CoronaMelder app taken offline during data leak investigation
The government's coronavirus notification app CoronaMelder will not deliver any notifications to close contacts of those who tested positive for a coronavirus infection until at least Friday evening. The government has launched an investigation to determine whether a security issue regarding the app’s use on phones using the Google Android operating system has been solved, Caretaker Health Minister Hugo de Jonge announced on Thursday evening.
“The privacy of users always comes first. Although the solution to the problem is in the hands of Google, I can limit the consequences. That is why we are taking this decision,” said De Jonge.
The Netherlands learned a week ago that apps on Android phones were able to determine whether the phone is in the possession of someone who has previously been reported as infected in CoronaMelder, and which encounters with infected people have taken place. To do this, the code must be combined with other data sources. This was believed to be in violation of the temporary law passed last year which made it possible to introduce CoronaMelder to help with source and contact investigations when someone tests positive for a SARS-CoV-2 infection.
On Monday, the Dutch Data Protection Authority was subsequently informed of the possible data leak from Google, and two days later, Google indicated that it had solved the problem. To verify this, the government then decided to issue a 48-hour pause on CoronaMelder.
CoronaMelder uses Bluetooth to exchange unique codes between phones which are running the app, and which have been within 1.5 meters of each other for more than 15 minutes. If someone uses the app on their phone to report they tested positive for coronavirus, the app alerts all other phones with which it exchanged codes. The codes are made up of a string of randomly selected characters, and are therefore not linked to one individual.
During the two-day suspension, no codes will be shared between app users’ phones. As soon as the government has confirmed that Google resolved the problem, CoronaMelder users will be able to receive notifications again and alerts will be sent, De Jonge said.