Privacy Concerns Lead To Deletion Of All Data Collected By Norway's Contact Tracing App
from the not-enough-infections-is-a-nice-problem-to-have dept
In the early days of the coronavirus outbreak -- a few months ago, in other words -- there was a flurry of activity around contact tracing apps. Desperate to be seen to be doing something -- anything -- governments around the world rushed to announced their own digital solutions to tracing people who have been in the proximity of infected individuals. There are now over 40 in various stages of development. After the initial excitement, it's striking how quiet things have gone on the contact tracing front, as projects struggle to turn politicians' promises into useful programs. Some of the apps are beginning to emerge now, and we're likely to hear more about them over the next few weeks and months. For example, there's been an interesting development in Norway, one of the first to release its smartphone app, Smittestopp ("infection stop"), back in April. As the Guardian reports:
On Friday, the [Norwegian] data agency Datatilsynet issued a warning that it would stop the Norwegian Institute of Public Health from handling data collected via Smittestopp.
Datatilsynet said the restricted spread of coronavirus in Norway, as well as the app's limited effectiveness due to the small number of people using it, meant the invasion of privacy resulting from its use was disproportionate.
There are two important points there. One is about the balance between tackling COVID-19, and protecting privacy. In this case, the Norwegian data protection authority (NDPA) believes that the benefit is so small that the harm to privacy is unjustified. The other is that when the infection rate is low, as is the case in Norway, which has reported fewer than 250 deaths from coronavirus so far, people may not see much point in using it. Professor Camilla Stoltenberg, Director-General at the Norwegian Institute of Public Health, is unhappy with Datatilsynet's move:
We do not agree with the NDPA's evaluation, but now we will delete all data and put work on hold following the notification. This will weaken an important part of our preparedness for increased transmission because we are losing time in developing and testing the app. Meanwhile, we have a reduced ability to combat ongoing transmission. The pandemic is not over. There is no immunity in the population, no vaccine, and no effective treatment. Without the Smittestopp app, we will be less equipped to prevent new local or national outbreaks
It's worth noting that Stoltenberg admits that "the work involved in getting the app to work optimally has taken longer than planned, partly because there are few people who are infected". As the number of COVID-19 cases continues to fall in some countries, those developing contact tracing apps there may encounter similar problems.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: contact tracing, covid-19, data, deletion, norway, privacy
Reader Comments
Subscribe: RSS
View by: Time | Thread
FWIW, the German app just launched and it's promising. The contractors delivered: it's open source, has seen a flurry of third party activity and has also been vetted, even professionally. They use the privacy friendly DP3T, is integrated with Google/Apple API.
I don't see the gloom and doom. In the case of Norwegian app, it sounds like it was rushed. Maybe that's more the problem than tracing itself.
[ link to this | view in chronology ]
The UK app is DOA because of the shady behavior of the government, the involvement of someone involved in the rampant data misuse during the Brexit referendum and their absolute refusal to disclose what the data they gather will be used for and to delete it once it's no longer needed for the purpose it was gathered for. The whole thing is a nightmare of their own creation, they had alternatives ready to go, but they decided to do their own thing and give jobs and money to the wider circle of sleaze.
[ link to this | view in chronology ]
Re:
"The UK app is DOA because of the"
...long and unfortunate history of Tories giving IT contracts to corrupt friends who rarely deliver what was promised, and never within time and budget, but also never face consequences for their tidy profits from the public purse. 9 times out of 10 when there's a failed government IT project in the UK, it's traced back to someone's Eton chum.
[ link to this | view in chronology ]
The excuse that the app will now be hard to develop is bullshit. If they want an app that is ready to deploy if necessary and has been reviewed to protect privacy to the extent possible, that would be better done in the absence of any necessity so there is no pressure to roll it out. The can always use their own employees to test the app and ask for volunteers if need be.
[ link to this | view in chronology ]
A nice idea, but . . .
Contact tracing apps are a nice idea, but there are too many drawbacks:
1) Technical limitations, mainly of Bluetooth, which most of the apps seem to focus on, make their accuracy and usefulness questionable to begin with.
2) Data abuse is inevitable. Governments and data collection (read privacy abusing) companies have proven this at every opportunity. See Point 1) in the DP-3T Privacy and Security Attacks on Digital Proximity Tracing Systems.pdf
3) Many people will simply not use them because they are aware of points 1) and 2).
When you combine points 1) and 3), I doubt that any data that is collected will be of sufficient quantity and accuracy to have any significant value at all.
As an aside, do people in Norway really believe that the Norwegian Institute of Public Health (and anyone they may have already given the data to) will really delete the data? This is an actual question, not a snark, since I am unfamiliar with Norway, it's government in general, or the Norwegian Institute of Public Health in particular.
[ link to this | view in chronology ]
Meanwhile, more authoritarian countries like the US continue to secretly develop "contact tracing" apps in wait for the next epidemic or pandemic of covid or something.
[ link to this | view in chronology ]
Re:
The problem would then be secrecy and the inability of the public to review the code to know exactly what the app does. Contact tracing doesn't necessarilly automatically conflict with privacy. It's the secrecy that conflicts with privacy. After all, contact tracing already exists and has existed for a long time for certain diseases, almost all of which are STIs. If you know exactly what a contact tracing app does, you are free to not use it, just as you are free to say you don't remember who you had sex with if you get an STI and don't want to give out that information.
[ link to this | view in chronology ]