According to the Norwegian Data Protection Authority (Datatilsynet), the app, known as Smittenstop — Norwegian for “Infection stop” — was shown to collect “large amounts of personal information” about its users. This included their location data as well as information about their contact with others.
In response, the Norwegian Institute of Public Health (NIPH) stated that they would comply with Datatilsynet’s assessment even though they disagreed with it.
“We do not agree with [Datatilsynet’s] assessment, but now we have to delete all data and pause work as a result of the notification,” Camilla Stoltenberg, NIPH director, said in a statement.
Officially launched in April, Smittestopp was being tested in three municipalities before it got halted and the collected data deleted.
According to Stoltenberg, the decision to cut the app’s testing not only “weakens” an important part of Norway’s preparedness for an increased spread of COVID-19, but also reduces their ability to fight off the current ongoing infections.
“The pandemic is not over. We have no immunity in the population, no vaccine, and no effective treatment,” Stoltenberg said. “Without the Smittestopp app, we will be less equipped to prevent new outbreaks that may occur locally or nationally.”
Datatilsynet disagreed, noting that the restricted spread of coronavirus in Norway, as well as the app’s limited effectiveness due to its small userbase, meant that its use could no longer be justified in the face of rising privacy concerns.
According to data obtained by TechCrunch from the NIPH, the app had been downloaded 1.6 million times and had around 600,000 active users — roughly 10 percent of Norway’s population — as of early June.
The country’s caseload is also on the lower end of the scale. As of press time, Norway has a total of 8,751 confirmed infections and 248 deaths according to data from Johns Hopkins University.
“We believe that [NIPH] has not demonstrated that it is strictly necessary to use location data for infection detection,” Bjorn Erik Thon, director of Datatilsynet, said in a statement posted on their website this week.
Unlike most other national coronavirus tracking apps currently in use in Europe that use Bluetooth signals to estimate user proximity, Smittestopp tracks its users’ real-time GPS location data. (Related: The US government thinks that fighting coronavirus requires spying on your phone’s data.)
Furthermore, Datatilsynet noted that the app's developers opted to use a centralized app architecture. This means that user data is uploaded to a central server controlled by the health department, instead of being stored locally on the user’s device.
Another potential problem with the app is it’s intrusiveness.
According to the digital privacy watchdog, the app’s users currently do not have the ability to limit the use of data it harvests to coronavirus contact tracing only. Instead, users have no choice but to agree to have their personal information used for research purposes — a violation of Article 5 of the E.U.’s General Data Protection Regulation law.
UK-based rights group Amnesty International has since hailed the cancellation of Norway’s Smittestopp as a major win for privacy.
“The Norwegian app is deeply intrusive and puts people’s privacy at risk. It is the right decision to press pause and go back to the drawing board to design an app that puts privacy front and center,” Claudio Guarnieri, head of Amnesty International’s Security Lab, said in a statement published on the group’s website.
While the Norweigian government has decided to put Smittestopp on hold, other European countries, such as Germany, France, Switzerland, Latvia and Italy have pushed through with the release of their own contact tracing apps.
The latest on how different nations are handling the pandemic is available at Pandemic.news.