Norway: Halt to COVID-19 contact tracing app a major win for privacy

The Norwegian government’s decision to stop using its COVID-19 contact tracing app is a major win for privacy and comes hours before Amnesty International releases a damning analysis of the app.

On Tuesday, Amnesty International is publishing analysis of contact tracing apps from Europe and the Middle East and North Africa which found the Norwegian ‘Smittestopp’ app to be one of the most alarming for privacy. This is due to its live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server. On 2 June, Amnesty International shared its findings with the Norwegian Ministry of Justice and Public Security, the Norwegian Institute of Public Health and the country’s data protection agency. Amnesty International also met with the head of development for the ‘Smittestopp’ app on 10 June.

“The Norwegian app is deeply intrusive and put people’s privacy at risk. It is the right decision to press pause and go back to the drawing board to design an app that puts privacy front and centre,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab.

“We were so alarmed by how invasive the app is in its current form that we shared our findings with the Norwegian authorities and urged them to change course. There are better options available that balance the need to trace the spread of the disease with privacy, and we hope the authorities take this opportunity to do just that.

“This episode should act as a warning to all governments rushing ahead with apps that are invasive and designed in a way that puts human rights at risk. Privacy doesn’t need to be a casualty in the roll-out of these apps.”

Background

On Tuesday, Amnesty International is publishing the key findings of analysis by its Security Lab of contract tracing apps from Europe and Middle East and North Africa, including a detailed technical analysis of 11 apps in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia and United Arab Emirates. 

Contact tracing is an important component of effective pandemic response, and contact tracing apps have the potential to support this objective. However, in order to be human rights compliant, contact tracing apps must, among other things, build in privacy and data protection by design, meaning any data collected must be the minimum amount necessary, and securely stored.

All data collection must be restricted to controlling the spread of COVID-19 and should not be used for any other purpose - including law enforcement, national security or immigration control. It must also not be made available to any third party or for commercial use. Any individual decision to download and use contact tracing apps must also be entirely voluntary. Any data collected must remain anonymous, including when combined with other data sets.