Norway pulls its coronavirus contacts-tracing app after privacy watchdog’s warning

One of the first national coronavirus contacts-tracing apps to be launched in Europe is being suspended in Norway after the country’s data protection authority raised concerns that the software, called “Smittestopp,” poses a disproportionate threat to user privacy — including by continuously uploading people’s location.

Following a warning from the watchdog Friday, the Norwegian Institute of Public Health (FHI) said today it will stop uploading data from tomorrow — ahead of a June 23 deadline when the DPA had asked for use of the app to be suspended so that changes could be made. It added that it disagrees with the watchdog’s assessment but will nonetheless delete user data “as soon as possible.”

As of June 3, the app had been downloaded 1.6 million times, and had around 600,000 active users, according to the FHI — which is just over 10% of Norway’s population; or around 14% of the population aged over 16 years.

“We do not agree with the Data Protection Agency’s assessment, but now we have to delete all data and pause work as a result of the notification,” said FHI director Camilla Stoltenberg in a statement [translated via Google Translate]. “With this, we weaken an important part of our preparedness for increased spread of infection, because we lose time in developing and testing the app. At the same time, we have a reduced ability to fight the spread of infection that is ongoing.

“The pandemic is not over. We have no immunity in the population, no vaccine, and no effective treatment. Without the Smittestopp app, we will be less equipped to prevent new outbreaks that may occur locally or nationally.”

Europe’s data protection framework allows for personal data to be processed for a pressing public health purpose — and Norway’s DPA had earlier agreed an app could be a suitable tool to combat the coronavirus emergency. Although the agency was not actively consulted during the app’s development, and had expressed reservations — saying it would closely monitor developments.

Developments that have led the watchdog to intervene are a low contagion rate in the country and a low download rate for the app — meaning it now takes the view that Smittestopp is no longer a proportionate intervention.

“We believe that FHI has not demonstrated that it is strictly necessary to use location data for infection detection,” said Bjørn Erik Thon, director of Norway’s DPA, in a statement posted on its website today.

Unlike many of the national coronavirus apps in Europe — which use only Bluetooth signals to estimate user proximity as a means of calculating exposure risk to COVID-19 — Norway’s app also tracks real-time GPS location data.

The country took the decision to track GPS before the European Data Protection Board — which is made up of representatives of DPAs across the EU (and the EEA, of which Norway is a member) — had put out guidelines, specifying that contact-tracing apps “do not require tracking the location of individual users”; and suggesting the use of “proximity data” instead.

Additionally, Norway opted for a centralized app architecture, meaning user data is uploaded to a central server controlled by the health authority, instead of being stored locally on device — as is the case with decentralized coronavirus contacts-tracing apps, such as the app being developed by Germany and one launched recently in Italy. (Apple and Google’s exposure notification API also exclusively supports decentralized app architectures.)

The FHI had been using what it describes as “anonymised” user data from the app to track movement patterns around the country — saying the data would be used to monitor whether restrictions intended to limit the spread of the virus (such as social distancing) were working as intended.

The DPA said today that it’s also unhappy users of the app have no ability to choose to grant permission only for coronavirus contacts tracing — but must also agree to their personal information being used for research purposes, contravening the EU data protection principle of purpose limitation.

Another objection it has is around how the app data was being anonymized and aggregated by the FHI — location data being notoriously difficult to robustly anonymize.

“It is FHI’s choice that they stop all data collection and storage right away. Now I hope they use the time until June 23 well, both to document the usefulness of the app and to make other necessary changes so that they can resume use,” said Thon. “The reason for the notification is the [DPA]’s assessment that Smittestopp can no longer be regarded as a proportionate encroachment on users’ basic privacy rights.”

“Smittestopp is a very privacy-intensive measure, even in an exceptional situation where society is trying to fight a pandemic. We believe that the utility is not present the way it is today, and that is how the technical solution is designed and working now,” he also said.

Commenting on the developments, Luca Tosoni, a research fellow at the University of Oslo’s Norwegian Research Center for Computers and Law, suggested the Norway DPA’s decision could lead to similar bans on contacts-tracing apps elsewhere in Europe — should contagion levels drop to a similarly low level. (And rates of COVID-19 continue declining across the region, at this stage.)

“To my knowledge, this is the first instance in which a European DPA has imposed a ban on a contact-tracing app already in use in light of national developments regarding contagion levels,” he told us. “It is thus possible that other European DPAs will impose similar bans in the future and demand that contact-tracing apps be changed as soon as contagion levels substantially decrease also in other parts of Europe. Norway has currently one of the lowest contagion levels in Europe.”

“The ban was not only related to the app’s use of GPS data. The latter was probably the most important feature of the app that the Norwegian DPA has criticised, but not the only one to be seen as problematic,” Tosoni added. “Another element that was criticised by the Norwegian DPA was that the app’s users are currently unable to consent only to the use of their their data for infection tracking purposes without consenting to their data being used also for research purposes.

“The DPA also questioned the accuracy of the app in light of the current low level of contagion in Norway, and criticised the absence of an appropriate solution for aggregating and anonymising the data collected.”

Tosoni said the watchdog is expected to reassess the app in the next few weeks, including assessing any changes proposed by the developer, but he takes the view that it’s unlikely the DPA would deem a switch to Bluetooth-only tracing to be sufficient for the app’s use of personal data proportionate.

Even so, the FHI said today it hopes users will suspend the app (by disabling its access to GPS and Bluetooth in settings), rather than deleting it entirely — so the software could be more easily reactivated in future should it be deemed necessary and legal.