Who gets license fees for rapping?

MfG, GPL: The fantastic license of the Luca app

The makers of the check-in app Luca have published the source code of their Android app for the first time. They are responding to criticism that the security of the app cannot be properly checked without disclosure. But the makers are also facing headwinds over the way in which they have now made the source code publicly available.

A massive advertising campaign had sparked hype about the Luca app in the past few weeks, fueled by the commitment of the rapper Smudo from Die Fantastischen Vier. The app developed by NeXenio reported hundreds of thousands of downloads, and soon afterwards the federal states of Berlin and Mecklenburg-Western Pomerania announced that they would rely on Luca's services.

But the license under which the creators of the app initially published the source code is the "worst [...] we've read in a long time," criticize the hackers from Zerforschung. Possible security checks of the app would be restricted by the restrictive license.

In the first version of the license from yesterday evening, it said that the source code could only be used for personal, non-commercial purposes. It may not be copied, shared or otherwise reproduced on a public network.

The conditions are a reason for exclusion for many security researchers who might dare to audit the Luca app, Zerforschung criticizes. It is unclear whether the restriction to personal use excludes independent organizations. The restriction to non-commercial purposes could even exclude research groups that only collected donations via their website. And the ban on reproduction in public networks could mean that even sharing screenshots of the source code on Twitter would violate it. The left-wing politician Anke Domscheit-Berg wrote on Twitter that the creators of the app made themselves look ridiculous.

The makers quickly changed the license

In the meantime the license has changed: the app is no longer under a so-called "restricted license", but under the GNU General Public License 3, which is often used for free software. The notes on GitLab say: "Update from temporary to open source license".

Overall, publishing the code seems like a chore for the makers. At the beginning of the month, the co-founder and veteran rapper Smudo let it be known that there would be open source code "if we have the space for it".

Allegations that third-party open source components were also used in the source code of the commercial Luca app caused a stir. This work of others is not marked as such, which represents a presumed violation of the licenses of these code parts, wrote the IT entrepreneur Ralf Rottmann on Twitter. It is also unclear whether there will still be a data protection impact assessment for the app.

When asked by netzpolitik.org, the makers of Luca emphasized that they reacted quickly to the criticism against the “restricted license”. As for the allegations of having used code parts of others in violation of the license, co-founder Patrick Henning admits "errors". "We corrected this immediately and are in direct contact with the author." The publication of the source code for Android will also be followed by that for iOS in the coming days. A data protection impact assessment is also planned and will be published after coordination with data protection authorities.

App instead of pen and paper

The Luca app is intended to solve a problem created by German politics. The corona regulations of the federal states oblige restaurants and venues to collect the contact details of their guests for contact tracing. So far, this has often been done with pen and paper, which has resulted in hundreds of complaints to the data protection authorities.

With Luca, users can register with their name and contact details, and then use the app to check in by QR code when entering a location. The data is then encrypted and stored centrally on the app's servers. If a person later tests positive for Covid-19, they can provide the health department with a list of all the places they have visited in the past 14 days. Anyone who was present at the same time will be warned and asked to self-isolate.

But from the beginning there was criticism of the app. A research team from EPFL in Lausanne showed in an analysis that the central storage of data on the servers of the Luca operators represents a potential security risk. Users could also be de-anonymized too easily. Anyone who uses the centralized system has to trust the operator's promise of security and anonymity.

In the meantime, Luca could be overtaken by a more powerful competitor: the German Corona warning app, which has been downloaded more than 26 million times so far, will also support check-ins at locations via QR code in its next update. This should be rolled out after Easter.

The makers of Luca say their access to central data storage is a feature, not a bug. Because, unlike the Corona warning app, it is not up to the user whether they want to react to the notification of an infection risk or not. His company expects further orders from authorities and is in talks with ten or twelve federal states, says Luca creator Henning. It is clear to him, however, that this will not happen without major debates.

About the author

Alexander Fanta

As the Brussels correspondent of netzpolitik.org, Alexander reports on the digital policy of the European Union. He writes about new laws and does investigative research on large technology companies and their lobbying. He is co-author of the study "Medienmäzen Google" on the group's journalism funding. In 2017 Alexander was a fellow at the Reuters Institute for Journalism Research at Oxford University, where he researched automation in journalism. Before that he was a foreign policy journalist for the Austrian news agency APA.
Published 03/31/2021 at 4:27 PM