None of seven proposed corona apps meets privacy criteria, says legal advisor
None of the seven apps proposed by the government as potential solutions for tracking corona patients meets the criteria for privacy, according to the attorney general Reimer Veldhuis.
Veldhuis was asked to assess all seven contenders against Dutch privacy law as part of the evaluation over the weekend. He said the speed of the process and the limited information available made it impossible to say if the proposed apps met the legal standards.
‘That doesn’t mean that they are unable to meet the requirements of the [privacy law] AVG,’ he wrote in a six-page report. ‘That would require further development and more detailed implementation of the proposals.’
Around 750 companies responded to the government’s request for help developing a ‘track and trace’ app which will alert people if they have been in the vicinity of a Covid-19 patient. Health minister Hugo de Jonge plans to make the final selection known in the next update on the coronavirus restrictions on Tuesday evening.
De Jonge has said that maintaining privacy will be a key condition of any corona tracking app. The cabinet wants the software to be used on a voluntary basis, but has not ruled out making the app compulsory to meet its target of 60% take-up.
Privacy campaigners have raised concerns about whether the app will protect users’ anonymity and have queried its effectiveness, while security experts say the speed at which the app is being rolled out could leave it vulnerable to hackers.
On Saturday a group of nine experts dropped out of the assessment process, complaining of a lack of transparency and guidelines. RTL Nieuws reported that the source code for one of the contenders, Covid19Alert, included links to the personal details of 200 users of another app.
Veldhuis was asked to assess the seven contenders against a number of criteria including anonymity, accuracy, transparency and whether the app would be deleted once it was no longer required.
He said all the apps met the standards for anonymity, transparency – whether users could report mistakes and weaknesses in the system – and data deletion.
However, the use of Bluetooth networks could lead to ‘false positives’ as Bluetooth signals can be transmitted through walls and glass panels, raising questions about accuracy.
Veldhuis also said the risk assessment process needed to be developed further to see if it met the standards for data minimalisation. Some proposed apps alerted users directly if they had been in contact with an infected person, which risked identifying the patient, while others issued general alerts about where patients had visited. The latter carried a smaller risk of breaching privacy, the attorney general said.
All the proposed apps kept central databases of users’ contacts which could be shared with local health boards (GGDs). Veldhuis said more development was needed before he could assess if these processes complied with the rules about seeking users’ consent and limiting data sharing.
Thank you for donating to DutchNews.nl.
We could not provide the Dutch News service, and keep it free of charge, without the generous support of our readers. Your donations allow us to report on issues you tell us matter, and provide you with a summary of the most important Dutch news each day.
Make a donation