‘All the corona apps have flaws’

Minister Hugo de Jonge of Health, Welfare and Sport said two weeks ago that the Cabinet wanted to issue two apps – one for tracking and one to monitor health – that would help contain the further spread of the coronavirus. The plan met immediate resistance. A group of more than 60 scientists called on the government to look critically at the purpose and the need for corona apps. In an open letter, they pointed out the social, societal and legal impacts of the apps. They believed that not enough thought had been given to the purpose and need.

It seemed to be an over hasty effort. That impression was confirmed last Thursday. A chaotic selection procedure resulted in a shortlist of the seven apps with the most potential. About 40 experts helped the Ministry sift through a list of 63 proposals. One of them was Professor of Cyber Security Michel van Eeten (TPM).

You say that the selection procedure was chaotic. In what way?
“It was completely unclear what the apps were supposed to do. We did not have a list of criteria so it was really hard to assess them. And the descriptions of the apps were so sketchy, often just a few A4s. There were no source codes which you need to check how privacy would be secured. We were put under tremendous pressure – we were in a pressure cooker. We only had one day in which to assess all the apps. Some chose the apps that collect the personal data of users and send them to the Government. They thought that this was useful, but I don’t think that that was the intention. In short, everyone just did what they thought was best. All the apps have flaws. There are a couple of real amateurs on the shortlist. To give you an example, a data leak was immediately found on the Covid19 Alert corona app.”

Who were the experts with whom you worked?
“We were divided into groups of five. My group included someone from the GGD (Community Health Services) and from the patient federation. I was the only one who knew anything about technology. I think that some groups did not even have any IT experts, judging by the comments that I heard. Each group was given seven or eight proposals to assess. My group ultimately had double that as we were short of one group. So I saw 15 of the 63 proposals. We didn’t see the others, not even a list. There were originally 700 submissions which the Ministry itself had cut down – how, I don’t know. I do know that there were large professional groups in the submissions such as Fox-IT. A company like that really has the relevant expertise. But to my surprise they were dropped quickly.”

The Data Protection Authority questions whether it would actually accept an app. And it needs to give its authorisation. Do you understand their position?
“Yes, the Data Protection Authority must check that everything is done in proportion. And you can only do that if you have clearly defined what the purpose of an app is. That has not yet been defined. And this applies to other legal criteria too. Too little is known about the apps, and they’re not even ready yet, to decide if they fall within the legal framework.”

What is the position in terms of privacy guarantees, do you think? Can privacy be guaranteed with a corona app?
“Yes, in principle. There is a promising protocol, the DP3T [this allows data to be stored locally and only after confirmation of infection sent to a server without supplying personal data, ed. TvD]. Apple and Google have not yet built this into their operating systems so apps with DP3T technology won’t work on iOS and will only work on Android with confusing app authorisations. But Apple and Google are working on this. Their operating systems must be adapted by mid-May. I asked some civil servants at the Ministry why we were not developing the apps in parallel with Apple and Google. The answer was that it would take too long. The apps had to be ready before that. This is utterly unrealistic. Apple and Google have the best programmers in the world and are many, many times bigger than the developers with whom the Ministry is working. And the two companies say that they themselves need at least one-and-a-half months to just develop one part of the software required. But the Ministry thinks that we can have an entire app ready in a couple of weeks and that’s why they don’t want to wait for Apple and Google. It’s crazy. I think the Ministry realises this now and is starting to change its mind.”

Update 22-4:

The minister of Health, Welfare and Sport informed parliament today that a new app will be developed over the coming four weeks. The source code of this app will be made public and the app shoud not harm privacy.