A final post about Smittestopp

It's been a long time since my last post.

A lot has happened since then, but I thought I'd summarize what looks to be the end of the saga of Smittestopp, the Norwegian Covid-app.

For more info, I recommend reading this and this post from the Peace Research Institute Oslo about Smittestopp.

In short:

  • Norway finally has its very own defensible Covid-app (with a responsible privacy impact), based on Google and Apple's ExposureNotification framework.
    • There was only one response to the Request For Proposal, none of which were from any of the many vocal critics of the first app, nor any other Norwegian companies (most, when asked, stated risk of reputation and too little time to make the right people available).
    • The Danish consultancy Netcompany (who made the Danish national covid-app) was chosen – which seems like a good idea given the probability of code reusability. This project has been the total opposite of the last, with source code publicly available on GitHub and a public Slack for discussions and contributions.
    • The Norwegian implementation relating to authentication post-diagnosis/pre-upload included making an identifying login to a public service...
    • This would make it possible for the authorities to connect the user identity with the uploaded data, and potentially make social graphs of identified users and so on (at least in theory) – which made me argue, on the Slack for people who signed the independent appeal regarding the first app, that the suggested token system could trace users (I had no issues signing the appeal, as its suggestions were uncontroversial, based on industry best practices, and more or less in line with what our expert group had recommended to the government).
    • After verifying this, Tjerand Silde and Martin Strand wrote a suggestion for an alternative, private token system. The Norwegian consultancy Bekk has a whole blog post about this.
  • The Norwegian Institute of Public Health (FHI) and the Minister of Health have consistently made remarks that make me think they know very little about privacy, still haven't understood what all the fuss was about, feel they have done no wrong and think we should have kept at it with version one – even going so far as stating they disagree with our Data Protection Authority's decision to shut it down, claiming it would be immensely valuable, that privacy was well taken care of, etc.
  • Simula is still peddling their nonsense at any opportunity they get, including at self-hosted seminars, in the media and at conferences:
    • They keep claiming they wanted to help when asked, even though it is known that "It was Simula who contacted FHI to offer help"
    • They keep claiming this was "groundbreaking work", even though neither the technologies nor the privacy issues were new in themselves (both exposure notification and privacy-preserving techniques were not new in March) – which strengthens my suspicion that there was no privacy competency (or in some cases even knowledge) on either the customer or the supplier side.

Though one might see this continued insistence on pushing their own narrative as an attempt at saving face, I fear Simula has such a poor understanding of privacy (and privacy engineering) that they genuinely believe that minimum-effort, basic auth measures from the security field equal privacy.

* Insert rant about data protection != data privacy here *

Especially when looking at Olav Lysne's (Director of Simula, leader of the Lysne committees that proposed what amounts to metadata bulk collection / mass surveillance in Norway – which is a post for another day...) or other Simula execs' statements from earlier last year. At the same time, some of their communications have been marked by rewriting history – which is sad, because who (that has no deep knowledge of any of the relevant subjects themselves) will be able to tell what really happened and how many things went wrong a few years from now, if Simula has gained a majority coverage in reputable media for their alternative narrative?

And that would be a big problem. Our goal must be to not get into this situation again, and to reach that goal it is important that the public debate reflects the realities of the subject. The problem of giving every side a "fair coverage" in this debate (as with e.g. climate change) is that we're left with a sort of false balance – which could be interpreted as there being two equal sides of this story...

Here's hoping this is the final time I have to hear about the embarrassing initial handling of digital contact tracing in Norway.
