Tuesday, 3 November 2020

The Norwegian Covid-19 tracing app experiment revisited

by Kristin B Sandvik

In my Big Data & Society commentary ‘Smittestopp: If you want your freedom back download now’ (published on July 28, 2020 within the Viral Data symposium) I mapped out the first phase of the Norwegian version of a Covid-19 tracing app. My goal in the commentary was to “engage critically with the Smittestopp app as a specifically Norwegian technofix ... co-created by the mobilization of trust and dugnaðr, resulting in the launch of an incomplete and poorly defined data-hoarding product with significant vulnerabilities.” Since I submitted my final version of the commentary the app went down in flames and a rancorous domestic blame game ensued, only for the app to be rescheduled for a phoenix-like rebirth in late 2020.

In this blog post, I want to contemplate a set of issues pertaining specifically to the legacy of Smittestopp, but of relevance to other Covid-19 tracing apps. This relates to how democratic government actors respond to criticism of digital initiatives in the context of emergencies; and the type of challenges civil society actors face in holding public and private sector actors accountable. For context, I begin by giving a recap (a longer version here) of the rise and fall of Smittestopp. All translations from Norwegian are my own.

The rise and fall of Smittestopp

April 16, 2020, the Norwegian COVID-19 tracking app Smittestopp was launched to great fanfare. The Ministry of Health, the Norwegian Institute of Public Health (NIPH), the developer of Smittestopp, Simula – a government founded research laboratory (and thus a public entity) – and the prime minister, Erna Solberg, underscored the civic duty to download the app. Norway’s total population is 5.3 million. At the time of the launch, “enough people” was thought to be 50–60% of the population over the age of 16. At its height, the app had almost 900 000 active users. By the end in early June, it had been downloaded 1.6 million times.

Starting weeks before the actual launch of the app in Mid-April, the Norwegian Data protection Authorities (DPA), part of the media, some politicians and a large slice of the domestic tech community had grown exasperated with the procurement processes, functionalities, and designated application of Smittestopp. From the launch date, the app was hampered by technical problems and subjected to a deluge of criticism from self-organizing members of the Norwegian tech and data protection community for being experimental, intrusive, non-transparent, relying on unfounded techno-optimism and abusing trust. As succinctly phrased by a tech activist, the grievance was that NIPH /Simula did not listen to experts, and “made a surveillance app with infection tracing, not an infection tracing app”.

By June 12, DPA issued a formal warning to the NIPH that they were considering a temporary ban on the app due to the app being disproportionately intrusive with respect to personal data. By June 15, the NIPH stopped collecting data, declaring that this meant a weakness of preparedness against increased infection rates as we are ‘loosing time to develop and test the app’, and at the same time loosing our capability to fight the spread of COVID-19. By June 16, Amnesty published a report declaring that “Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19”. On July 6, the DPA issued a temporary ban on the app. September 28 it was finally over. The Minister of Health, Bent Høie, clarified that 40 million Norwegian kroner of the taxpayer money and months of work had to be scrapped and that a new app would only be ready by Christmas.

Dealing with criticism while Norwegian

While the heated online and offline exchanges over why Smittestopp failed and who was to blame are best described as mudslinging, they also shed light on how Norwegian government actors – rightly praised for the Covid-19 response and generally unaccustomed to international condemnation – respond to criticism of digital initiatives in the context of emergencies. After the cancellation of Smittestopp, Simula launched a determined effort to manage the post-Smittestopp narrative, through the publication of a document dedicated to absolving themselves of most criticism, and forceful media engagement, including friendly reporting and less friendly tirades at twitter and elsewhere about the flaws of both criticisms and critics. Similarly, the health authorities have also been curiously unwilling to accept the legitimacy of the criticism of the legality of the app and the reasons for why it was banned. The storyline projected in these engagements is worth summarizing.

Blaming Big Tech. According to what can best be described as a ‘blaming Big Tech narrative’, Smittestopp was on a path to become a feat of digital innovation but was undermined by opposition from Google and Apple, effectively rendering nation states helpless in the face of the tactics and strategies of Big Tech. Simula contends that “The unique experience of developing Smittestopp in collaboration with the authorities in other countries and Europe's top technologists has been a reminder of how helpless national states can become in the face of global IT companies”, with reference to a critical report (here) on the privacy problems with Google Play from Trinity College. It’s vital for nations to regulate Big Tech – but the lack of adequate regulation was not why Smittestopp failed.

Blaming Amnesty. For a country that prides itself of being a humanitarian superpower and human rights trailblazer, the domestic human rights sector has been curiously silent with respect to the governments Covid-19 efforts, and Smittestopp in particular. When international actors entered the ranks of the critics, further acrimony ensued. Simula has tussled with Amnesty international, suggesting that the organization was not up front about its criticism when the organization initially made contact with the government and called the report from June for “absolute trash”, stating that it’s a report of “exceptionally low quality”, and that Amnesty is abusing their position and power, providing poorly documented conclusions and behaving in an unprofessional manner, letting itself be abused by activists (!), stating that “the meaninglessness of their claims is high as the sky” (the audio file in Norwegian is here).

Blaming the DPA. In radio and television appearances by NIPH and the Minister of Health following the formal cancellation of Smittestopp, the minister of health blamed the DPA for the Smittestopp fiasco arguing that the solution being worked on in June would have effective and complied with data protection regulations. This also meant that the health authorities did not get access to important COVID-19 tracing data. The Minister and NIPH furthermore disagreed that the app was illegal and would like “clearer advice” in the future. The head of the DPA replied that it was not a lack of advice but things the stakeholders themselves did as well as the inability to document the utility of the app which made it disproportionately intrusive and thus illegal- and that the law applies, also in times of national emergencies.

The future of civic activism in emergencies

The passion with which activists, technologists, bureaucrats and scholars have fought against the app, and the strongly worded accusations flying from both sides also suggest that for the rule of law and democratic accountability, struggles over personal data and privacy will continue to get fiercer. The lack of interest in adopting a lessons learned perspective, the absence of humility, the governments continued and willful misunderstanding of how GDPR – and the DPA – works, and the branding of critics as selfish, abusive and cowardly have been an extraordinary spectacle to watch. As observed by a tech activist:

“We have a high level of trust in the state and the government – because the government rarely demands more of its citizenry than is deemed reasonable. Simula, on the other hand, acts if this trust gives us the opportunity to intervene into the private sphere in ways we would call scary if undertaken by a country like Russia or even Great Britain.”

However, an important takeaway from this controversy is what this suggests about the future of civic activism in a country like Norway, which is not historically home to strong foundations, labs, non-profits or grassroots NGOs focusing on holding actors democratically accountable in the digital domain. From early March, individual data activists have been using the Freedom of Information Act to painstakingly map government, Health authorities and DPA interaction on Smittestopp. The focus has subsequently turned to efforts to get access to code and to data sets. At present, work is ongoing to clarify what exactly is going on with the remnants of the Smittestopp infrastructure. This attention to the zombification of data structures post-app is important: Across the globe, Covid-19 apps have collected an enormous amount of data. Governments must be held accountable for mission and function creeps – and for what happens when the apps are set on the path to digital graveyards. This creates questions about what new types of challenges to competencies and methods the established civil society and academia are facing and should be ready to meet.

Smittestopp is dead! Long live Smittestopp!

What have we learned from all of this? While Smittestopp is small fry, it is also an instructive illustration of the affordances of the crisis-label and the pitfalls of digital transformation in a highly digitized society. The experiment now continues. The preferred solution for the new Norwegian app is GAEN (Google and Apple Exposure Notification), with data stored mostly locally. Possibly due to the public brouhaha, the tender process only received one offer – which was accepted – from the Danish NetCompany, the developer of the Danish Covid-19 tracing app also called ‘Smittestopp’. After a public vote of sorts, it is clear that the second installment of the Norwegian app-experiment will also be called Smittestopp. The regulations for the initial app were repealed October 9 and no regulations have been issued for the new app. Netcompany has emphasized the importance of better public communication – but as this blog has illustrated, public engagement on the legality and legitimacy of digital interventions and figuring out the how-to of this – remains more important than ever.