The Federal Ministry of the Interior will not have the controversial Luca app for containing the corona pandemic examined comprehensively by the Federal Office for Information Security (BSI). The State of Hesse had previously asked the BSI to carry out a comprehensive source code check of the Luca application, the ministry said in response to an inquiry, thereby confirming a report by the news magazine “Der Spiegel”. “The request was not granted,” said a ministry spokesman. Hesse had requested an examination of the “overall system including all components of the underlying IT infrastructure”, “Spiegel” quotes a spokesman for the Hessian interior ministry as saying.
The Luca app aims to replace the paperwork that arises from analogue recording of visits to restaurants, exhibitions and other events. In recent weeks and months, the creators of the app have had to fix vulnerabilities that data protection advocates and activists of the Chaos Computer Club had discovered. Some privacy advocates, such as the Berlin data protection officer Maja Smoltczyk, object to the concept of storing the recorded data centrally. The manufacturers of the app point to effective protection through encryption technology. The Luca app is used in 13 federal states. Only Saxony, North Rhine-Westphalia and Thuringia do not have a contract with the Luca manufacturer.
Hesse could require examination from Luca makers
A spokesman for the Ministry of the Interior told the dpa that the Luca application was a privately owned application. “The contractual partners of the manufacturer of the Luca application are the federal states.” Ensuring IT security is usually part of the service provided by the manufacturer. “The buyer (here: the federal states) is free to request further assurances, such as a source code check, as part of its contract drafting.” For tasks such as source code checks or penetration tests, there are also specialized companies, which may also be BSI-certified. “Hesse can therefore demand this service from the manufacturer of the Luca application, who then buys it on the market. This is a tried and tested procedure that is usually also used by federal authorities.”