Proposed government coronavirus tracking app falls at the first hurdle due to data breach

The source code of a proposed app for tracing COVID-19 exposed user data after being published online.
Written by Charlie Osborne, Contributing Writer

A mobile application proposed to the government of the Netherlands as a means to track COVID-19 has already fallen short of acceptable security standards by leaking user data.

The app, Covid19 Alert, was one of seven applications presented to the Ministry of Health, Welfare, and Sport, as reported by RTL Nieuws

The shortlisted mobile app's source code was published online over the weekend for scrutiny as the government decides which solution to back. It was not long before developers realized that the source files contained user data -- originating from another application. 

According to the publication, the app contained close to 200 full names, email addresses, and hashed user passwords stored in a database from another project linked to an Immotef developer. 

See also: Coronavirus: Business and technology in a pandemic

The source code was quickly pulled, but the damage was already done, with one developer criticizing the leak as "amateurish." 

A spokesperson for the Covid19 Alert app said the information was "accidentally put online" due to the haste in which the team wanted to make the source code available for analysis. 

The developers are working on improvements, but it remains to be seen if Covid19 Alert will go any further in the selection process, which is ongoing. 

CNET: Judge rules against Twitter transparency effort, citing national security

Mobile technology, specifically our smartphones and tablets, provides an opportunity for healthcare providers, governments, and researchers to be able to accurately track the spread of the novel coronavirus moving through populations. 

However, forcing the general public to install these kinds of applications has prompted a number of privacy and security concerns, including how geolocation data is stored and could otherwise be used, whether or not information can be anonymized properly, and how tracking individuals in the future could erode rights to free movement, speech, and association. 

At the beginning of April, 130 scientists, academics, and technology experts launched the Pan-European Privacy Preserving Proximity Tracing (PEPP-PT) initiative, a European scheme designed to oversee the development of COVID-19 tracker apps

TechRepublic: Subscription businesses proving resilient as economy contracts due to coronavirus

Earlier this month, researchers from Boston University proposed an alternative method for tracking COVID-19 that does not impede our privacy. A voluntary mobile application is installed on our smartphones that leverages short-range broadcast technology -- such as NFC or Bluetooth -- and blasts out ID numbers, that change on a frequent basis, to those nearby. 

These numbers are stored on the device itself and users can choose to share them if they are diagnosed with COVID-19 to alert others that they have been in contact with a confirmed case. 

Innovative projects now online to combat coronavirus outbreak

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards