Most of us thought Smittestopp, the Norwegian COVID-19 app, was dead and gone after the international media attention that followed Amnesty's ranking it among the three apps "most dangerous for privacy", and after it was shut down by the Norwegian Data Protection Authority... not so!
A little while ago, Simula (the producer/supplier of Smittestopp on behalf of the Norwegian Institute of Public Health) released a self-initiated "report" (only available in Norwegian) entitled "Comparison of alternative solutions for digital contact tracing" (directly translated from Norwegian), in which they essentially evaluate their own work. In it, they attempt to absolve themselves of any responsibility or wrongdoing.
The report makes several claims, including:
- That Google collects data that identifies person and location. This references a paper from Trinity College Dublin detailing potentially problematic analytics/telemetry collected via Google Play Services, including IMEI, WiFi MAC address, email address, handset IP address, etc.
- That "the criticism was always based on views related to privacy, but was to a small extent related to the question of whether a distributed solution would work as well as a centralized solution. The technological challenge associated with digital infection detection is finding a good balance between effective infection detection and privacy, but the Norwegian debate was mainly about privacy. Thus, the problem appeared to be significantly narrower than it actually is." (translated)
- "The driving factor behind the criticism of Smittestopp was the potential for harm that lies in the fact that data on the population's way of life was stored centrally for up to a month. There was a fear that data would fall into the hands of unauthorized persons, or that the authorities would use the data for purposes other than those authorized by law and regulations."
- With regards to Play Services: "... and with a potential future version of Smittestopp not using GPS, the data collected by Google will be clearly more intrusive than a future Smittestopp will be."
- "The risk that data may go astray from Smittestopp or from Google appears to be comparable. Google is one of the most professional players in the world when it comes to data security. Data from Infection Control was stored in Microsoft's server park in Ireland, and was monitored 24 hours a day by Mnemonic."
- "The big difference between the solutions, however, lies in what data is allowed to be used for. Data from the Smittestopp could only be used for contact tracing and for the acquisition of knowledge to combat the pandemic. Furthermore, it was required through regulations that all data from the Smittestopp should be deleted after one month. We are not aware that similar restrictions apply to data collected by Google."
- They dedicate a chapter to "Technology power and technology risk".
- With regards to monitoring the population: "There is reason to assume that integration of these functionalities in the same app will lead to the functionality for monitoring being used more than if it were a separate app only for monitoring. This is because monitoring alone will to a small extent provide an incentive for the individual citizen to download another app. Furthermore, there is reason to fear that it will give a significant skew in the data, in that only those who are basically inclined to follow orders and wishes from the authorities who would download the app. The ideal would therefore be if these two functionalities are integrated in the same app also in the future."
- Regarding efficacy: "The assessment of how intrusive Smittestopp and other tracking solutions are in the individual's privacy must be seen in relation to the potential value they have in fighting the pandemic."
- They appear to attempt to connect the problematic data sent via Play Services to the GAEN protocol itself, and to compare this with the design and architecture of Smittestopp (beyond compiling and correlating datasets; as I understand it, Google itself does not have access to the infection keys), and then to problematize this politically.
- "As of today, the solutions appear to be quite similar in terms of both performance and the data that is collected [...] However, the most crucial questions are of an administrative and political nature."
In other words: quite a lot of errors and questionable statements. They are clearly trying to save face and clear their name, and there still appear to be basic things they have not understood.
They keep referring to the potential for abuse. That is certainly part of a privacy impact assessment, but they still seem not to understand that the privacy intervention happens at the point of data collection itself, not only when the collected data is later misused.
Telemetry/analytics is nothing new, not even in the case of Google Play Services, though the data described in that paper is clearly identifiable, and a pretty bad case.
It might be true that a version of Smittestopp that does not use GPS data could be less invasive than a GAEN (Google/Apple Exposure Notification) solution running on Google's platform (as this Play Services data collection is only seen on Android), but this would only be true for certain if it were a decentralized app. Not collecting location data is surely less invasive, but collecting everyone's data all the time (as opposed to data from those with a confirmed infection) is still more invasive than what seems strictly necessary for contact tracing, and in breach of numerous recommendations and best practices.
As for the claim that the risk of data going astray is comparable between Smittestopp and "from Google": it does not really make sense. Under the GAEN protocol, Google has no data. If they are talking about what is collected via Play Services, that is another, unrelated matter, and it is still not necessarily comparable: Google both owns its storage platform (which could be compared to the cloud platform on which Smittestopp's services ran) and has extensive experience and competence in building these sorts of solutions, as well as in privacy engineering and security engineering itself. The same cannot be said for Simula, as can be gleaned from publicly available documentation and reports.
With regard to what the collected data is allowed to be used for, GAEN does not provide Apple or Google with any data. To my knowledge, health authorities must themselves run the servers under GAEN, to which the diagnosis keys of confirmed-infected users are uploaded; every other phone downloads those keys and does the matching locally. What is collected via Play Services is another matter.
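To make the architectural point concrete, here is an added toy simulation (an illustration for this post, not code from Smittestopp, Simula, or the GAEN SDK) contrasting what a server learns under the two designs: a GAEN-like decentralized scheme where only confirmed-infected users upload a daily key and matching happens on the phone, versus a centralized scheme where every phone uploads its contact log. It assumes a daily key per phone and a rolling identifier per 10-minute interval; the identifier derivation is simplified (HMAC stands in for GAEN's AES step), and the names, keys, and contacts are constructed.

```python
"""Toy model of decentralized (GAEN-style) vs centralized contact tracing.
Constructed example: names, keys and contacts are made up; the identifier
derivation is a simplification of GAEN (HMAC replaces AES so that no
third-party library is needed)."""
import hashlib
import hmac
from dataclasses import dataclass, field

INTERVALS_PER_DAY = 144  # GAEN rotates the broadcast identifier every 10 minutes


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 16) -> bytes:
    """Minimal HKDF-SHA256 (RFC 5869) with an empty salt; one output block suffices."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def rolling_id(tek: bytes, interval: int) -> bytes:
    """Rolling identifier for one interval, derived from a daily Temporary
    Exposure Key. GAEN derives an RPI key with HKDF and then runs AES-128 over
    the interval number; HMAC replaces AES here (assumption for this example)."""
    rpik = hkdf_sha256(tek, b"EN-RPIK")
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(rpik, msg, hashlib.sha256).digest()[:16]


@dataclass
class Device:
    name: str
    tek: bytes  # today's key; leaves the phone only if the user reports a positive test
    seen: set = field(default_factory=set)  # identifiers heard over Bluetooth

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.tek, interval)

    def exposed_to(self, diagnosis_keys) -> bool:
        """On-device matching: re-derive every identifier a reported key could
        have produced today and check it against what this phone heard."""
        return any(
            rolling_id(tek, i) in self.seen
            for tek in diagnosis_keys
            for i in range(INTERVALS_PER_DAY)
        )


def simulate_contacts(devices, contacts):
    """contacts: (name_a, name_b, interval) triples for phones that were in range."""
    by_name = {d.name: d for d in devices}
    for a, b, interval in contacts:
        by_name[a].seen.add(by_name[b].broadcast(interval))
        by_name[b].seen.add(by_name[a].broadcast(interval))


def decentralized_server(devices, diagnosed):
    """GAEN-style: the health authority's server holds only keys voluntarily
    reported by users with a confirmed infection, and learns nothing about contacts."""
    return [d.tek for d in devices if d.name in diagnosed]


def centralized_server(devices):
    """Smittestopp-1.0-style: every phone uploads its contact log, so the
    server holds the whole population's contact graph, infected or not."""
    return {d.name: sorted(d.seen) for d in devices}


def run_example():
    # Constructed population and contacts; keys are derived from names so the run is repeatable.
    devices = [Device(n, tek=hashlib.sha256(n.encode()).digest()[:16])
               for n in ("alice", "bob", "carol", "dave")]
    simulate_contacts(devices, [("alice", "bob", 50), ("bob", "carol", 61)])
    diagnosed = {"alice"}
    keys = decentralized_server(devices, diagnosed)
    exposed = {d.name: d.exposed_to(keys) for d in devices if d.name not in diagnosed}
    central = centralized_server(devices)
    return {
        "decentralized_server_keys": len(keys),
        "centralized_server_records": sum(len(v) for v in central.values()),
        "centralized_server_users": sum(1 for v in central.values() if v),
        "exposed": exposed,
    }


if __name__ == "__main__":
    print(run_example())
```

Running it shows the asymmetry the report glosses over: the decentralized server ends up with one key (Alice's), while the centralized server holds contact records for three of the four users, none of whom is known to be infected; Bob is flagged as exposed purely by on-device matching, and Carol, who only met Bob, is not.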
Claiming that "the ideal" would be an app that does both contact tracing and monitoring of the population betrays their perspective. From a purely functional point of view (i.e. in a hypothetical vacuum imposing no other requirements) this might be true, but it is telling of how much of the criticism they have understood so far.
Even their description of how to assess the invasiveness of the solution is too simplistic. There is a trade-off between individual privacy and societal utility, but this is not the whole picture. Even if mobile apps could undoubtedly solve the problem they attempt to solve (which is not certain) and even replace manual contact tracing entirely (nothing points to this, rather the contrary), one might not need 100% correctness to perform contact tracing to a sufficient extent.
There is an interesting discussion to be had about international power dynamics, private companies dictating nation states' technical approach to contact tracing (even though I personally think the practical outcome in the case of GAEN was good, in realpolitik terms), etc., but that is a whole other discussion.
The fact that they construct a problem by connecting this with a separate and unrelated (though admittedly problematic) instance of data collection by Google, and try to play some speculative political game, is just ridiculous... especially given that they infamously attacked the expert group's integrity when we delivered our public report, claiming that our conclusions were based on personal opinions and that our recommendations were politically motivated.
- the total lack of self-criticism (English Google Translate)
- the continued arrogance (English Google Translate)
- that data collection from Play services is neither new nor surprising (English Google Translate)
- the sorry state (English Google Translate) of privacy and privacy consciousness in Norway
The last of these pointed to Amnesty International's damning report on Smittestopp, which prompted a response (English Google Translate) from Kyrre Lekve (Simula), which – of course – attacked both Amnesty and the author of the piece.
He has since given a presentation to students at the University of Oslo, where he was asked what Simula thought of Amnesty's report. His response was:
We think it was garbage! It is a lousy piece of work on Amnesty's part. They are abusing their power. They are very credible. They have abused that credibility. In our view, those conclusions from Amnesty are very ill-founded. Either they have been influenced by an activist agenda or they have done it to get attention, and both are unprofessional and indefensible. Both we and the [Norwegian Institute of Public Health] perceived Amnesty's report as academically extremely weak.
I think this looks extremely unprofessional, to put it mildly. Much of Amnesty's criticism was already well known, and is very similar to e.g. the EU Commission's recommendations on apps for contact tracing, the EU resolution on coordinated work against COVID-19, and the guidelines from the European Data Protection Board (EDPB), as well as to issues pointed out both in the expert group's final public report and in the independent petition. Part of this is basic privacy engineering and privacy as a subject. Unfortunately, the statement joins the ranks of attacks, accusations and excuses that have formed a large part of the response to critical input, perhaps in an attempt to save reputation. The question is: is it more likely that the rest of the world is wrong, or that some of the criticism is worth addressing?
It is all made more difficult by the fact that people seem to be discussing from different premises, or understand privacy differently on a basic level (see, for instance, earlier statements suggesting that interventions become less serious in regimes that can be trusted, etc.). Given the strong emotions we see in this extended debate, reaching common ground seems difficult.
One would think everyone would like to put Smittestopp "1.0" behind us, and that this is in everyone's best interest. Attempting to solve the problem and make a decent app, rather than bickering about the past, is undoubtedly our most productive alternative. And it is pretty remarkable to want to antagonize Amnesty.