GGD employees can check whether someone who is infected with the corona virus and has downloaded the CoronaMelder app is using the app to actually warn his close contacts. That way, the GGD could theoretically convince or force someone to upload their collected codes of close contacts. This goes against the wish of the Ministry of Health that the CoronaMelder should be completely voluntary.
CoronaMelder is waiting for approval by the Senate
The issue was discovered by Radically Open Security (ROS) researchers, who estimate the risk to be medium. The research has now been published (pdf), but was completed before the corona app and the accompanying law were discussed in the House of Representatives in early September.
In the meantime, Minister Hugo de Jonge (Public Health) suggested a Letter to Parliament that the app does not contain any risks that would prevent the national rollout. There are “no so-called”showstoppers” wrote De Jonge.
While it is certainly not the intention that the issue found by ROS is in the final version of the app, says privacy expert Brenno de Winter hired by the ministry in a response to Press.
“The function was necessary in the test to make sure the app works,” he says. CoronaMelder has been tested at five GGDs since 17 August. De Winter ensures that the risk found by ROS will not be reflected in the app as soon as it becomes nationally available. He also emphasizes that the researchers did a good job in raising the issue.
The corona app exchanges signals with other smartphones in its vicinity. In this way an anonymous log of codes is created. If someone turns out to be infected with the COVID-19 virus, the GGD asks whether that person wants to upload these codes. Anyone who has been in the vicinity of the corona patient will receive a notification via their own app.
At the moment, people can only share these codes via GGDs in Overijssel, Drenthe and Gelderland, where the app is being tested. As soon as the app becomes available nationally, any infected app user can upload his codes. To prevent people from uploading their codes unnecessarily en masse, this can only be done together with the GGD.
The possibility of the GGD employee to check whether this has actually happened, in addition to risks of control or coercion, also endangers the anonymous nature of the app, according to ROS. The GGD employee is on the line with the infected person and knows his name and telephone number. This data can be combined with whether or not someone uploads their codes.
CoronaMelder itself does not collect names or telephone numbers, nor does it collect location data. The ministry has said it considers this an important condition before the app becomes nationally available.
Because the introduction of the app is regulated by law, CoronaMelder cannot be available nationwide at this time. Following the agreement of the Lower House earlier this month, the law is expected to be discussed in the Upper House on 6 October.