Norway’s contact-tracing app suspended over privacy concerns

Norway has suspended its Covid-19 tracing app after criticism from the country’s national data protection agency, Datatilsynet.

The regulator has given Norway’s public health department until 23 June to cease all data collection and storage, amid concerns that the app is infringing the privacy of citizens.   

The app, designed by the Norwegian Institute for Public Health (FHI), is intended to contain the spread of the virus by alerting users when they have been in proximity of a person with Covid-19 and sending them advice on how to minimise the risks of further transmission.

But Bjørn Erik Thon, director of Datatilsynet, said the benefits of the app are disproportionate to the privacy infringements on citizens.

The app, known as Smittestopp (“stop infection”), collects anonymised data about people’s movements, which the FHI says it uses to gain insight into the effectiveness of social distancing measures taken to fight transmission.

Norway’s health authorities match data collected by the app with the Norwegian MSIS database – the public health record for Norwegian citizens that stores details of Covid-19 carriers.

Datatilsynet said the suspension of the app will give the FHI the opportunity make any “necessary changes” to protect users’ privacy in order to resume use of the app. Part of this will entail justifying which location data it is “strictly necessary” to be collected.

Amnesty International today described the app as one of the most intrusive, allowing the near-real-time tracking of people’s movements by regularly uploading their GPS co-ordinates into a server.

But Norway’s health authority says the suspension of the app will leave the country less prepared to manage further outbreaks of the coronavirus.

Camilla Stoltenberg, director of the FHI, said these measures “will result in poorer preparedness as we lose time in the development and testing of the app”.

This will lead to “poorer control over transmission in Norway”, she said, adding: “Without the Smittestopp app, we will be less equipped to prevent new local or national outbreaks.”

The FHI claims in its privacy policy that personal data will not be used to monitor whether individuals are complying with recommendations or rules, will not be released to the police, insurance or employers, even with the user’s consent, and cannot be used for commercial purposes.

The app had been downloaded 1.6 million time by 3 June, with almost 600,000 active users sharing their data with the FHI.

The low number of confirmed Covid-19 cases in Norway makes it difficult to measure the app’s effectiveness.

So far, no users of the Smittestopp app have received text messages alerting them to close contact with an infected person.

The app’s developer, Simula, maintains that a person’s movements or location are not tracked, other than identifying incidents of close contact once a user has tested positive for Covid-19.

The app collects data via Bluetooth and GPS location services, and this is either deleted after 30 days or removed manually by users.

It uses Bluetooth to detect nearby phones of other app users when they are closer than two metres for more than 15 minutes over a 24-hour period.

If users of the app are tested positive for Covid-19, people who have been in close proximity to them are alerted without disclosing the identity of the infected person, and are advised to self-isolate.

An analysis by Amnesty International of contact-tracing apps in Europe, the Middle East and Africa found Norway’s app one of the most alarming in terms of privacy.

“The Norwegian app is deeply intrusive and put people’s privacy at risk,” said Claudio Guarnieri, head of Amnesty International’s Security Lab. “It is the right decision to press pause and go back to the drawing board to design an app that puts privacy front and centre.

“This episode should act as a warning to all governments rushing ahead with apps that are invasive and designed in a way that puts human rights at risk. Privacy doesn’t need to be a casualty in the roll-out of these apps.”

The news comes as Germany today launches at contact-tracing app with the help of Deutsche Telekom and SAP.

The app adopts the Apple/Google framework for decentralised digital contact tracing, which means no personally identifiable data or user location information is recorded or stored.

Attila Tomascheck, digital privacy expert at ProPrivacy, has dubbed the German app as a “model to follow” in its effectiveness and preservation of user privacy.

A similar decentralised approach, backed by Apple and Google, is now being considered in Norway.