On April 16, 2020, the Norwegian COVID-19 tracking app Smittestopp was launched to great fanfare. The app was presented as crucial to the effort of saving lives and curbing infection rates. On September 28 it was finally over, although the post-mortem dissection of the app has been unusually acrimonious for the Norwegian context. Smittestopp 1.0 will be replaced at the end of the year by what is provisionally known as “Smittestopp 2.0”. Because the struggles over problem diagnoses (is the problem the app or something else?), what’s at stake and who is responsible have been so contentious, greater clarity about the what, when, how and why of Smittestopp 1.0 is needed to move the debate forward. By providing a narrative timeline, this post also contributes to strengthening accountability and transparency in future evaluations of digital responses to COVID-19.
Following up on previous blogposts (here and here) and interventions chronicling the development and implementation of the app, this blog post maps out three moments of the life cycle of Smittestopp – here dubbed ‘game on’, ‘game over’ and ‘blame games’ – and uses this chronology to frame a set of questions on pandemic governance, digital transformation and democracy.
Back in April 2020, the Ministry of Health, the Norwegian Institute of Public Health (NIPH) and the developer of Smittestopp, Simula – a government founded research laboratory – strongly encouraged the population to download the app to get “its freedom back”. On 16 April, after a few weeks of intense research and development, the Norwegian government launched the Smittestopp app. The app was designed to “see who has been in the proximity of infected persons, thus helping to curb transmission”. Smittestopp was presented as “an app that helps the health authorities to limit the transmission of Coronavirus” by producing “anonymized data about movement patterns in society” which are “used to develop effective infection control measures”. The legal basis for the app was “the Regulations on digital infection detection and epidemic control in connection with an outbreak of COVID-19” of 27 March (based on the 1994 Act relating to control of communicable diseases), which will remain in force until 1 December 2020. There was no public consultation and the app was not debated by the parliament.
Work on the app had started in early March: through a process of transnational and domestic elite networking, the NIPH and the Ministry of Health decided that a COVID-19 tracing app was required – and Simula appeared as ready and willing to contribute to the development of the app, taking immediate steps to secure legal advice on the permissibility of avoiding a public tender process. A team consisting of NIPH, Simula, Shortcut, Scienta and the directorate of E-health, with assistance from the Norwegian Research Council, developed the app. The app was tested in middle-sized urban locations – Trondheim, Drammen, Tromsø (but not in the capital Oslo) – starting ten days after the nationwide launch. The prime minister, Erna Solberg, underscored the civic duty to download the app: “Personally, I believe that if we are to get our everyday life and freedom back, as many people as possible need to download the app”. Norway’s total population is 5.3 million. At the time of the launch, “enough people” was thought to be 50–60% of the population over the age of 16. At its height, the app had almost 900 000 active users. By the end in early June, it had been downloaded 1.6 million times.
As the infection rate dwindled, lockdowns were eased, the economy stayed afloat and mortality rates remained low, popular support for the app declined as well. However, despite assertions to the contrary, Smittestopp’s main problems were not primarily related to a lack of infected individuals to trace.
Starting weeks before the actual launch of the app in mid-April, the Norwegian Data Protection Agency (DP), part of the media, some politicians and a large slice of the domestic tech community had grown increasingly frustrated with the procurement processes, functionalities and designated application of Smittestopp. From the launch date, the app was beset by technical problems and subjected to a deluge of criticism from self-organizing members of the Norwegian tech and data protection community for being experimental, intrusive, relying on unfounded techno-optimism and abusing trust. As succinctly phrased by a tech activist, the grievance was that NIPH/Simula did not listen to experts, and “made a surveillance app with infection tracing, not an infection tracing app”.
The app drained batteries, users had problems downloading and operating the app, it was collecting an enormous amount of data not obviously required for individual infection tracing, and there were concerns about security. Three sets of issues were particularly controversial:
- Technology: The app had a closed source code and there had been little openness about the decision to combine GPS and Bluetooth and store data centrally.
- Data protection: The app was accused of collecting and storing too much personal data, including of non-infected citizens and of performing badly with respect to anonymity – and its developers and owners of having little regard for privacy issues and a poor grasp of data protection law.
- Crisis communication: There was a lack of transparency about the dual purpose of the app: while there was a significant public emphasis on life-saving infection tracing, the app’s second function, data collection for research on contact-tracing, was much less communicated.
The chorus of critics of the app now grew to include government and international actors. Active resistance against the app now grew stronger. Some of the objections were directed at Simula’s perceived lack of expertise with respect to making apps and on epidemiology and data protection management. A formal complaint against the lack of tender process was submitted to the Norwegian Public Procurement Complaints Board (KOFA). Government faith in the app also seemed to dwindle as it disappeared from the strategic planning for fighting the outbreak in early May. On 19 May activists and commentators from the Norwegian tech community issued an unprecedented joint statement on the app encouraging NIPH “to migrate to and only rely on a system that is privacy preserving by design. . . and that is subject to public scrutiny, as a means to ensure that the citizen’s data protection rights are upheld.” The same date, the Norwegian Data Protection authorities asked for more information about Smittestopp and subsequently opened investigations into the app. On May 20, a government appointed expert group found that security, data protection and privacy guarantees were not adequate. Yet, by late May, the Minister of Health insisted that the app was to be improved, not shelved. Simula, for its part, reacted to the criticism with fury – accusing its critics of being unpatriotic, dishonest, selfish and lacking in compassion – and the members of the expert group of being beholden to their own personal political opinions.
By June 12, the DP issued a formal warning to the NIPH that they were considering a temporary ban on the app due to the app being disproportionately intrusive with respect to personal data. By June 15, the NIPH stopped collecting data, declaring that this meant a weakness of preparedness against increased infection rates as we are ‘losing time to develop and test the app’, and at the same time losing our capability to fight the spread of COVID-19. Simula framed this as a consequence of the low infection rate: “Simula is very pleased with the low prevalence of infection we now have in Norway. We note that the authorities in this situation choose to suspend the collection of data from Smittestopp.” Amnesty International had met with the DP on June 2 and Simula on June 10 to discuss its findings regarding the app. By June 16, Amnesty published a report declaring that “Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19.” On July 6, the DP issued a temporary ban on the app.
The government, the NIPH and Simula subsequently disagreed with Amnesty that Smittestopp’s problems were about human rights and disagreed with the DP that Smittestopp was illegal: the NIPH director stated “the pandemic isn’t over. We do not have immunity in the population, no vaccine, and no effective treatment. Without the Smittestopp app, we are less equipped to preempt new outbreaks locally or nationally”. While the parliament decided that the app was to be split in two, the Minister of Health asked people to “keep the deactivated version of the app on their phones”. (It later emerged that NIPH was advised by the national committee for research ethics before the launch to have split consent for data collection on tracing and research purposes.)
By August, the government was working with three scenarios: first, modifying Smittestopp to integrate user content for both tracing and research data collection; second, a new solution based on the Apple/Google API; or third, an app using the Apple/Google solution with an additional app providing for health data analysis. By mid-September, Simula had still not given up, and suggested that “if NIPH still wants location data combined with infection tracing, this can be solved by launching a version of Smittestopp where the users give two separate forms of consent for infection tracing and research.”
On September 28 it was over. Minister of Health Bent Høie declared that 40 million Norwegian kroner of taxpayer money and months of work had to be scrapped and that a new app would only be ready by Christmas. The preferred solution was now GAEN (Google and Apple Exposure Notification), with data stored mostly locally, and a tender process was to be initiated.
Yet, it was not quite over. The third and final phase in the Smittestopp 1.0 saga has revolved around the struggles over blame after the demise of the first version of the app. Simula has launched a concerted effort to control the post-Smittestopp narrative, through the publication of a document they call “Sammenligning av alternative løsninger for digital smittesporing”, and forceful media engagement on multiple platforms with the help of friendly reporting and ‘tell-all’ stories of how Smittestopp failed as Simula was trying to save lives. The storyline projected in these engagements is worth unpacking.
Simula seems to suggest that low infection rates were the direct precursor for the app’s demise. It has been documented how Simula contacted the NIPH of its own volition to offer its services on March 11. Yet, in the post-Smittestopp narrative, on September 9 the message is that “Simula took a big risk when we agreed to assist NIPH with digital contact tracing in March, this much we knew”.
- Blaming Big Tech. According to what can best be described as a ‘blaming Big Tech narrative’, Smittestopp was on a path to become a feat of digital innovation (‘teknologisk bragd’) but was undermined by opposition from Google and Apple, effectively rendering nation states helpless in the face of the tactics and strategies of Big Tech. Simula argues that “The unique experience of developing Smittestopp in collaboration with the authorities in other countries and Europe’s top technologists has been a reminder of how helpless national states can become in the face of global IT companies”. Simula is here relying on a critical report (here) on the privacy problems with Google Play from Trinity College. However, that Google collects personal data has been public knowledge for years, and should not come as a surprise for Simula after reading the Google privacy terms when deploying Smittestopp. It’s vital for nations to regulate Big Tech – but that is a different question.
- Blaming Amnesty. Curiously and disconcertingly, Simula has also opted to get engaged in a fight with Amnesty International, to the evident puzzlement of Amnesty itself. Here it is good to be reminded that Simula is a government founded lab. Stung by the accusation that human rights were ignored in the development and deployment of Smittestopp, Simula has suggested that the organization was not up front about its criticism when the organization initially made contact with the government and called the report from June “absolute trash”, stating that it’s a report of “exceptionally low quality”, and that Amnesty is abusing their position and power, providing poorly documented conclusions and behaving in an unprofessional manner, letting itself be abused by activists: “the meaninglessness of their claims is high as the sky” (the audio file in Norwegian is here). Amnesty has so far replied that they find this ‘puzzling’.
- Blaming the data protection authorities (the DP). In radio and television appearances by NIPH and the Minister of Health following the formal cancellation of Smittestopp, the Minister of Health blamed the DP for the Smittestopp fiasco, arguing that the solution being worked on in June would have been effective and complied with data protection regulations. This also meant that the health authorities did not get access to important COVID-19 tracing data. The Minister and NIPH furthermore disagreed that the app was illegal and would like “clearer advice” in the future. The head of the DP responded that it was not a lack of advice but things the stakeholders themselves did, as well as the inability to document the utility of the app, which made it disproportionately intrusive and thus illegal, and that the law applies, also in times of national emergencies.
Takeaways for democratic technology governance
The narrative presented above represents an initial reading of Smittestopp’s lifecycle. As activists and academics obtain access to the government correspondence on Smittestopp, and we learn more about the political priorities involved, the tale of this Norwegian COVID-19 tracing app will evolve. Here are some tentative takeaways:
Simula’s observation about Big Tech has significant merit on a general level: national health authorities’ dependence on Silicon Valley to protect their population and the enormous regulation deficit are problematic and should be fixed. Yet this was not why Smittestopp failed. Simula has argued that data protection and effective infection tracing are intrinsically opposed, but should we accept this binary? Similarly, Simula also claims that this is about trusting either the government or Big Tech. Smittestopp perhaps tells us that in the context of the digital transformation it is better to trust neither. While we don’t have a national COVID-19 infection tracing app, we seem to have several locally made or sectoral ones, with minimal if any oversight and no public scrutiny. Along with a host of other COVID-19 tracing apps, Smittestopp proved to be a mostly useless technofix. Beyond the particular legal and technical problems with the app, the linkage between testing, isolation and digital tracing needs to be better understood.
Nevertheless: The disinterest in adopting a lessons learned perspective, the absence of humility, the continued and willful misunderstanding of how GDPR – and the DP – works, and the name calling have been an extraordinary spectacle to watch.
In conclusion, the experience with Smittestopp raises important questions for the future of pandemic government as well as the digital transformation of health governance. How are tradeoffs between the risks of infectious diseases and those of digital surveillance to be made? What should be the tradeoff between urgency and compliance with ‘ordinary’ legal regulations in pandemic governance? What do threats to the rule of law look like in the context of future ‘digidemics’? What should civic activism look like?
The chronology outlined above – and the passion with which activists, technologists, bureaucrats and scholars have fought against the app – also suggests that for the rule of law and democratic accountability, struggles over personal data and privacy will continue to get fiercer. From that perspective, perhaps the lasting legacy of Smittestopp will be “game on!” – this time as a marching order for emancipatory struggle.
- This chronicling of events would not have been possible without help from a large group of capable and civic-minded tech professionals and activists. All translations from Norwegian to English and any mistakes are my own.