Norway Shuts Down Contact Tracing App Amid Privacy Concerns
Officials in Norway have put the kibosh on its national COVID-19 contact tracing application following an outside review that found the app “highly invasive.” The decision comes just days before Germany is expected to roll out its own tracking application.
Amnesty International conducted a technical review of the contact tracing apps sponsored by 11 countries across Europe, the Middle East, and North Africa, and concluded that three of them put people’s privacy at risk.
“Bahrain, Kuwait, and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab, in a statement published yesterday. “Privacy must not be another casualty as governments rush to roll out apps.”
Contact tracing apps that record the movement of individuals have burst into the spotlight recently as a potentially valuable tool in tracking the spread of COVID-19, the pneumonia-like illness that’s caused by the novel coronavirus. But depending on how they’re developed, the apps raise the potential for abusing people’s privacy.
The big design flaw of the apps from Bahrain, Kuwait, and Norway is that they track people’s whereabouts through GPS and then upload that data to a centralized server. That gives government officials the ability to track the location of individuals, which is a breach of their privacy. Bahrain officials went a step further with their app and linked it to a giveaway during Ramadan. Government officials would select one phone number at random and call it, and if that person was at home, they would win a prize.
“The Norwegian app was highly invasive and the decision to go back to the drawing board is the right one,” Guarnieri stated. “We urge the Bahraini and Kuwaiti governments to also immediately halt the use of such intrusive apps in their current form. They are essentially broadcasting the locations of users to a government database in real time – this is unlikely to be necessary and proportionate in the context of a public health response.”
Norwegian officials agreed, and pulled the app on Monday while pledging to delete all the data. The app, called Smittestopp, was downloaded 1.6 million times and has nearly 600,000 users, according to Norwegian officials, who also claimed the low rate of infection in their country meant the app was no longer needed.
According to Amnesty, a decentralized design that is voluntary and preserves anonymity is a better approach for contact tracing apps. Many of these apps use the mobile phone’s Bluetooth radio to record when other people come nearby. This data is stored in the app itself rather than uploaded to a centralized server. If a user tests positive for COVID-19, the people who came within a short range of the infected individual are notified.
This is the approach that Germany is taking with its new app, which was developed with help from Deutsche Telekom and SAP, according to a Reuters story. Austria, Ireland, Switzerland, and the UK use this style of contact tracing app. By contrast, China, Ethiopia, and Guatemala use apps with centralized databases, in addition to Bahrain and Kuwait, and Norway before it pulled its app.
Neil Sweeney, the CEO of personal data empowerment firm Killi, says users should not trade their data privacy for health security.
“As the economy starts to reopen, governments are now working with tech companies to implement contact tracing and location-based tools to track their citizens and prevent the spread of the disease,” Sweeney tells Datanami. “But while the health and safety of the general population is a real concern, the pandemic has opened up new questions around consumer privacy and how data should be appropriately managed and stored.”
While health is important, it should not come at the cost of enabling tech giants to violate privacy or break laws, he says. “Companies like Facebook, Apple, etc. rely on consumer data and make billions of dollars a year profiting off personal information, so there’s clearly much more going on beneath the surface here,” Sweeney says.
Google and Apple have prevented third-party contact tracing apps from being used on their phone platforms in the United States, which Sweeney says is a concern, especially in light of controversial data sharing practices in the past.
“Numerous sectors of the economy will be looking at location-based data to normalize things and help people feel safe in mass gatherings,” Sweeney says. “But consumers can’t afford to lose ground here, and lawmakers need to be more vigilant than ever in prohibiting tech companies from rewriting privacy rules on their own terms.”