For two days, the CoronaMelder app will not notify users who have been in the vicinity of a person infected with corona. Minister Hugo de Jonge decided this because of the privacy problem that has surfaced on Android.
Due to a bug in Google software, data from government corona apps, including CoronaMelder, is accessible to the preinstalled apps on Android phones. In this way, those apps can “determine whether the phone is in the possession of someone who has previously been reported as infected in CoronaMelder and which encounters with infected persons have taken place”. In a letter to the House of Representatives, De Jonge says that Google has reported “no proof that these apps have actually collected and used data”.
The Netherlands was informed of the problem at Google last Thursday, says De Jonge. After that, the Netherlands “immediately started a technical investigation to map out the consequences”. That investigation showed on Wednesday “that it is indeed the case that user data can be read by unauthorized parties”.
Google response ‘insufficient’
Google is said to have closed the leak in the so-called Google-Apple Exposure Notification (GAEN) framework, which makes governments' corona apps possible. But it will take a while before the problem is actually resolved on all phones. “It turned out that they were not yet aware of the possibilities for abuse reported to them by our experts,” writes De Jonge. He therefore calls the response from Google “insufficiently satisfactory”. That is why no notifications will be sent for 48 hours.
During that time, it will be checked whether the leak has actually been plugged. If the problem has indeed been resolved, users of the app will receive notifications again after that time “and the warnings will still be sent”.
The Dutch Data Protection Authority already called on the Ministry of Health on Wednesday to resolve the privacy problems with the CoronaMelder app as soon as possible. Security researchers warned Google about the flaw in the system on February 19.
“This concerns health data, very sensitive information of a lot of people,” says chairman Aleid Wolfsen of the Dutch Data Protection Authority (AP). “The Ministry of Health, Welfare and Sport is responsible for ensuring that the app is completely safe to use. The Ministry has chosen to use the Google software.”
In the advice that the AP issued to the Ministry of Health, Welfare and Sport in August 2020 about the corona app, the Google-Apple Exposure Notification framework was already the main concern. Wolfsen: “Unfortunately, our concerns now seem to have been justified.”
Google promises update
A spokesperson for VWS says that Google is working on an update that should solve the problem. “The app we built does not store any data; it now appears that certain codes are stored on Android phones. That is against the agreements about privacy that we have made with the company.”
According to him, whether the collaboration with Google continues depends on how, and how quickly, Google offers a solution.
The CoronaMelder app has been downloaded a total of 4.8 million times on both iOS and Android. The app uses Bluetooth anonymously to monitor whether users have been close to other people for more than 15 minutes. If they then test positive, they can warn other users of the app.
Recently, a survey found that more than 144,000 people have received such a report from the app. People who got tested after such a report were significantly more likely to be infected than the rest of the population. This would show that the app does have an effect.