Special Feature
Part of a ZDNet Special Feature: Navigating data privacy

Contact tracing: Now Norway suspends use of its app, citing privacy fears

The European country’s data protection agency has banned the collection of personal data through the app.

Contact tracing: COVID-19 panacea or privacy nightmare?

While many countries are only just launching national contact-tracing apps now, Norway has taken a U-turn and put its two-month old Smittestopp app – translated as "infection stop" – on hold until further notice. 

Special Feature

Special Report: Navigating data privacy (free PDF)

This ebook, based on the latest ZDNet / TechRepublic special feature, provides the information CIOs need to better meet the growing demand for data privacy, without stifling innovation.

Read More

Reacting to privacy concerns, the Norwegian data inspectorate last week placed a temporary ban on the processing of personal data associated with the app. The country's institute of public health (FHI), which developed and manages the app, has therefore had to stop the collection of information in Smittestopp, and delete the personal data stored so far thanks to the tool.

The ban was received reluctantly by the FHI. The organization's director Camilla Stoltenberg said: "We do not agree with the Data Protection Agency's assessment, but now we have to delete all data and pause work as a result of the notification. With this, we weaken an important part of our preparedness for the increased spread of the infection."

SEE: How to become a data scientist: A cheat sheet (TechRepublic)

"We have no immunity in the population, no vaccine, and no effective treatment. Without the Smittestopp app, we will be less equipped to prevent new outbreaks that may occur," she said.

Smittestopp was launched nation-wide in mid-April. Although anyone in Norway could download the app and share information, only three municipalities in the country were trialing the notification process. It has been downloaded, and was used actively, by about 14% of over-16s in the three test zones. 

The FHI's executive director Gun Peggy Knudsen told ZDNet that the plan was to validate the technology in those three zones by comparing manual and digital contact-tracing, before opening the app fully to the rest of the nation.

With the infection rates in Norway dropping, however, the FHI has not been able to finalize the validation process. "We got too few cases to compare manual and digital contact-tracing," said Knudsen. "But still, we really argue that this is a necessary tool to have to be prepared for the next wave of the virus."

For the Norwegian data inspectorate, on the other hand, the lower numbers of COVID-19 cases mean that it is no longer necessary to use the app. Given the context, some of the technology's more privacy intrusive features were deemed no longer justified. 

latest developments

Coronavirus: Business and technology in a pandemic

From cancelled conferences to disrupted supply chains, not a corner of the global economy is immune to the spread of COVID-19.

Read More

Bjørn Erik Thon, director of the data inspectorate, said: "It is a very privacy intensive measure, even in an exceptional situation where society is trying to fight a pandemic. We believe that the utility of the app is not evident today, given the way that the app is designed and working now."

Norway has adopted a centralized approach to design Smittestopp, in which user data is collected both via Bluetooth and GPS location. Other European countries that have opted for a centralized model, such as France and the UK, only gather Bluetooth data.

Information is anonymized before being sent to a central database managed by the FHI. Norwegian public health authorities can therefore manage which warnings are sent via the app and to whom, as well as run analytics relevant to the pandemic thanks to the information that users are sharing. 

Data is deleted after 30 days, and, according to FHI, is not made available to anyone other than authorized personnel. 

The method differs from the Bluetooth contact-tracing API put forward by Apple and Google, also known as a decentralized protocol. The tech giants have suggested that their model follows a "privacy by design" approach, since data is not processed and analyzed in a central database. Rather, privacy sensitive operations are carried out automatically and locally on users' phones.

Norway's data inspectorate highlighted several elements that it found problematic in Smittestopp. The organization said that users cannot choose to contribute personal information to the app without accepting that the data is also used for analysis and research, which shows a "lack of freedom of choice".

The data protection agency also questioned the need to register GPS data in the app. Given that several EU countries have successfully developed contact-tracing technologies based on Bluetooth only, the organization concluded that it is unnecessary to use location data in Smittestopp.

According to Knudsen, GPS location is included in the app because the Norwegian government started working on a contact-tracing app much earlier than its European counterparts, and before Apple and Google put forward the Bluetooth-enabled API. 

"We started building the app with GPS and Bluetooth data running in parallel," said Knudsen. "The idea was to use technology to have as accurate a picture as possible, to carry out digital tracing but also to predict where the next outbreak will take place."

To illustrate that the technology could be used to study movement and contact patterns, the FHI pointed to the first analyses that have been made possible by Smittestopp.

Based on anonymous mobility data, researchers have found that since mid-May, Norwegians have been increasingly by-passing the two-metre safe distance, most probably because of schools re-opening, combined with sunnier weather. 

Although the FHI will most likely have to revise the technology before it is allowed to collect data again, Knudsen said that she hopes a solution will be found to keep the possibility of running analytics on the data collected.

"We would like to argue in favor of using the data," she said. "We had already decided to do some more data minimization, and reduce the storage time for the data, so that's one measure. We are looking at comparing the use of Bluetooth alone, to the combination with the use of GPS data.

"It's not just a technology assessment, however – it's a question of which tool, and what information, we need to handle the situation. Ultimately, we are concerned by not having enough data," added Knudsen.

The FHI has encouraged Norwegians to leave the app downloaded on their phones, ready to be re-activated as soon as a compromise is reached with the data protection agency.

SEE: Coronavirus: Business and technology in a pandemic

Meanwhile, the German health minister Jens Spahn said that Germany's own national contact-tracing app will be ready to launch this week, although he did not provide an exact date for the release.

Germany initially favored a homegrown, centralized model similar to Norway's, the UK's and France's apps. Because of the technical constraints of creating an independent tool, however, the country then switched its plans to develop an app based on Apple and Google's API.

France released its StopCovid app at the start of the month, while the UK, after a series of delays, is yet to announce an official launch date for its own technology.