Millions of people have installed the Deutsche Bahn app DB Navigator, and many users have joined by buying the 9-euro ticket. They all seem to give away more information than is necessary. The Bahn app does not take data protection very seriously, writes Stiftung Warentest.
The DB Navigator was called up more than ten million times in the Google Play Store alone. A number of users probably only recently installed the app in order to use the 9-euro ticket, and in the first week after the start of the campaign almost seven million of the discounted monthly tickets were sold. Stiftung Warentest examined the app and found “critical data transmission behavior”.
The foundation finds it unproblematic that the app sends encrypted location, data on the smartphone’s hardware and software, as well as user names and passwords to Deutsche Bahn. After all, it is data that is probably necessary for smooth operation, according to the test report. The examiners are not so enthusiastic that the navigator also reveals the name of the mobile operator and statistics on the use of the app.
However, they find it particularly critical that both the Android and the iOS app send data to an Adform Internet address. This is an international company based in Denmark that provides tailor-made advertising.
The app’s data protection provisions state that Adform uses pseudonymised user profiles on behalf of Deutsche Bahn “in order to control more targeted, usage-based online advertising”. In order to be able to use the advertising space of other websites, cookies are synchronized with Google, Doubleclick and other platforms.
Deutsche Bahn cites Article 6 Paragraph 1 Letter a of the General Data Protection Regulation (GDPR) as the legal basis. It regulates that consent is given voluntarily, informed, for a specific processing and a specific purpose and unequivocally.
Security expert Mike Kuketz has been observing the DB Navigator since last autumn. He does not assume that the app is GDPR compliant. Among other things, he accuses Deutsche Bahn of the navigator placing cookies and establishing connections while users are still being given the various options to choose from (consent banner).
Even if the information sent to Adobe Inc. (Android) and Optimizely (iOS) is information necessary for operation, this should not happen before the user has given their consent, writes Kuketz. He also wonders why Deutsche Bahn does not process personal travel data itself, but leaves it to third parties.
The security expert also criticizes the design of the consent banner, in which “Accept all cookies” is highlighted in Deutsche Bahn red. This is “a form of influencing to manipulate the user’s decision/behaviour.” In addition, Kuketz criticizes that app users have to swallow the option “Only allow necessary cookies” without a choice and that data transmission to ten companies is said to be necessary.
In an open letter to Deutsche Bahn written together with Peter Hense and padeluun (Digitalcourage), Kuketz wrote at the end of April that “significant violations of the General Data Protection Regulation (GDPR) and the Telecommunications Telemedia Data Protection Act (TTDSG) had been identified. Against the background of Deutsche Bahn’s dominant position in the market, the data protection violations that were uncovered are all the more important because they affect millions of people.”
On July 1st, the app will be subjected to another technical and legal review and legal action will be taken if the identified deficiencies have not been remedied by then.
As the test by Stiftung Warentest has shown, Deutsche Bahn has apparently not yet adapted the apps accordingly. The last updates took place on April 22 (iOS) and May 12 (Android). When asked for a statement, the Kuketz company replied that they took their criticism and suggestions very seriously and dealt with them.
However, the spokeswoman points out that all service providers used in this context are contractually bound and do not act in their own interest, but act strictly according to instructions. “They are therefore not third parties within the meaning of the GDPR.”
The consent layer has been presented to the responsible data protection supervisory authority for evaluation and is still waiting for an answer. “Should changes be necessary in the opinion of the supervisory authority, we will inform you transparently.”
In order to use the 9-euro ticket, you do not have to rely on the DB Navigator. Stiftung Warentest refers to the 9-euro ticket app from Deutsche Bahn, which does not access any superfluous data. However, users would have to make sure to assign a secure password with at least eight characters, the examiners write. The app also allows seven-digit combinations. You can also use the monthly ticket via the application of a regional provider.