It's absolutely mind-boggling to me how our government(s) can get the idea to "rent" contact tracing data from a private company like this, it just reeks of corruption. I wasn't a big fan of the Covid tracing app in the beginning, but in retrospect the concept of that app seems miles ahead of the current situation with the Luca app.
I think the concept behind it is really solid and a great example of what is possible w/o invading privacy. The only problem is that development got very very slow after the initial release and a lot of potential was wasted. E.g. adding some kind of check-in feature was already discussed mid last year but it took them until now to pick that idea up.
It’s open source https://github.com/immuni-app.
It’s simple: contact tracing only, easy for non technical people.
And has minimal tracking (I only see a periodic ping to get.immuni.gov.it)
Let this be a lesson. If you get something good and still keep complaining and complaining, then what you get in the end is something bad.
Is it a product of smart people simply not working in this sector or corruption? It seems from the outside to be filled with imbeciles masquerading as administrators.
We need to somehow make the government way more accountable, if only there was an organization that could do that, we could call it the media.
Government procurement is so focused on the appearance of fairness and money saving that all other goals, like actually getting something that works, take a back seat.
You end up with over-specified requirements that remove the possibility of innovative or creative solutions. Providers are treated like a commodity, where it is assumed that all will do the same job, and cost is the only real negotiation point, maybe with some kind of scoring grid against the over-specified requirements thrown in.
And the procurement decisions are made by procurement officers who are not the actual users of what is being bought (in the name of objectivity).
So what happens, on a good day, is that the operational users in the purchasing department work with the preferred vendor to "wire" the RFP to reflect the scope of work that is wanted and add requirements (e.g. years of very specific experience, past projects) that heavily favor the preferred vendor. At least this way the department may get something they want, though it obviously can be gamed. Worse though is that many contracts just go to lowest-cost staffing firms that are optimized to comply with government procurement requirements and provide the minimum set of bodies that meet those requirements, usually former government folks rented back, plus some low-cost IT resources, that are there to execute to the letter of what the government has over-specified, usually something that won't actually work as written.
This is why so much government procurement is a failure by any objective measure. What I have seen work is when a vendor provides a credible unsolicited pitch to a known problem at a fixed cost, and the relevant departments are forced to decide if it makes sense.
In Canada we had a major one like that a few years ago, the outcome was great for the department that needed it, but careers were destroyed in the process as politicians and their incumbent friends pushed back to try and stop it.
And to be clear, there's a good reason for it: it's to prevent corruption.
If things aren't overspecified and providers aren't treated like a commodity, then it's incredibly hard to prove that a government official actually awarded a contract in a fair process, rather than just sending it over to their best friend's business.
Unfortunately, nobody's really come up with any reliable process for having the flexibility to get good products for good value, while reliably preventing corruption. And when there aren't these ironclad protections against corruption, experience shows it turns endemic, so much money flows through the government.
It's a seriously tough problem.
The reason it doesn't exist in the private sector is that the chain of accountability from managers to CEO to board seats is actually quite strong, and shareholders are incredibly motivated to extract profits. The accountability to voters in a democracy, on the other hand, is far, far, far weaker -- as voters vote primarily along party lines or on only the absolute biggest hot-button issues.
The biggest companies in this space maintain an active revolving door, which ensures that procurement policy is moulded (either consciously or unconsciously) to their process and needs over time. Even more insidiously, they've convinced governments to gut their own IT workforce, removing the people most qualified to critically analyze software vendors. This appeals to your average bureaucrat because it appears to strike a good balance between effort and risk minimization (e.g. why bother managing multiple smaller vendors or timelines?), while in practice it does exactly the opposite.
A real example: a police force wanted to get say 1000 new squad cars. One of the points in the tender was that the car's trunk has to be exactly that many litres (say 307L, don't remember the exact number). So of course, only one model of all the cars from all manufacturers had that value, and of course the only dealer who submitted for that tender won it. So it was blatantly obvious that the process was rotten from the start. But it was legal. And they (government) did it many times. And pretty much they have been doing it for the last 20 years or so. So corruption is not something which you can solve easily, you need a lot of checks and balances to make it work.
In one country where I previously lived, there was also an "escape clause" where if there was emergency time pressure, you could circumvent the process -- so guess what? The government would "invent delays" in writing up the specifications until the last possible minute, then award the contract without a public tender because there was no time left for the tender process!
So yes, the process absolutely has to be designed with some form of oversight and without loopholes, in order to achieve the aim of preventing corruption.
You're right that it does nothing about other forms of influence like the revolving door.
And like I said, it comes at a tremendous cost of efficiency and quality. It's not trying to strike a balance between corruption and efficiency/quality, it's trying to explicitly minimize corruption at the expense of efficiency/quality.
There’s consensus in this thread that this process reinforces corruption, and is controlled by the corrupt, so preventing corruption isn’t the real reason.
If you want to prevent corruption, hire engineers directly at market rate, and promote / retain them based on their ability to deliver projects.
If you want proof that this approach works, just study history. The US government used to work this way (back when our middle class and economic clout were growing) but corrupt politicians decided to outsource everything to increase the supply of kickbacks.
There is no such consensus, and the idea that it reinforces corruption is contrary to common sense -- it's self-evident that maximum corruption bypasses specifications and public bidding altogether and just hands a contract to a politician's friend.
> If you want to prevent corruption, hire engineers directly at market rate
It's not feasible for a government to accomplish all its tasks by hiring and never by contracting. It would be incredibly wasteful because many projects are one-off, whether building a new suspension bridge or a huge new IT project. It's like saying a company should have no suppliers and write all its own software from scratch.
> just study history. The US government used to work this way
I've studied quite a bit of history thanks, and government in the US used to be quite corrupt compared to today -- just look up Tammany Hall if you'd like a quick introduction. Corruption in the US has very much decreased over the past 150 years.
Outsourcing has existed as long as government has existed. I think you're confusing outsourcing as a general concept with privatization as a specific issue, which is about one-off decisions to choose to start outsourcing things that were previously done in-house. Which has its own set of pros and cons.
But no government can in-house everything. So hiring in-house is not the answer to corruption.
I've seen one approach work, but it struggles to scale, as it needs technical people on the client side.
Buying "outcomes" rather than services can work well - rather than procuring a specific "specification", you buy a solution. The standard contractual framework means you are paid for delivery to tangible milestones (demonstrable value), with engineering/technical background project management team overseeing the work. You work at risk, as you only get paid for delivery. That keeps many of the charlatans away, since it's very clear you're paid for delivery, not effort. That means the headline rate is higher, of course.
Focusing aggressively on actual delivery, but also not dictating the solution means you can see suppliers compete not only on price, but also on how they'll solve the problem. This means the government client needs to understand their problem well enough to articulate it (with some of that support from a technical project manager), but they then evaluate proposals for solving their problem. This moves away from the incentives to "body-shop" low-pay graduates onto a project that a partner pitched for, as it has to actually deliver.
I tend to see the "worst" projects (in terms of non-delivery, large bills incurred, poor value, and the only output being a report recommending more work) come about when the government client doesn't understand their own problem or goal though, so perhaps this approach self-selects problems where the customer can actually articulate their need.
The end result, as you'd expect, is mission-focused solutions to problems with minimal external dependencies. That means the problem gets solved in the simplest way possible, with the least overlap with incompetency possible.
It doesn't work for every problem, but it does show that forcing government to understand the problem before spending money can actually work, at least at some scale.
The same problem absolutely does exist in the private sector. Many of the same big government contractors are running almost the same scam on big companies.
I think this problem is more a function of the size of the organization than public vs. private.
I'm certainly not saying companies can't overpay for things, but there is an inherent pressure from competition to incentivize companies to try to pay less, whereas taxpayer-funded government often doesn't experience similarly direct pressure.
Yes there are obviously employees who embezzle or contractors who defraud, but companies are generally able to police this themselves relatively effectively. It's nothing like government left to its own devices.
I worked at a small 2 year college for many years. One time, my Dean I reported to was on vacation, so I had to go talk to the college president, and get him to sign a form for a $7 petty cash reimbursement for some zip ties I had bought to clean up some cabling.
One year, our President had to travel to the capital city (about 250 miles away, over the mountains) almost every other week for some budget discussions with other colleges, legislators, etc. We could have saved the taxpayers THOUSANDS of dollars by renting a modest house to use for him (and some of the other staff members that regularly traveled to the capital). But that "might" look like we were providing them with a second home, so we spent thousands more on hotels.
The same issues happen in any other procurement activity that is required to rigorously follow a specific process due to spending public money, or bill-payer money of a regulated monopoly etc.
In short, you need large numbers of people involved to avoid "corruption" (irrespective of the actual level of such risk), and this means you end up less flexible and less able to buy what's needed. Weighting price by 80% is common, as nobody wants to be seen to deliver "poor value for money to the tax-payer". Hence the cheapest bid almost always wins, as nobody wants to have to stand up and explain why they didn't pick the cheapest bid.
There's a whole separate issue in how to handle "too cheap" bids (i.e. where you under-bid on the initial work, knowing you can get technical lock-in and be able to win future contracts uncontested, and turn those lucrative), but this is still an issue - see how the large outsourcers or consultancies do this regularly, and end up winning renewals on basis of "necessity".
There's an art to writing a winning (cheap) tender, then staffing it with people who rigorously enforce the scope back onto the Government client, and force every single change through an expensive change process. That's the business model many follow, and it delivers far poorer value for money in the long run. But the headline price was cheaper, so they'll still get selected...
What we did to start winning was to make friends with the people judging us, offering free services making them personally look good until we had such relations with them that they'd ask us to frame the contracts and give them to us whatever our competitors would come up with.
It's impossible to take decisions based on surprise proposals in a public tender and it felt like it was an open secret that tenders' winners MUST be decided before publication.
Private sector: pays more than lawyers and surgeons even if you never graduated college
Gee I wonder where smart ambitious people will go
The salary is a joke, I've made their base salary, which requires at least a bachelor's degree, as a part-time working student in the private sector.
There is only one reason to work for the government in Germany and it's called "Verbeamtung" (a legal state where you are not employed, but appointed for government service, it's almost impossible to get fired and you pay little to no taxes, etc.), but the whole office politics and long decision making channels are awful (source: me working for a company owned by the local government years ago).
The only way to make money there is by having a position where you can make decisions and then twist requirements for "external tasks" so that "your" company has a good chance to get it. Worse, if you don't twist requirements the job is still most likely going to a partially incompetent scam company due to how stupid the whole process is...
When you get old and had a not super high-paying job this can easily be as if you had gotten 50%-100% more salary!! At the same time they (state officials) complain they get too little. It's completely stupid. AND at the same time non-"Beamte" state officials do not get any such benefits, nor especially good pensions or reasonable pay or absurd employment protections(1) or even a proper working contract...
(1): If you are a "ver_beamte_ter" state official it's close to impossible to get fired as long as you don't, idk, commit some severe crime (and a few other special cases). So you are not getting any work done because you don't care anymore? No problem, keep your job. You mess up all your work? OK, you still have a job. Your work morale has degraded to a degree that you are basically unemployable and still you get a full paycheck every month and keep your job. Though besides severe crimes there are a few things which can cost you your job, but they are easy to avoid.
Anyway this doesn't mean there are no honest, proper employees in such positions, it's just very hard for them to keep their motivation.
Although there is a regular limit of two years, i.e. if you continue working after two years the employment contract will be considered indefinite. (Obligatory IANAL)
Against all odds, the government manages to recruit and retain people who can do good work.
The larger problem is that government seems designed to make it impossible for IT talent to actually apply their talent. Now I understand why one of Grace Hopper's most famous quotes in the Navy was "it is better to beg forgiveness, than to ask permission".
1. Pay fewer people more money
2. Reinstitute civil service exams
I guess this is politically impossible?
It's a system that benefits vendors that can manage the red tape that's there to prevent corruption.
Depends on the country/jurisdiction.
This reminds me of a story: college career fair is held in January. Government is there and takes resumes. Candidates start getting callbacks for government positions in late April.
Do I even have to explain that those still available late April for the summer maybe were not... the sharpest tools in the shed?
Most likely because a company with the lowest bid wins or a company that has connections with the government, so they get selected based on friendships rather than competence.
Then such a company typically sends the least experienced developers working for a pittance and they hope the project will last long enough that it gets scrapped before it gets completed, so they will not be held accountable for anything.
If the experience of the procuring department is that "BSI finds everything is insecure", then you procure without letting BSI know or have a say in it, and then you look good for getting the procurement completed.
Getting cross-department cooperation on anything complex tends to be the exception rather than the rule - it's much easier for everyone to make the same (avoidable) mistakes over and over again, apparently, than it is to accept the process doesn't work and fix it.
"Intangible" non-functional requirements are simply something that don't translate well into the procurement world, and are the first thing dropped to try and lower the "headline price". Being secure enough to get past BSI is a cost that your competitor likely won't be factoring in.
Sounds plausible. Especially looking at years of (German) data protection officials recommending against using Windows 10/Office 365 in government agencies, followed by officials explaining that only Microsoft's products are able to fulfill their "extremely complicated requirements".
I'm not entirely convinced that only Windows 10 has the necessary features for registering a vehicle title...
At enterprise-scale, I must concede that Microsoft have a really sleek sales pitch. Group Policy in AD offers a level of "managed desktop" that a low-pay, mid-skill sysadmin can operate. That lets you set and enforce "policies", and they get enforced on the computers, and this is something that entirely non-technical senior managers can understand and feel confident in.
Any OS could be used to register a vehicle title, but MS' option gives you a fleet of relatively cheap and accessible talent with an "official certification" (MCSP or whatever it has become) - governments love certifications, as it helps them de-risk things they don't understand. The clever enterprise vendors understand this, and try to ensure the market is awash with "their people". It's probably controversial to say, but governments love technology that is able to be run (by-design) by hiring mediocre people to run it. Windows Server with a shiny GUI to edit group policies and apply updates hits that spot for many organisations.
I wouldn't be surprised to find the "extremely complicated requirements" for the vehicle registration government agency are the ability to run some (procured) proprietary endpoint protection client (which probably runs everything it sees unsandboxed, as NT AUTHORITY\SYSTEM ), and enforce a whole host of client-side restrictions (which could easily be network-layer) to prevent people using personal email on managed devices.
https://www.recon.cx/2018/brussels/resources/slides/RECON-BR... like Windows Defender did (!)
Regarding client-side restrictions: I doubt I'll ever understand why many organizations appear to be so focused on restricting their employees' computers, some even going for full-blown surveillance. Maybe I'm just a little naive, but is intercepting and filtering all network traffic really the only way to notice whether an employee is playing browser games all day (instead of, you know, noticing the employee's productivity dropping)?
My primary concern is that those enterprise firewalls intercepting all traffic (including MitM-ing TLS traffic) regularly prevent adoption of new Internet standards. At the same time, the idea of total communication surveillance seems surreal. Imagine the equivalent situation 20-30 years ago: What would you have said if your employer hired a team in order to eavesdrop on every single telephone call and open every single letter entering or leaving the office?
Afraid it's not fiction. I see it pretty regularly.
> Regarding client-side restrictions: I doubt I'll ever understand why many organizations appear to be so focused on restricting their employees' computers, some even going for full-blown surveillance.
Several reasons I've seen. Firstly, don't underestimate the importance of protecting people's data at scale. If staff can use their Gmail on a computer, someone will email themselves someone's personal data. Maybe it won't be malicious, but it's still a breach. Maybe it was some software running on the computer (malware) that got in via an ad or game, that simply emails out information.
Governments (and large enterprise) operate at a scale where you need to be careful of data exfiltration by malicious users or software. While you might be able to trust people in a team of 5, it's very hard to scale that trust up to 5000 people.
> Maybe I'm just a little naive, but is intercepting and filtering all network traffic really the only way to notice whether an employee is playing browser games all day (instead of, you know, noticing the employee's productivity dropping)?
This implies that the person's manager is competent enough to actually notice this, and has enough understanding of what they do to act.
Filtering network traffic is often more about preventing data egress of other people's personal information than it is about spotting someone playing candy crush.
> My primary concern is that those enterprise firewalls intercepting all traffic (including MitM-ing TLS traffic) regularly prevent adoption of new Internet standards. At the same time, the idea of total communication surveillance seems surreal. Imagine the equivalent situation 20-30 years ago: What would you have said if your employer hired a team in order to eavesdrop on every single telephone call and open every single letter entering or leaving the office?
In financial services and other regulated sectors, they pretty much did/do that, albeit recorded rather than having someone listen all day long. I agree with you that these kinds of active MITM firewalls likely introduce more issues than they solve - many don't themselves validate the certificate of the site they're MITM'ing properly, therefore introducing a whole new attack vector if you can convince the MITM box to serve up a valid certificate for your site's invalid certificate.
Unfortunately though, for as long as the goal is to make it possible to work at big scale and minimise the risk posed by individual employees, you'll continue to see this be the default way of working, I reckon.
The prices for crappy software/hardware solutions are mind boggling. I guess this is how it is if you just can afford it.
Was initially stoked and honored to be considered, but the longer I thought about it, the more uncomfortable and heavy the thought of how it all worked started to sour me to the entire idea.
Never realized how pervasive the whole practice was til then. Thought it was a rumor or story... Turns out...
There should be hacker clubs in each country double checking all suspicious public procurements.
I've been pitching around the idea to use hackerone as a framework but restricted to local college and university programs to do bug finding in provincial/municipal public service delivery systems as a way to create a pipeline of competent public service talent, develop real civic engagement, and create the incentives within govt to build less appallingly shitty systems.
The main challenge with that is it requires a total rethinking of what government is, which is already happening organically as dev/eng people and culture builds more generational influence in govt beyond being just "IT," but that's a longer term vision. GenX doesn't code and they're still 10-15 years from retirement, but internet generation people are slowly taking the management reins.
Near term, absolutely hack your region's contact tracing apps, and if you want to really effect change, use technology and data to create and test hypotheses to find corruption. It's going to be unpopular and even make you a target, but if you want to summarize what the cyberpunk aspect of hacker culture was, a lot of it was based on the hypothesis of there being a corrupt conspiracy running the infrastructure of The System, and by learning its secrets you could become somehow more safe from it, or expose it.
Then they got a mailing where somebody mailed them an entire collection of correspondence between the tax administration and other government bodies which was apparently intended to be sent to the Hamburg tax administration. It detailed how they were trying to actively put obstacles to financing the CCC's work. Apparently, that mailing went accidentally to CCC, which was not the intended address....
We will move to stockholm and I'm thinking of creating one :)
This culture doesn't exist in Sweden, and the spaces and organisations that aren't subsidised by government funds or universities all disappear after a few years.
(Source: Lived in all three countries, was active in such organisations in all three countries)
I guess you were simply not in contact with the right people.
You know, the more I think about it, I’m not really sure I have any idea what a computer club actually is and does...
Some hackerspaces are more a kind of makerspace and provide expensive, large or complicated hardware like industrial laser cutters, 3D printers, embroidery machines and (electronics) workshops with soldering irons, electronic parts etc.
Other hackerspaces are focusing more on the social side and offer a space to hang out, meet and discuss with beverages (I guess mostly mate and beer). There can be talks, workshops or competitions (like CTFs) and so on.
Also providing services to the public, like repair cafes and holiday programs for kids can be a way to further engage in society to share technical knowledge.
hackerspaces.org also has extensive explanations on the theory of hackerspaces: https://wiki.hackerspaces.org/Theory
Only socializing online is just not the same.
That there is also a branch of very public security experts is... Incidental, I'd say.
No. It happens that a lot of members are security experts but it is far far broader than that.
The CCC is a very decentralized organization. A lot of hacker spaces are in fact operated by local subdivisions or are completely independent organizations but with a lot of overlap in membership.
In general the CCC likes to define itself more by those who share its values and less by the legal entity with that name.
…or lacking members. He wrote, glancing around the empty room
There are a few other organisations, notably Teknologihuset which has some communities organising regular events and NUUG which doesn't have a physical space but moves around and is generally a good community to get in contact with.
Note that NUUG have members all throughout Norway, and also an active (Norwegian) IRC channel, which may be a good place to ask about other towns as my knowledge of those is either outdated or non-existent!
See you on IRC! :)
They're all in German-speaking countries.
The only thing I wish, is that it was called "KAOS Computer Club," and that they have a picture of Bernie Kopell in their entryway.
Also they don't have any rate limit on the SMS service...
so anybody can build a loop and call the SMS endpoint...
- development private and public key in the repo (not harmful but a bad sign)
- more that I forgot
So the health department could call you.
This was done by SMS but the verification of an account does not check against that SMS verification, it's just a simple if/else on the client.
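The two findings above (no rate limit on the SMS endpoint, and an account check that only lives in a client-side if/else) have the same fix: the server has to own both the limit and the check. The following is an added example written for this thread, not Luca's code or anything posted by the commenters; the store is in memory, the clock and SMS sender are injected so it runs offline, the phone number and IP are constructed, and the limits and TTL are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

CODE_TTL_SECONDS = 300          # assumed: a code is valid for five minutes
MAX_VERIFY_ATTEMPTS = 5         # assumed: wrong guesses before the code is discarded
SEND_LIMIT_PER_PHONE = 3        # assumed: SMS per phone number per window
SEND_LIMIT_PER_IP = 15          # assumed: SMS per client IP per window
SEND_WINDOW_SECONDS = 3600


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        events = self._events[key]
        while events and events[0] <= now - self.window:   # drop events outside the window
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class SmsVerifier:
    """Issues one-time codes and checks them on the server, never on the client."""

    def __init__(self, send_sms, clock=time.monotonic):
        self.send_sms = send_sms        # injected; a real deployment calls the SMS gateway here
        self.clock = clock
        self._by_phone = SlidingWindowLimiter(SEND_LIMIT_PER_PHONE, SEND_WINDOW_SECONDS, clock)
        self._by_ip = SlidingWindowLimiter(SEND_LIMIT_PER_IP, SEND_WINDOW_SECONDS, clock)
        self._secret = secrets.token_bytes(32)   # per-process HMAC key: codes are stored as MACs
        self._pending = {}                       # phone -> [code_mac, expires_at, attempts]

    def _mac(self, phone, code):
        return hmac.new(self._secret, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def request_code(self, phone, client_ip):
        """Rate-limit per IP and per phone before anything is sent."""
        if not self._by_ip.allow(client_ip):
            return "rate_limited_ip"
        if not self._by_phone.allow(phone):
            return "rate_limited_phone"
        code = f"{secrets.randbelow(10 ** 6):06d}"     # CSPRNG, not the random module
        self._pending[phone] = [self._mac(phone, code), self.clock() + CODE_TTL_SECONDS, 0]
        self.send_sms(phone, code)
        return "sent"

    def verify(self, phone, code):
        """The only place a code is checked; whatever the client claims is irrelevant."""
        entry = self._pending.get(phone)
        if entry is None:
            return "no_pending_code"
        if self.clock() > entry[1]:
            del self._pending[phone]
            return "expired"
        if entry[2] >= MAX_VERIFY_ATTEMPTS:
            del self._pending[phone]
            return "too_many_attempts"
        entry[2] += 1
        if hmac.compare_digest(entry[0], self._mac(phone, code)):   # constant-time compare
            del self._pending[phone]
            return "verified"
        return "wrong_code"


class FakeClock:
    """Constructed clock so the scenario below is deterministic and offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Constructed scenario: the outbox captures codes instead of sending SMS."""
    outbox, clock = [], FakeClock()
    v = SmsVerifier(send_sms=lambda phone, code: outbox.append(code), clock=clock)
    phone, ip = "+49 151 1234567", "203.0.113.7"        # constructed sample values
    wrong = lambda: "000000" if outbox[-1] != "000000" else "999999"
    out = [v.request_code(phone, ip)]                     # sent
    out += [v.verify(phone, wrong()), v.verify(phone, outbox[-1]), v.verify(phone, outbox[-1])]
    out += [v.request_code(phone, ip) for _ in range(3)]  # sent, sent, rate_limited_phone
    clock.now += SEND_WINDOW_SECONDS + 1
    out.append(v.request_code(phone, ip))                 # window has slid: sent
    clock.now += CODE_TTL_SECONDS + 1
    out.append(v.verify(phone, outbox[-1]))               # expired
    out.append(v.request_code(phone, ip))                 # sent
    out += [v.verify(phone, wrong()) for _ in range(MAX_VERIFY_ATTEMPTS + 1)]
    return out


if __name__ == "__main__":
    print(demo())
```

The limiter is keyed on both the phone number and the client IP because a loop against the endpoint can rotate either one; the attempt counter on `verify` is what turns a six-digit code into something that cannot be brute-forced from the client, and storing only an HMAC of the code means a leaked store does not hand out valid codes.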
Especially since there is already a government funded app (whose developers also make a much more competent impression) which is scheduled to receive similar functionality as the Luca app with the next update.
Its not run by a private company which only thinks about money.
That's just an increase of about 46% in comparison to 2019...
If this would be some other thing, like the implementation of a video surveillance system in the political center of Berlin, or any other important place, they would have taken care to at least adhere to the basics in how to give whom the job to do this, how it will be licensed/owned, how it will be run, what happens with the data. A thorough check of the company would have been made.
But in this case? It's a small startup with no expertise whatsoever in data protection, expecting the silliest terms and conditions, and the politicians are just glad to throw the money at them, and even expecting citizens to install this app if they want to take part in public life.
This is as crazy as it gets and shows how incapable they are of controlling this pandemic, even how little they care to seriously work on it, and I wonder how much this represents what they have been doing over the last decade in general.
I was glad to install the Corona-Warn-App and am a bit sad that there are so few people using it, but it was implemented correctly. Not only from a technical point of view.
But should any of these apps become a requirement to participate in public life, I'd take it as far as going to jail for not installing or uninstalling it.
Fully agree, the whole "Merkel era" was an era of political stagnation. The pandemic relentlessly uncovered that.
But now we've reached a new low, German politicians seem completely unwilling to fight the pandemic anymore despite a 3rd wave caused by the B.1.1.7 variant building up rapidly. It's crazy times, the luca app disaster is just one manifestation of it.
But I guess kickbacks for using something created by state employees are not as good as for something new from a private enterprise (with blockchain! - they silently removed it, when the CCC called that out and now the CEO claims: "we've never used blockchain").
In the Luca app, the user's location data is stored centrally, and the states can then purchase a license to access data of potentially risky contacts.
(BTW the public health offices are notoriously overworked during the pandemic, so it's not clear to me if they'd even manage to do anything with this data).
Anecdotally most of them are completely overwhelmed because of the currently fairly high case numbers and effective contact tracing does not really happen anymore. Also they mostly live in the technological stone age so they have a hard time scaling it up.
The official Corona Warn App uses the Exposure Notification Framework and does not share any personal data.
I always found them whack...
Almost all of my friends did not consider fanta 4 to be rap music but rather pop music :)
One notable difference is a much closer connection to e.g. intelligence services.
On the other hand, the relationship to democratic processes, as well as the stance on state/federal involvement in IT problem spaces, seems to differ between Germany and the US.
Again: I'm an outsider and would actually like to hear from others how they see this.
Some CCC hackers had a pretty good relationship with the Russian KGB. They got information about a wide range of US military secrets including details about the Space Defense Initiative (SDI). They were so successful that they wound up dead and a movie was made about them. Since then the CCC has to be heavily infiltrated by all kinds of Intelligence Services.
Infiltrating the CCC would be akin to infiltrating Antifa. Sure, you can get close to a group and learn their secrets, but you can't get close to the center of it because it has none.
I think this more served as a cautionary tale to not get involved with this kind of agencies at all.
However since then the CCC has been very honourable and I have nothing but respect for them.
As mentioned by others, the EFF's Electronic Frontier Alliance tries to act as a regional group for these types of things, but in my experience it's pretty dead (at least the Utah group has been completely unresponsive).
I'm really surprised Germany is playing so loose and fast with privacy as they're known to be one of the countries with the strictest privacy laws around.
By the way how does this work being mandatory with people that don't own a smartphone?
You're surprised because you're expecting politicians to have consistent principles, but it's just about what's convenient right now. This is an inherent issue with having elections every couple of years.
It's hardly surprising that now that opinions are shifting, the only projects remaining are those most lacking in privacy awareness. The aware have long given up.
And opinions are shifting in no small part because unsurprisingly, the ineffective pen & paper tracking that was deployed instead was suffering from quite real privacy problems that weren't theoretic at all (routinely breached not by ssh keys in the wrong hands or some backdoor hidden in the code but by just asking nicely).
As a French citizen living in Germany I can get vaccinated if I go back to France soon (the French state literally sent me an email to tell me that as they know I'm living in a foreign country), meanwhile I keep on reading that some German states are trying to get more vaccines than the others (e.g. Sputnik in Bavaria) and I cannot get a free PCR in a state where I do not live. Why having such friendly fire in your own country, especially when my health insurance works at the national level?
But leaving the fast-moving to those least concerned with privacy is still a recipe for disaster.
Luca app just had more hype/better marketing.
This is the trajectory for everything essential it seems. Want to function in the modern world? You need a pocket computer with approved applications on it to do increasingly important, but basic tasks. Banking, health, transportation, etc. are all sitting on the pocket computer that can watch where you go and track what you do to the minute.
Similar to other governmentally supported apps this one has been made open-source beginning with the first drafts, is based on the provided framework by Apple and Google, does not store privacy relevant data on centralized servers and even follows the 10 baseline rules the CCC has published.
That actually makes it even more sad that the German government reaches out to the Luca app developers and buys their service for such a huge amount of money - although there is a product that is on par service-wise and way better from a privacy perspective.
- funnily enough the same Smudo who was a very vocal "Napster bad!!11eleven" voice back in the day ... however Napster would at least meet 2 of the CCC criteria (instead of 0, like Luca :)
And of course, they were rushed out the door, so they'd probably have quite a few problems.
It's also open source with a generous licence.
Why didn't Germany use that? Corruption.