Digital tickets, real-time travel information, fast bookings: the "DB Navigator" app offers a wide range of options and is almost indispensable for a train journey within Germany.

The app has already been downloaded more than ten million times in the Google Play Store and is number one in the Travel category in the Apple App Store.

An analysis of the DB Navigator app by IT security expert Mike Kuketz revealed significant data protection problems.

Together with the Digitalcourage association and the lawyer Peter Hense, who specializes in IT and data protection law, Kuketz now wants to initiate a lawsuit against the DB Group: "Our main concern is that you comply with the law and don't try to exploit any loopholes," they say.

For a number of years now, Kuketz has been primarily checking those apps that are installed by many users, because he finds checking data protection particularly important there.

In April, he took a close look at "DB Navigator": he examined which servers the app contacts and which information is sent, and thus analyzed the data flows.

The problem here: "The app is a kind of black box. We only know that data is being transmitted, but we have no insight into what ultimately happens to the data," explains Kuketz in an interview with the Frankfurter Allgemeine Zeitung.

But how is user data passed on?

As with any other app, users can determine whether they want to "allow all cookies" or only select the "necessary" ones.

The analysis by Kuketz shows that even with the data protection-friendly restriction to "necessary" cookies, DB Navigator allows a significant number of trackers to transmit user data to third parties.

However, the app does not give the user the opportunity to refuse the transfer of data, nor does it explicitly ask for his or her consent.

The purposes of data transfer are also not made transparent.

The IT expert Kuketz and the lawyer Hense come to the conclusion: The currently offered configuration is illegal.

In an interview with FAZ.NET, Kuketz makes clear that the use of trackers in apps is not, in itself, unusual.

Nor is this the criticism leveled at DB Navigator, because trackers have different tasks.

For example, some analyze user profiles, i.e. store the extent to which an app is used and what users click on frequently; this can then be used, for example, to place personalized advertising.

Trackers are also there to record app crashes, explains Kuketz.

It is quite possible that the railway transmits the data to third parties in order to carry out strategic market analyses, but this cannot be determined from the information provided by DB.

The problem with this: “As a user, I do not have the opportunity to object to this data processing.

We don't know what happens to the data either.” The DB Navigator itself doesn't provide any information on this, which makes it – like any other app – a black box.

It is even unclear whether the data is sold to third parties, due to the lack of transparency in the privacy policy.

In a press release, Deutsche Bahn called the criticism from the Digitalcourage association "unfounded".

Regarding data processing by trackers, which are also used with the setting "required", it says: "No identifying personal information is processed, only pseudonymised data, which is isolated to the individual provider as anonymous data content. None of the providers is able to use the data elsewhere or even for their own marketing purposes."

DB did not react to the criticism that customers of the DB App cannot refuse the data transfer and that the purposes of the tracking are not openly listed anywhere.