We recently published a preliminary analysis of the potential harms of the LUCA tracing system. The LUCA system is a digital presence tracing system designed to provide health departments with the contact information necessary to alert individuals who have visited a location at the same time as a SARS-CoV-2-positive person. Multiple regional health departments in Germany had recently announced their plans to deploy the LUCA system for the purpose of presence tracing.
In the meantime, some German states have inacted laws that mandate venues from bars and restaurants to churches, therapists, and political party gatherings to use the LUCA system to record the presence of individuals.
Our analysis of the system’s design uncovers major concerns about its potential harms to individuals, communities, and venues.
A short summary of our findings
Information leakage by design. In its normal mode of operation, the LUCA Backend Server collects and processes a large amount of sensitive information about venues and individuals. By design, the Luca Backend Server can learn how many individuals are currently visiting a registered venue, how long they stay, and how many people who visited a venue in the past tested positive afterwards. The central server can link visits of anonymous users through network metadata which might lead to the re-identification of users based on their location visits. These inferences do not require the adversary to actively modify the system’s operational information flows or circumvent its protection mechanisms. The LUCA service operator (or any entity that compromises, coerces, or subpoenas the Luca Backend Server) can cause any of these harms without being detected.
High risk of abuse due to centralisation of trust. The Luca system centralises trust in a single powerful entity, the party operating the Luca Backend Server. If this central entity acts maliciously, or is compromised, or coerced, the server could gain full access to any individual user’s contact data and location history. The current system does not provide any technical safeguard against arbitrary access to this information in case of misbehaviour. Its security concept solely relies on procedural controls and requires full trust in the Luca service operator to follow the protocols faithfully.
Media coverage (in German)
I gave an interview to the German national news and one of the public broadcasting stations about our findings. A great article by Eva Wolfangel for Die Zeit (one of the three biggest German news outlets) covers not only our analysis but also other problematic issues around the deployment of the LUCA system.
In this long format podcast I cover a wide range of issues relating to LUCA.
Photo by Scott Webb from Pexels