulse purchase, the Berlin data protection commissioner warned of "considerable risks" with the Luca app.
Alternatives studiously ignored
However, Luca is not without alternatives: more than thirty competitors have been lobbying unsuccessfully for weeks in the alliance "Wir für Digitalisierung" against the advertising power of Stuttgart-based rapper Smudo. "The Luca app has no shortage of competing products that are just as bad," noted Linus Neumann, spokesperson for the Chaos Computer Club.
The generous waste of taxpayers' money becomes all the more incomprehensible because the state governments are thereby competing with the decentralized, data-minimising and open-source Corona-Warn-App, which is to receive comparable functionality with its next update. The federally funded Corona-Warn-App already has a broad user base, but after a successful launch it was neglected and only reluctantly improved for several months. This neglect is now to be monetized by the privately funded Luca app.
The app's utility remains questionable and its applications limited. Examples at the 20-hectare Osnabrück Zoo and various IKEA stores have amused the web for days: a meaningful contribution to pandemic control cannot be constructed, even with a great deal of creativity.
The link to public health offices is emphasized as a special performance feature. However, public health departments have so far not attracted attention for particularly rapid contact tracing or for any special interest in visitor lists: as a rule, these lists are too extensive and too imprecise to identify relevant contacts.
"Vaccination and effective disease control measures are the only meaningful way to stop the pandemic. I wouldn't be surprised if Luca's digital promise of salvation soon becomes the scapegoat for the ongoing failure of federal and state governments," Neumann speculated.
Operators encroach on central database
A team of internationally renowned privacy and security researchers warned early on, in an eighteen-page "preliminary analysis", of a wide variety of potential abuses of the centralized approach.
The centralized Luca system stores all data with the operators, allowing real-time monitoring of all check-ins. This also applies to those check-ins that are marked as "private" in the app. The operators are also not afraid to actively intervene in these meetings, for example by deleting them.
Craftsmanship flaws and vulnerabilities
The Luca app's flaws and embarrassments found so far are a colorful bouquet of incompetence:
When registering, the phone number is supposed to be "validated" via SMS, and various states are paying millions of euros for these messages to be sent. However, a technically flawed implementation renders the validation ineffective. As a result, mass creation of fake accounts is as easy as checking them in at arbitrary locations. The vulnerability risks nothing less than the collapse of the entire Luca system.
The Luca key fobs, purchased by the hundreds of thousands for people without smartphones, reveal the complete centrally stored location history with every scan. "Whoever scans the QR code can not only check in under your name in the future, but also see where you've been checked in so far," Linus Neumann confirmed of the "Lucatrack" vulnerability published today by Bianca Kastl and Tobias Ravenstein. "The vulnerability is obvious and unnecessary. It demonstrates a fundamental lack of understanding of basic IT security principles. Here, once again, it was knitted with a hot needle instead of building a well-considered solution," Neumann continued.
Contrary to the promises of the security concept, the Luca backend is potentially able at any time to uniquely identify individual devices and assign all check-ins to them.
As a musician, Smudo likes to rant about the "free society" and copyright infringement. For the Luca app, however, third-party software components were used in blatant disregard of their licensing terms. An "unfortunate mistake" that simply does not happen to professional programmers.
To date, only part of the source code of the entire system is public. To what extent this part even still corresponds to the production environment is unclear.
The app does not meet minimum accessibility standards. Making its use compulsory is therefore a particularly severe form of discrimination.
CCC calls for immediate halt and full investigation
The shady award practice testifies at best to the advertising power of Smudo, who had not previously attracted attention as a programmer or privacy advocate: the investor in culture4life GmbH, which built the Luca app from scratch in no time, has managed to raise millions for an immature and unfit product within months. In the process, investor Smudo likes to forget to mention that he holds a 22% stake in the company. He is not promoting the Luca app without considerable self-interest.
"The Luca app is not the only case of COVID profiteers capitalizing on the pandemic far beyond a reasonable level," said Linus Neumann. "The German 'mask scandal' was just successfully swept under the rug. In order to stop a further loss of confidence in politics, it must now be completely clarified how the dubious award came about," Neumann continued.