Another privacy risk uncovered in Dutch Covid app
Researchers from Radically Open Security uncovered another privacy risk with the Dutch government's coronavirus warning app CoronaMelder. Citizens may feel pressured by the GGD to use the app, even though it's supposed to be completely voluntary. And GGD workers could be able to link app data to patients, while the app is supposed to be anonymous, NU.nl reports.
GGD employees can check whether someone who just tested positive for Covid-19 is using the app, and then use the app to warn their close contacts. In this way, the health service could theoretically convince or force someone to upload the codes the app collected from their close contacts.
CoronaMelder exchanges codes with other app users that were in its close vicinity for 15 minutes or more. Once an app user tests positive for Covid-19, the app can send a notification to all these other apps, to warn them that they too may be infected. To prevent people sending codes unnecessarily, this can only be done with the GGD.
The fact that the GGD employee can check whether the patient sent out the notification also endangers the anonymous nature of the app, according to Radically Open Security. The GGD employee is in contact with the infected person and knows their name and telephone number. This data can be combined with whether someone uploaded their codes.
In a letter to parliament on August 28, Health Minister Hugo de Jonge suggested that the app does not contain any privacy or coercion risks that would prevent the national roll-out. There are no "so-called showstoppers", he wrote.
Despite this assurance, it is definitely not the intention that the issues found by Radically Open Security are in the final version of the app, Brenno de Winter, a privacy expert hired by the government, said to NU.nl.
Experiments with the CoronaMelder were launched in five GGD regions on August 17. The idea was to launch the app nationally on September 1, but De Jonge postponed this because the law that will regulate the use of the app had not yet been approved.