Corona data donation app of the RKI - CCC recognizes clear defects and gaps

The Robert Koch Institute's (RKI) Corona data donation app is designed to collect anonymized data in order to identify coronavirus hotspots. But the Chaos Computer Club (CCC) has identified clear shortcomings: data protection has not been sufficiently considered, and personal data can be read out not only by the app's provider but also by third parties. Furthermore, neither the app nor the data collection procedure behind it complies with the European General Data Protection Regulation (GDPR). A harsh verdict, then, but an important one for anyone who wants to link their fitness tracker with the app and thus with the RKI.

In the RKI's Corona data donation app, the Chaos Computer Club recognizes clear defects and security gaps. Improvements must be made both technically and organizationally.

Chaos Computer Club criticizes the RKI's corona data donation app

The RKI app is intended to help trace infection chains in order to contain the pandemic caused by the coronavirus (SARS-CoV-2). The software for iOS and Android devices was released on April 7, 2020 and can also be found in the Apple App Store for iPhone and iPad. The CCC has now taken a close look at the app and found several points that are worthy of criticism or indicate major deficiencies. Data protection is not comprehensively ensured, and attacks from outside are also possible, according to the report on the website of the Chaos Computer Club.

The criticisms of the CCC against the app of the Robert Koch Institute

A total of eight aspects received a negative rating, not only from a technical but also from an organizational point of view. The CCC once again refers to its “6 touchstones for assessing 'Contact Tracing' apps” published on April 10, 2020, which you can see here. In the article linked above, the following deficiencies are summarized and listed:

  • Cloud connection: The users' data are not taken from the smartphone (as previously assumed), but directly from the fitness tracker providers. With the corresponding access code, it is possible to read out real names and other personal data.
  • Inadequate pseudonymization: The health data and other user information are not pseudonymized or anonymized locally on the smartphone, but only after they have been retrieved and transmitted to the RKI. Whether, when and how this happens cannot be checked by the user.
  • Insufficient protection of the access data: To access the fitness tracker or the data it collects, the RKI app requires the access data for the respective user account. "In the majority of cases, these could be read by man-in-the-middle attackers," says the CCC. Third parties can also read data if the smartphone is lost, for example from the Google account.
  • Organizational deficits: Manipulation cannot be prevented because, according to the CCC, the RKI does not know who is donating the data or whether the relevant person really exists. In addition, no effective consent is obtained for the processing of the data (not GDPR-compliant), and the rights of data subjects in the event of manipulation are not guaranteed.

An FAQ about the defects and how to fix them

In addition to my summary, I recommend reading the article linked above on the Chaos Computer Club website. At the end there are also frequently asked questions together with their answers, i.e. an FAQ. It clarifies that the CCC had no access to any user data, that the RKI has already reacted, how quickly the deficiencies can be remedied, what users of the app can do, and so on. Especially if you have already installed and used the app, you should take a look, because simply uninstalling the Corona data donation app does not in itself cancel the connection between the fitness tracker account and the RKI! This is important to know ...
