Since its schools closed, the Netherlands has been in what is described as an intelligent lockdown and the government is looking at technology as a means to gradually get out of this situation.
Countries have entered lockdown one by one to limit the spread of Covid-19, with the Dutch being told take protection measures against the deadly virus in mid-March.
During a recent press conference on the current coronavirus situation in the Netherlands, public health minister Hugo de Jonge said technology could help to control the spread of the virus, with an app to trace Covid-19 cases by researching contacts between people being an obvious example.
Using Bluetooth, an app user’s phone could register automatically if it has been in the vicinity of a person who has tested positive for the virus. These Bluetooth connections would be stored locally under a unique number. The corona app could then load a list of unique numbers where a virus infection has been detected.
If someone is infected, they can indicate this in the app and a message will be sent to the numbers with which their phone has recently made a Bluetooth connection.
But such an app is not without controversy in the Netherlands. For example, privacy and security are important aspects in developing the app, which has proved something of a problem. The Dutch government called on developers to submit proposals, and about 750 did so, of which seven made a short list and were presented to the public and experts in an Appathon, but experts were immediately critical.
The government has formulated important requirements covering contact research, privacy and information security, but Brenno de Winter, a well-known Dutch privacy and security expert, does not think the apps will meet these requirements. “Input has been skilfully ignored,” he said, told newspaper Algemeen Dagblad. “There are now initiatives that we have dismissed as insufficient in the area of privacy. I wasted a whole day yesterday – this is a mess.”
Peter Boncz, researcher at the Centre for Mathematics and Computer Science and professor at the Free University of Amsterdam, is also surprised by the seven short-listed apps. He says a better alternative is already available from DP-3T. “But they haven’t selected it, which is a big mistake,” he told Algemeen Dagblad. “DP-3T has launched a fairly complete app and is working towards a pilot in Switzerland next week.”
Not surprisingly, none of the seven selected apps passed the selection criteria during the Appathon. According to Benjamin Broersma of the Open State Foundation, in a message on news site NOS.nl, all the apps have design flaws.
KPMG researchers have also found many security problems in six of the seven apps – the developers did not program securely and took hardly any security measures, they said. This became painfully clear when one of the apps, Covid-19 Alert, had to report a data breach in which almost 200 names, email addresses and encrypted passwords of another app to which this app is linked were online.
“We made the source code public as soon as possible,” said a Covid-19 Alert spokesperson. “In the process, we accidentally put this data online.” This appears to illustrate that haste can lead to carelessness – which is exactly the fear of the privacy and security experts watching this development.
IT audit professional Thomas Wijsman has stated in a contribution on LinkedIn that the mix of high ambitions, a political deadline, a mindset of ICT-as-quick-fix and fragmented specifications are a proven recipe for turning an ICT project into a problem case.
Sixty Dutch scientists have written to the government ministers involved in the development of a corona app, expressing their fears. They wrote that the use of apps in the current crisis is far-reaching, so it is important to critically examine the usefulness, necessity and effectiveness of such apps, plus the social and legal impact, before the authorities decide to use them.
The scientists also stressed that technology is rarely the solution to a particular problem.
Many questions about the app have also been raised by Dutch citizens, such as will they be obliged to use it in the future, and who will be able to view the stored data? Also, how far can employers go in requiring their employees to install the app before they are allowed to return to the office?
According to Bert Hubert of IT infrastructure company PowerDNS, the big problem is the government’s lack of expertise. “If this wasn’t about software, but about a dike, things would have gone a lot better,” he told website NOS.
False alarm fears
One of the concerns raised by privacy expert Lokke Moerel, professor at Tilburg University, in the Volkskrant newspaper is that a Covid-19 app can give a lot of false alarms, or even no alarm when there should be one. She agreed that technology is only one of the tools in the fight against the virus, but it is not a holy grail. “If you lift a lockdown with the idea that an app can control the infections, you create a false sense of security,” Moerel told the Volkskrant.
But the Netherlands government will not give up on developing an app. During a press conference on 21 April about the current Covid-19 restriction measures in the Netherlands and possibly easing them, prime minister Mark Rutte said: “We don’t have to start all over again [with the app]. I see the current developments as the next step.”
Ministry of health director Ron Roozendaal, who deals with the introduction of Covid-19 apps, shared Rutte’s opinion, saying: “We don’t have to go back to square one. I see the events of the last few days as an ongoing process.”
The Dutch government expects to be able to decide in a month’s time whether, and how, an app can be used for contact research. Health minister de Jonge wrote to the Tweede Kamer (Lower House of Parliament) that he was “pleased” that the Appathon had led to a broad social debate. “I don’t take lightly the introduction of digital support for source and contact tracing,” he wrote. “I will not compromise on the preconditions. The possible introduction of apps will have to be accompanied by scientific research.”
De Jonge’s letter added that a new team is being set up to work on a new solution. “My commitment is to quickly have a team with the right builders and also with experts in the field of information security, privacy, fundamental rights, national security and inclusion,” he wrote.