The Norwegian Institute of Public Health (FHI) has stopped all collection of personal data in the contact tracing app “Smittestopp” after the Norwegian Data Protection Authority announced that it will ban the app's data collection for violating privacy principles. The Data Protection Authority told FHI that it will impose a temporary ban on processing until the collection and processing have been changed. It deemed the app's current practice “unreasonable” in the present situation, given how invasive the app is.
Poor privacy choices in contact tracing apps
The app has received heavy criticism from the Norwegian tech community as well as from legal experts. Similar criticism was voiced against Germany's plans for a comparable app, and the German project changed its design to avoid centralised storage; the developers of the Norwegian app, by contrast, refused to revisit their architectural decisions.
In an interview with NRK, the well-known lawyer and privacy expert Jon Wessel-Aas warned against installing the app because of its privacy weaknesses. On May 19th, the Norwegian tech community published a joint statement on the app as a Medium article: https://medium.com/@jointstatementnorway/joint-statement-on-contact-tracing-for-norway-331ee49fc6f6.
It is vital that in coming out of the current crisis, we have not created a tool that enables large scale data collection on the population or laid ground for acceptance of such after the pandemic. Thus, solutions which allow reconstruction of invasive information about the population should be rejected. Such information can include the “social graph” of who someone has physically met over a period of time as well as the locations every person in Norway has visited.
(@jointstatementnorway on Medium)
Although the criticism has been vocal and constant, the organization developing the Smittestopp app has been defiant, responding to critical voices by dismissing them as “feelings” and as “showing a lack of empathy for those in risk groups of being harmed or killed by COVID-19”.
The key problem is the centralised storage of contact tracing and location data: a central database that records who met whom, and where, can reconstruct the social graph and movement history of the whole population, whoever ends up controlling it. Other contact tracing designs exist that do not enable this kind of mass surveillance, for example decentralised schemes in which phones exchange rotating random identifiers and the matching against identifiers of confirmed cases happens on the device, so that no central party ever sees a contact or a location.
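To make the architectural difference concrete, here is an added example (not code from Smittestopp, FHI or the original post) of a toy decentralised proximity-tracing exchange in the style of DP-3T and the Apple-Google Exposure Notification design. The seed sizes, the 15-minute rotation, the HMAC-SHA256 derivation and the three phones Alice, Bob and Carol with their encounter timeline are all assumptions constructed for the example. The thing to notice is what the server holds at the end: a list of released seeds and nothing else, so there is no contact graph or location history for an attacker or the operator to abuse.

```python
# Added example, not code from Smittestopp or from the original post: a toy
# decentralised proximity-tracing scheme (DP-3T / Exposure Notification style).
# Assumptions (not from the page): 32-byte daily seeds, 16-byte ephemeral IDs
# rotating every 15 minutes, HMAC-SHA256 derivation, constructed encounters.
import hashlib
import hmac
import os
from datetime import date, timedelta

EPHID_LEN = 16            # bytes per broadcast identifier (assumption)
EPHIDS_PER_DAY = 96       # 24h / 15-minute rotation (assumption)
DAY0 = date(2020, 6, 15)  # constructed timeline start


def derive_ephids(daily_seed: bytes, day: date) -> list:
    """Derive a day's rotating identifiers from a secret daily seed.

    Without the seed the IDs look random, so an eavesdropper cannot link two
    broadcasts to one phone. Anyone who later obtains the seed (released only
    after a positive test) can recompute this list and match it locally."""
    ids = []
    for epoch in range(EPHIDS_PER_DAY):
        msg = day.isoformat().encode() + epoch.to_bytes(2, "big")
        ids.append(hmac.new(daily_seed, msg, hashlib.sha256).digest()[:EPHID_LEN])
    return ids


class Phone:
    """All state stays on the device until the owner tests positive."""

    def __init__(self, name: str):
        self.name = name
        self.seeds = {}        # day -> secret daily seed
        self.observed = set()  # (day, ephid) heard over Bluetooth; no names, no GPS

    def seed_for(self, day: date) -> bytes:
        return self.seeds.setdefault(day, os.urandom(32))

    def broadcast(self, day: date, epoch: int) -> bytes:
        return derive_ephids(self.seed_for(day), day)[epoch]

    def hear(self, day: date, ephid: bytes) -> None:
        self.observed.add((day, ephid))

    def release_seeds(self, days) -> list:
        """Called only after a positive test: releases seeds, nothing else."""
        return [(d, self.seeds[d]) for d in days if d in self.seeds]

    def exposed_days(self, published: list) -> set:
        """Local matching: recompute each released seed's IDs and intersect
        with what this phone overheard. The server is never consulted."""
        hits = set()
        for day, seed in published:
            for ephid in derive_ephids(seed, day):
                if (day, ephid) in self.observed:
                    hits.add(day)
        return hits


class Server:
    """Holds only the released seeds of confirmed cases. It never learns who
    met whom, where anyone was, or which phones found a match."""

    def __init__(self):
        self.published = []

    def publish(self, seeds: list) -> None:
        self.published.extend(seeds)


def simulate() -> dict:
    """Constructed scenario: Alice meets Bob on DAY0, Carol meets nobody,
    Bob tests positive and releases his seeds for DAY0 and the next day."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    server = Server()
    day1 = DAY0 + timedelta(days=1)

    # 15-minute slot 40 on DAY0: Alice and Bob are within Bluetooth range.
    alice.hear(DAY0, bob.broadcast(DAY0, 40))
    bob.hear(DAY0, alice.broadcast(DAY0, 40))
    bob.broadcast(day1, 10)  # Bob is active the next day, alone

    # Bob tests positive and uploads only his daily seeds.
    server.publish(bob.release_seeds([DAY0, day1]))

    published = list(server.published)  # what every phone downloads
    return {
        "alice_exposed_days": alice.exposed_days(published),
        "carol_exposed_days": carol.exposed_days(published),
        "server_seed_count": len(published),
    }


if __name__ == "__main__":
    print(simulate())
```

Alice's phone finds the match on its own, Carol's finds nothing, and the server ends the scenario holding two seeds and no record of the encounter. A centralised design would instead require every phone to upload its observed identifiers (or its location trail) so that the matching could be done server-side, which is exactly the database the joint statement warns against.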
Privacy by design
This episode shows that privacy by design is necessary in every type of application development, including for noble causes like stopping a pandemic. The Data Protection Authority has reached the same conclusion as the tech community and the privacy experts: mass surveillance is not acceptable even under a serious threat, because the danger of abuse is simply too big. Some lessons learned from this discussion should include:
- When creating a data protection impact assessment, include the cases where malicious actors take control of the asset and where the collector itself abuses the data. Assessing only the privacy impact of the intended use of the processing is not sufficient. Building a threat model should be considered an essential step in the impact assessment for any processing of personal data.
- Collect the opinions of the data subjects in the early phases of the project. For privacy trade-offs to be valid and trusted by the data subjects, their opinions must be heard and taken into account. When you have made a plan that affects the lives of others, you will not see every disadvantage from the inside. When creating technical solutions we need to involve the users in the design process.
- Transparency: when creating a potentially controversial solution, be transparent about the choices that are made, about the technology, and about the security engineering principles and methods. Not every app needs to be open source, but claiming an app is safe because its source code is closed is not a valid argument.