Experts find privacy and security issues in Norwegian contact tracing app


In its final report, the expert group appointed by the Norwegian Ministry of Health and Care Services to assess the security and privacy of the country's COVID-19 contact tracing app, "Smittestopp", concluded that the app handles neither responsibly. The group recommended removing all data once it's not needed (15 to 16 days for location data, for example), implement differential privacy, open the source code wherever possible, and regularly reevaluate the app against its two purposes: contact tracing and evaluating government actions to lower infection rates. A statement signed by Norwegian security and privacy experts provided principles for going forward in order to ensure public trust: split contact tracing and research apps; minimise data collection; embrace transparency; and implement privacy by design. Although 1.5 million people downloaded the app in April, only 900,000 were active users by the end of that month, and by mid-May that had dropped to 750,000.

Writer: Eivind Arvesen; Joint Statement; Bjørn Ihler
Publication: Eivind Arvesen blog; Joint Statement Norway; Twitter