RKI application: Voluntary donation of data becomes a collapse of data protection

The Boss



Analysis of Chaos Computer Club

Marcel Laser

The new application of the Robert Koch Institute [RKI] is intended to use your fitness data to track the coronavirus better. According to the RKI, the data is completely anonymous and is collected only via your mobile phone. The CCC has now found that this may not be entirely correct.

The RKI app is meant to track the coronavirus using data that users voluntarily provide from smartphones, smart watches or fitness bracelets. At least that was the explanation of the Robert Koch Institute. Now the Chaos Computer Club [CCC] has found that much of the data does not come from mobile phones at all, but directly from the fitness providers.

In doing so, as the CCC report on the corona tracking application states, the RKI violates its own data protection rules. The data does not come from the mobile phone but directly from the servers of Google or other providers, and is only anonymized once it reaches the Robert Koch Institute. This contradicts the data protection rules issued by the RKI, under which only anonymous data should be provided.


"Fitness data is not regularly sent from the donor's smartphone to the RKI; instead, the RKI queries it directly from the fitness tracker or Google Fit provider and only then pseudonymizes it. To this end, the RKI stores access data with which a full health record and the name of the data donor can be accessed."

Chaos Computer Club on the RKI application

According to the CCC, the RKI's app description and its data protection statements also contradict each other. The institute states that the collected data is encrypted and then transmitted from the smartphone to the RKI's dedicated server in Germany, where it is processed and stored.

On the other hand, the RKI explains in the FAQ of the corona tracking app that the data is automatically queried in the background from the server of the fitness bracelet or smart watch manufacturer. This contradicts the description given above.


According to the CCC, the data streams are also vulnerable to attacks

The fact that the data is not transferred anonymously to the Robert Koch Institute also makes it vulnerable to cybercriminals. According to the CCC report, so-called "man-in-the-middle" attacks allow the data to be eavesdropped on and evaluated. This is because the application has a built-in "WebView" that can transfer data to the RKI without a proper security certificate. Most standard browsers would suffice for such an attack.
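The weakness class the CCC describes (a WebView that keeps sending data even when the server's certificate does not check out) has a well-known shape on Android. The following is an added illustration written for this article, not code from the RKI app or from mHealth Pioneers: the first client accepts any certificate, which is what makes a man-in-the-middle attack possible; the second aborts on any TLS error and only allows HTTPS navigation to one expected host. The host name `example.invalid` is a placeholder, not the RKI's server.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// INSECURE pattern: every certificate error is waved through, so anyone
// positioned between the phone and the server can read and alter the data.
class InsecureClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // accepts forged, expired or self-signed certificates
    }
}

// HARDENED pattern: a certificate error stops the load, and navigation is
// restricted to HTTPS on the one host the app is supposed to talk to.
class HardenedClient extends WebViewClient {
    // Placeholder for illustration only; not the real RKI endpoint.
    private static final String EXPECTED_HOST = "example.invalid";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Log for diagnostics, then refuse: the user's health data must not
        // leave the device over an unverified connection.
        Log.w("HardenedClient", "TLS error " + error.getPrimaryError() + " for " + error.getUrl());
        handler.cancel();
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        boolean allowed = "https".equals(uri.getScheme()) && EXPECTED_HOST.equals(uri.getHost());
        // Returning true tells the WebView NOT to load the URL.
        return !allowed;
    }
}
```

Not overriding `onReceivedSslError` at all gives the same safe default as the hardened client, since the platform cancels on error unless told otherwise; the override is shown only to make the difference between the two behaviours visible.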

So far, the RKI has not issued a statement. Time will also tell whether an update to the current RKI application can be expected. The mobile phone application was not developed by the Robert Koch Institute alone, but in collaboration with the developer mHealth Pioneers.
