Norway’s coronavirus tracing app halted by Data Protection Authority – too invasive and not useful
“This reduces our ability to fight the spread of the virus that is happening now”, warns Camilla Stoltenberg, director of the Norwegian Institute of Public Health.
The warning from the Data Protection Authority this Monday, June 15th, called for a temporary halt to all collection of personal data through the coronavirus tracing app called Smittestopp - infection stop.
The Norwegian Institute of Public Health, however, announced that it would also delete all data collected so far.
"The app can be a useful tool for saving lives, but it is important that there is full transparency about what data are collected and what they are used for," said Bjørn Erik Thon, director of the Data Protection Authority, when the app was launched in the middle of April. Prime Minister Erna Solberg encouraged everybody to join in the fight to control the virus, and download the app.
At that point, Norway was still in lockdown, initially implemented on March 12th. The ease up from lockdown started on April 20th with the careful opening of kindergartens. The situation in Norway today is that the numbers of new infections, of hospitalizations and deaths are very low, and large parts of society are back to something close to normal. As of the publication of this article, 242 people have died from COVID-19 in Norway, and 20 people are hospitalized – 7 of them receiving intensive care.
In this situation, the Data Protection Authority finds the app to be too invasive.
“Smittestopp is a very invasive measure when it comes to privacy, also in a state of emergency when society is trying to fight a pandemic. We believe the value of this is not present in the situation which we have today, and regarding how the technical solution is designed and is working at the moment”, said director Thon in the statement from Monday this week, on the Authority’s website.
Reduced ability to fight the coronavirus
"We do not agree with the assessment of the Data Protection Authority, but see no other way than to delete all the data and pause our work as a consequence of this warning”, said Camilla Stoltenberg, director of the Norwegian Institute of Public Health in a statement on the NIPH website.
“This will worsen our preparedness because we lose time that could be used to develop and test the app. It also reduces our ability to fight the spread of the virus that is happening now. This pandemic is not over. We do not have immunity in our population, no vaccine, and no effective treatment. Without the Smittestopp-app we are worse off when it comes to preventing new outbreaks that can happen locally or nationally”, she said.
The first analysis of data from the app was presented last week and found that the level of social distancing in Norway has gone down, with a shift happening around May 10th.
“This is important information which tells us something about how the measures to curb this virus are working”, NIPH write.
“We were now in a phase where we have great faith in Smittestopp becoming a useful tool both to track infections, and to gain control of the spread of the virus”, said Stoltenberg.
Too much data collected, not enough users
Actual tracing of coronavirus cases has so far only been tested in three municipalities in Norway. Because so few people are infected, it has been hard to validate whether the app contacts the right people to warn them that they have been exposed to somebody who is now infected.
This lack of validation was also one of the reasons cited by the Data Protection Authority for halting the app at the present moment, along with the number of users, which the Authority deems low. About 1.6 million – out of 5.4 million Norwegians – have downloaded the app. 600,000 of them have been actively sharing their data with NIPH. This is far from the 60 per cent uptake deemed necessary for the app to be effective.
The Data Protection Authority also criticizes the fact that it is not possible to opt out of the research part of the app. Once you share your data, they are used both for tracing and for research.
And finally, as opposed to several other tracing apps which use only Bluetooth technology to log movement, the Norwegian app uses both Bluetooth and GPS data, which many deem unnecessary. The first rollout of the app drained smartphone batteries so quickly that it became a standing joke.
The European Data Protection Board also criticized the Smittestopp-app for collecting too much and too detailed data, in a letter dated April 14th, a few days before the launch of the app. “Contact tracing apps do not require location tracking of individual users”, they wrote, continuing: “Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimisation. In addition, doing so would create major security and privacy risks.”
Data minimisation means collecting as little data as necessary.
Losing the opportunity to trace new outbreaks
Gun Peggy Knudsen from the Norwegian Institute of Public Health is responsible for the Smittestopp-app. She says Norway loses two important things when deleting the data so far collected.
“We lose the opportunity to see over time how people’s contact patterns change, and we lose the opportunity to be able to quickly get back on track and start tracing cases”.
The Data Protection Authority deems the app not to be useful partly because the level of infection in Norway is so low. Knudsen finds this an odd argument.
“What we want is for this app to be part of our readiness to meet any new outbreaks or a second wave of infections. If we only start using it once an outbreak is a fact – then we’re too late. The whole idea is to be able to track this back in time”.
If a new outbreak were to appear in the capital Oslo on Friday this week, this means the app could not be used to help trace possible cases. However, the app hasn’t yet been validated – meaning found to be accurate, and it also hasn’t yet been used for tracing and warning in Oslo. So would it make a difference?
“If an outbreak in Oslo occurred, we would have wanted to continue with our validation efforts. We would do digital and manual contact tracing simultaneously so we could compare them, which again would make our algorithms even better”, says Knudsen.
“We would have been ready to do this in Oslo – or any other part of the country for that matter”, she says.
What then about the fact that so few have downloaded the app?
“The answer to this question is that the more people who use it, the more useful it is. But it’s not true that a low number of users renders it useless”, Knudsen asserts.
“And as we remove more and more of the other measures, the more important this one tool will be, despite fewer users. Part of the reason we had trouble validating the app was that during the period we have been using it, a lot of people spent a lot of time at home. Now however, people are moving about a lot. So this is when we would really need it.”
Neither security nor privacy
The Smittestopp-app was reviewed by an independent group of experts who delivered their report on May 18th. They concluded that neither security nor privacy was responsibly taken care of in the system as of that date.
Eivind Arvesen, a software developer/architect and consultant for Bouvet, and a member of the expert group, has summarized the findings of the report on his blog (in English). He explains that one of the main issues was that the app used a so-called static identifier, meaning that every device is given an ID which never changes.
“This means you can potentially track one device, meaning one person”, Arvesen says to sciencenorway.no.
“In the case of security, rectifying the use of a static identifier might have bettered security-aspects so much as lead us to another conclusion – but privacy concerns demand more, and larger alterations”, the expert group write in their report.
Arvesen doesn’t wish to comment on whether or not he downloaded the app himself, but he does believe the efforts made to create the app were worth supporting.
“The motives and the intent here are noble. It’s a good thing that they wanted to use available technology to solve this problem. The question however is how do you do this in a way that safeguards rights and interests, and also what are the best technical solutions”, he says.
Gun Peggy Knudsen from NIPH tells sciencenorway.no that the static identifiers were to be removed from the app, and that if the app does reappear, it will be without this way of storing data.
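To make the static-identifier finding concrete, here is an added example; it is not code from Smittestopp, NIPH or the expert group. It compares how many movement trails can be rebuilt from sightings when each device's ID never changes versus when it rotates. The HMAC-based rotation, the 15-minute interval, and all names and sample data are assumptions for illustration; the article does not say what scheme would replace the static identifier.

```python
import hashlib
import hmac
from collections import defaultdict

ROTATION_SECONDS = 15 * 60  # assumed rotation interval, for illustration only


def static_id(device_secret: bytes, timestamp: int) -> str:
    """Static scheme: the ID ignores time, so it never changes."""
    return hashlib.sha256(device_secret).hexdigest()[:16]


def rotating_id(device_secret: bytes, timestamp: int) -> str:
    """Rotating scheme (hypothetical): a fresh ID per interval via HMAC-SHA256."""
    interval = timestamp // ROTATION_SECONDS
    mac = hmac.new(device_secret, interval.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:16]


def linkable_trails(sightings):
    """Group (place, id) sightings by ID, as anyone holding the records could.

    Returns only IDs seen at more than one place, i.e. reconstructable trails.
    """
    places = defaultdict(list)
    for place, broadcast_id in sightings:
        places[broadcast_id].append(place)
    return {bid: seen for bid, seen in places.items() if len(set(seen)) > 1}


def simulate(id_scheme, secrets, route):
    """Each device follows the same constructed route and is sighted at every stop."""
    return [(place, id_scheme(secret, ts)) for secret in secrets for place, ts in route]


# Constructed sample data: three devices, three stops one hour apart.
SECRETS = [bytes([i]) * 32 for i in (1, 2, 3)]
ROUTE = [("home", 0), ("shop", 3600), ("office", 7200)]

STATIC_TRAILS = linkable_trails(simulate(static_id, SECRETS, ROUTE))
ROTATING_TRAILS = linkable_trails(simulate(rotating_id, SECRETS, ROUTE))

if __name__ == "__main__":
    print("static IDs, linkable trails:", len(STATIC_TRAILS))
    print("rotating IDs, linkable trails:", len(ROTATING_TRAILS))
```

With static IDs every device's full route falls out of a simple group-by; with rotating IDs the same records contain no ID seen in two places, while the ID stays stable inside one interval so that nearby devices can still log a contact.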
Definitely of interest to foreign powers
The Smittestopp-app essentially logs people’s movements. So how dangerous is it if some hacker or foreign nation were to access these data? And are they really interested in when and where you do your shopping and whether or not you work from home or at the office these days?
“On a general basis, based on the knowledge we have of information security, I can say that there is no doubt that this sort of information is of interest to foreign powers”, says Arvesen.
A so-called APT – Advanced Persistent Threat – is, according to Wikipedia “a stealthy computer network threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.” It may also be “non-state sponsored groups conducting large-scale targeted intrusions for specific goals.”
“Ever since the talk of town was digital tracking of the spread of the virus, APTs have directed their attention toward organisations who work on those types of things”, says Arvesen, adding that these are not the only threats – these sorts of data are interesting to many, and can be misused in many ways.
“I don’t want to speculate in what concrete threats might come out of this. But what we found in the expert group, was that this could have been done in less invasive ways, and that the technological choices they made lead to a higher cost than necessary in terms of privacy”.
Research requires an active consent
While working on the app, the Institute of Public Health and Simula, the research institute which was doing the actual development of the app, got in touch with the Norwegian National Research Ethics Committees. They wanted advice on what to think about if data were to be used for research purposes.
"We in the secretariat had four recommendations for them", says Helene Ingierd, General Director of the National Research Ethics Committees.
“All of them connected to trust.”
The first recommendation was that if the data were to be used for research purposes later, this must be clearly stated – and that this should require a specific consent.
“In our committee for health and medical research they often talk about ticking the box twice – consenting to research should be an active act from the person who downloads the app”, says Ingierd.
The second point was to not oversell the usefulness of the app.
“For this kind of project, implemented during a state of emergency when we are all called upon to do our bit for the greater good, it’s especially important to be sober when presenting the usefulness of a measure. In this case, it has turned out it hasn’t been all that useful – for many reasons, among them that not enough people have downloaded the app. Which again comes down to trust”, she says.
Not possible to sufficiently anonymize such data
The third recommendation pertains to the risk to the user of the app – and specifically to the word ‘anonymization’.
“They said the data will be deleted, and if they are used for research purposes later, then they will be anonymized. But firstly – if they are to be used later, then clearly they are not deleted. And secondly – when we talk about this amount of data, anonymization will often be difficult, if not impossible”, says Ingierd.
The Research Committees have recently had a large project on the implications of big data and research, and will launch a report later this fall. One of their findings is that anonymizing large amounts of data is close to impossible.
“We therefore advised the NIPH to be careful in promising anonymization, when talking about such large amounts of data. The problem is that these data can be connected to other types of data, and the risk then is high for identification. Anonymous data do not necessarily remain anonymous as they are connected to other data – which is what researchers often do”, says Ingierd.
Surveillance and misuse of data
The final point regarding research ethics is the risk of misuse of the data. At the time the committee secretariat gave their advice, it wasn’t yet clear how or where the data would be stored. The final solution was to store the data centrally on servers in Ireland rather than locally on each and every phone. This has been heavily criticized.
“When you store these data on servers abroad, you have less control over them. Who can use them, can they be sold to commercial companies, in a worst-case scenario – can they be used for surveillance, and to weaken democratic rights? These are real risks that need to be taken seriously. We have real examples of meddling with democratic elections and influencing voters – this isn’t science fiction”, says Ingierd.
NIPH was in a hurry when the app was developed. The numbers of infections had not yet gone down, the country was still in a state of emergency.
“It’s easy to be wise in hindsight”, says Ingierd.
“Still, we were clear that if you want people to trust this app, you have to approach it in the same way as when we do research. This means you have to have thought through all these things that I have mentioned, and find good solutions, otherwise it will not be of use. And it seems they hadn’t thought this through well enough”.
Our goal is to handle this crisis
Gun Peggy Knudsen from NIPH believes the data they have collected are sufficiently anonymized.
“We haven’t just removed an ID, what we’re talking about here are tables of aggregate data. I think if some of our critics could see these tables they would understand that this is not a traditional set of data at all”, she says.
In fact, NIPH have been criticized for limiting the potential for research because they remove so much information from the collected data.
Also, what the institute is currently doing with the data isn’t research – even though you could call analysis and evaluation a form of research, Knudsen admits.
“The whole point of collecting these data is not to do research on them later – although somebody could do that potentially. Our goal is to handle this crisis, this outbreak of COVID-19. That is our mandate. This app and these data are part of our tools to be able to catch signals of new outbreaks early or predict where and when they might come.”
On the issue of storing data centrally on servers or decentralised on each individual’s phone, Knudsen maintains that local storage would be a completely different tracking tool.
“There’s a lot of focus on technology in the debates on privacy. A decentralized solution would not give the authorities or us any information. We would not be able to monitor how contact behavior changes, how different measures work, and we would not know how many are warned of possible contact with an infected person. In short – we’re talking a completely different tool.”
The servers in Ireland, where the individual data have been stored until now, are chosen for their safety, according to Knudsen. The data would never be sold to a commercial company or used for any other purpose than that which is the stated purpose of the app, she assures.
Among the most invasive in the world?
The day after the news of the halt was announced, Amnesty Norway published a report claiming that the Smittestopp app is among the most invasive in the world – together with those developed in Kuwait and Bahrain.
Knudsen says the NIPH has great respect for Amnesty, but that they find the comparisons they have done of different countries’ tracing apps odd.
“It’s hard to understand why they would compare parts of the technological solutions completely isolated, without also reviewing functionality, process and government in the different countries”, she says.
“Norway is a democracy, voluntary participation is the foundation of the work we have done, as well as openness. Our app is never to be used for controlling behavior or surveillance. But they have not taken this into account, which is hard to understand.”
Starting today, June 16th, the Smittestopp app will no longer collect any data. NIPH however write that they hope people will keep the app on their phones, and just temporarily deactivate it, as they work on finding better solutions.
UPDATE: The Norwegian parliament decided on Tuesday the 16th that the coronavirus app will be split in two: one part for virus tracking, and one part for collecting data for the purpose of analysis. Users may consent to both or just one of the purposes.