Data leak from platform for cannabis clubs


exclusive

As of: April 5, 2024 4:00 p.m

According to information obtained by Kontraste, data from hundreds of cannabis clubs was publicly viewable. The leak was discovered by a collective of security researchers. Critics have long warned about data protection problems.

By Daniel Laufer and Carla Spangenberg, RBB

On April 1st, hundreds of cannabis users gathered at the Brandenburg Gate to “get high” together – demonstratively, in front of numerous cameras. While they displayed their consumption voluntarily, a four-digit number of cannabis users were apparently exposed involuntarily. According to research by the ARD political magazine Kontraste, their data was openly accessible. How could this happen?

Consumption, possession and home cultivation have been partially legalized since April. From July, cannabis can also be grown collectively in so-called cultivation associations. Since the proposed law became known, a large number of such cannabis clubs have formed. They are looking for land to grow on and for systems to manage their members.

Under the new cannabis law, they are obliged to document comprehensive data about their members. Names, dates of birth and addresses must be kept in a database. Every time a member obtains cannabis, the date, quantity and THC content must be documented, and the records must be stored for five years.

Names, email addresses and dates of birth were visible

The “Canguard” software from ThingBring, based in Hamelin, Lower Saxony, promises cannabis clubs a simple solution: “Your club, your data” – this is how the provider advertised the supposed security of the software on its website. According to Kontraste's information, this is precisely where an extensive data leak is said to have occurred.

The names, email addresses, dates of birth, postal codes and hashed passwords of “Canguard” user accounts were apparently accessible to third parties. It was apparently also publicly visible whether a user account was the “owner” or a “member” of a cannabis club. Third parties are also said to have been able to edit user accounts and cultivation associations, and thus, technically, even to take them over. The security gap was discovered by the hacker collective “Zerforschung”.

Those affected were left in the dark for a long time

According to Kontraste's information, “Zerforschung” informed the software company about the data leak on the Wednesday before Easter and described the security gap in detail. However, the affected club operators apparently only found out about a security incident after Easter. Even a week after “Zerforschung” had informed the company, the club operators still seemed to have no idea of the extent of the data leak.

In a blog post, the hacker collective writes that the software is “clearly still in its infancy” and criticizes: “If a product is market-ready enough to store customer data, it must also be mature enough to keep it to itself.” But that is not all: in the event of a data leak, those responsible are obliged to report the security incident to the responsible state commissioner for data protection (LfD) within 72 hours. It is still unclear whether ThingBring GmbH should have reported the data leak to the LfD itself.

From a legal point of view, the company may only be processing the clubs' data on their behalf – in which case the clubs themselves would have had to report the incident to their respective LfD. In any case, ThingBring should have informed the club operators immediately. A week after the hacker collective informed ThingBring, the LfD in Lower Saxony had not yet received a report about the incident, as it told Kontraste upon request.

ThingBring now wants to review its security standards

The operator of the software, ThingBring GmbH, said upon request that a review of the security standards and possible consequences was under way. “Data could leak out to people who knew what they were doing,” managing director Lennart Schneider said in an interview with Kontraste. However, he could not say which data, or how much of it, had been visible.

Schneider admitted that the data leak had not been reported to the state commissioner. He announced that he would examine personnel consequences. One day after the phone call with Kontraste, the operator took the software offline and reported the security gap to the Lower Saxony LfD. According to Kontraste's information, the club operators were then informed of the full extent of the security gap.

Critics see major data protection concerns

Data protection advocates are critical of the obligation to store data so comprehensively: for David Werdermann of the Society for Civil Rights (Gesellschaft für Freiheitsrechte), the documentation requirement and long storage period amount to private data retention, which seems like an invitation to misuse.

Data leaks can never be completely ruled out, and even a single club produces enormous amounts of data. “If the data of several cultivation associations can now be accessed via one piece of software, these are huge data sets,” Werdermann told Kontraste. “Insurance companies and data brokers will then be even more interested in this data leaking out.”
</thinking_mode>

Data security is not adequately addressed in the law; there is only a short passage in the explanatory memorandum. “If the law prescribes such comprehensive documentation requirements, we would also have liked to see stricter requirements for data security,” said Werdermann.

Authorities gain deep insight

So is the data leak just a foretaste of the screening of cannabis consumers? The law grants state authorities extensive access to the data collected. The clubs are to be inspected regularly by state authorities.

The supervisory authority receives copies of the documents and is allowed to store personal data for up to two years. In the event of administrative or criminal offenses, this data can also be passed on to security authorities.

This has a deterrent effect on cannabis consumers, said Oliver Waack-Jürgensen of the Cannabis Social Club umbrella organization in Germany. “For many people, the legal route seems too risky. This makes it harder to dry up the black market, which is what the law actually wants,” Waack-Jürgensen told Kontraste. Even though the security incident at Canguard was a relatively small data leak, it shows that whoever collects data will also have data harvested.
