Incident: Contact-Tracing App Failure in Norway Due to Privacy Intrusion

Published Date: 2020-06-15

Postmortem Analysis
Timeline
1. The software failure incident with Norway's Covid-19 contact-tracing app, Smittestopp, happened in mid-April 2020, as mentioned in the article [101011].

System
1. Smittestopp app - Norway's contact-tracing app
2. Australia's CovidSafe app, version 1.5 of the iOS release [101011]

Responsible Organization
1. Norwegian health authority and the developers of the Smittestopp app [101011]
2. Australian team of cyber-security researchers [101011]

Impacted Organization
1. Norway's health authority - The software failure incident impacted Norway's health authority, which had to delete all data gathered via its Covid-19 contact-tracing app and suspend further use of the tool due to privacy concerns raised by the Norwegian Data Protection Authority [101011].
2. Users of Australia's CovidSafe app - The bug in the latest version of Australia's contact-tracing app meant that many iPhones failed to log matches, potentially impacting users' ability to be notified if they had been in contact with someone who tested positive for coronavirus [101011].

Software Causes
1. The failure incident in Norway's Covid-19 contact-tracing app, Smittestopp, was caused by a flaw in the app's design that led to a disproportionate intrusion into users' privacy, resulting in the Norwegian Data Protection Authority ruling that all gathered data be deleted and further use of the tool suspended [101011].
2. The failure incident in Australia's CovidSafe app was due to a flaw in version 1.5 of the iOS release, which prevented iPhones from being detected when locked, leading to potentially missed contact-tracing opportunities [101011].

Non-software Causes
1. The Norwegian Data Protection Authority ruled that the Smittestopp app represented a disproportionate intrusion into users' privacy, leading to the deletion of all data gathered and the suspension of further use of the tool [101011].
2. The flaw in the latest version of Australia's CovidSafe app for iOS devices meant that iPhones failed to be detected when locked, potentially leading to missed contact-tracing opportunities [101011].

Impacts
1. Norway had to delete all data gathered via its Covid-19 contact-tracing app and suspend further use of the tool due to a ruling by the Norwegian Data Protection Authority that the app represented a disproportionate intrusion into users' privacy [101011].
2. A bug in the latest version of Australia's contact-tracing app caused many iPhones to fail to log matches, potentially leading to missed notifications of exposure to the coronavirus [101011].

Preventions
1. Conducting a thorough privacy impact assessment before deploying the app, to ensure compliance with data protection regulations, could have prevented the software failure incident in Norway [101011].
2. Implementing a decentralised model for contact-tracing apps, such as the one proposed by Apple and Google, could have prevented the privacy concerns and potential data breaches [101011].
3. Performing rigorous testing, including testing across various devices and scenarios, could have identified and fixed the bug in Australia's CovidSafe app before its nationwide rollout [101011].

Fixes
1. Switching contact-tracing apps like the one used in Norway to the decentralised model backed by Apple and Google could potentially fix the software failure incident [101011].
2. Releasing updates to the CovidSafe app in Australia to address the flaw in version 1.5 of the iOS release, which causes iPhones to fail to be detected when locked, could help resolve the issue [101011].

References
1. Norwegian Data Protection Authority
2. Australian cyber-security researchers
3. Australia's Digital Transformation Agency
4. Singapore's government
5. Department of Health spokeswoman

Software Taxonomy of Faults

Recurring: one_organization, multiple_organization
(a) The software failure incident having happened again at one_organization: In Article 101011, it is mentioned that Norway's health authority had to delete all data gathered via its Covid-19 contact-tracing app, called Smittestopp, and suspend further use of the tool due to privacy concerns raised by the Norwegian Data Protection Authority. This incident can be considered a software failure within the same organization (the Norwegian health authority), as it had to pause the use of its app due to issues related to data collection and privacy concerns.
(b) The software failure incident having happened again at multiple_organization: In the same article, it is highlighted that a bug in the latest version of Australia's contact-tracing app, CovidSafe, caused many iPhones to fail to log matches. This indicates a software failure incident at another organization (Australia's health authority) with its contact-tracing app, and demonstrates that similar incidents have occurred in multiple organizations with their respective contact-tracing apps.

Phase (Design/Operation): design, operation
(a) The software failure incident related to the design phase is evident in the case of Norway's contact-tracing app, Smittestopp. The Norwegian Data Protection Authority ruled that the app represented a disproportionate intrusion into users' privacy due to the decision to gather both Bluetooth and GPS location data and to perform contact-matching remotely on a centralised computer server. This design choice was criticised by the regulator as not "strictly necessary", leading to the suspension of the app and consideration of switching to a rival design backed by Apple and Google [101011].
(b) The software failure incident related to the operation phase is seen in Australia's CovidSafe app. Researchers discovered a flaw in the iOS release of the app (version 1.5) that caused iPhones to fail to be detected when locked. This operational issue meant that users could potentially not be contacted if they had been near someone who tested positive for COVID-19, raising concerns about the effectiveness of the app in operation [101011].

Boundary (Internal/External): within_system
(a) The software failure incident related to the boundary of the system can be identified in Article 101011. The article mentions that the Norwegian Data Protection Authority ruled that the Smittestopp app represented a disproportionate intrusion into users' privacy due to the decision to gather both Bluetooth and GPS location data and to carry out contact-matching remotely on a centralised computer server. This decision to collect location data was a contributing factor originating from within the system that led to the failure of the app [101011].

Nature (Human/Non-human): non-human_actions, human_actions
(a) The software failure incident related to non-human actions in the articles is the bug in the latest version of Australia's contact-tracing app. The bug in version 1.5 of the iOS release of the CovidSafe app caused iPhones to fail to be detected when locked, leading to potentially missed contact-tracing opportunities [101011].
(b) The software failure incident related to human actions in the articles is the decision by the Norwegian health authority to gather both Bluetooth and GPS location data for its contact-tracing app, Smittestopp. The Norwegian Data Protection Authority ruled this a disproportionate intrusion into users' privacy, leading to the deletion of all data gathered via the app and the suspension of its further use [101011].

Dimension (Hardware/Software): hardware, software
(a) The software failure incident related to hardware can be seen in the case of Australia's CovidSafe app, where a flaw in the iOS release (version 1.5) caused iPhones to fail to be detected when locked. This hardware-related issue led to a failure of the app's contact-tracing functionality, potentially impacting its ability to track contacts accurately [101011].
(b) The software failure incident related to software can be observed in Norway's Smittestopp app. The Norwegian Data Protection Authority ruled that the app represented a disproportionate intrusion into users' privacy due to the way it collected both Bluetooth and GPS location data for contact-matching on a centralised computer server. This software design flaw led to the suspension of the app and to consideration of switching to a rival design backed by Apple and Google, which follows a decentralised model for contact tracing [101011].

Objective (Malicious/Non-malicious): non-malicious
(a) The software failure incident mentioned in the articles is non-malicious. In the case of Norway's contact-tracing app, the failure was due to the Norwegian Data Protection Authority ruling that the app represented a disproportionate intrusion into users' privacy, leading to the deletion of all data gathered via the app and the suspension of its further use [101011]. Additionally, in Australia, a bug in the latest version of the contact-tracing app caused iPhones to fail to log matches, which was a non-malicious technical flaw [101011].

Intent (Poor/Accidental Decisions): poor_decisions
(a) The intent of the software failure incident was related to poor_decisions. The failure of the Norwegian contact-tracing app, Smittestopp, was due to the Norwegian Data Protection Authority ruling that the app represented a disproportionate intrusion into users' privacy. The developers of the app decided to gather both Bluetooth and GPS location data for contact-matching on a centralised computer server, which the regulator deemed unnecessary. Additionally, the regulator suggested switching to Apple and Google's decentralised model for greater user anonymity, highlighting a poor decision in the design and implementation of the app [101011].

Capability (Incompetence/Accidental): development_incompetence, accidental
(a) The software failure incident related to development incompetence can be seen in the case of Norway's contact-tracing app, Smittestopp. The Norwegian Data Protection Authority ruled that the app represented a disproportionate intrusion into users' privacy, as it collected both Bluetooth and GPS location data without demonstrating that this was strictly necessary. Additionally, the regulator noted that experts recommended switching to Apple and Google's decentralised model, indicating a lack of professional competence in the initial design and implementation of the app [101011].
(b) The software failure incident related to accidental factors can be observed in Australia's CovidSafe app. Cyber-security researchers discovered a flaw in the iOS release of the app (version 1.5) that caused iPhones to fail to be detected when locked. This flaw was accidental rather than intentional, leading to potential gaps in contact-tracing efforts [101011].

Duration: temporary
(a) The software failure incident mentioned in the articles is temporary. In the case of Norway's contact-tracing app, the Norwegian Data Protection Authority ruled that the Smittestopp app represented a disproportionate intrusion into users' privacy, leading to the deletion of all data gathered via the app and the suspension of its further use [101011]. Additionally, in Australia, a bug in the latest version of the CovidSafe app caused iPhones to fail to be detected when locked, potentially leading to missed contact-tracing opportunities [101011]. These incidents are temporary failures caused by specific circumstances or issues within the software systems.

Behaviour: crash, omission
(a) crash: The article mentions a software failure incident related to Australia's CovidSafe contact-tracing app, where iPhones fail to be detected when locked, leading to a potential failure scenario in which users may not be contacted if they have been in close proximity to an infected person [101011].
(b) omission: The article discusses a bug in the latest version of Australia's contact-tracing app that causes iPhones to fail to log matches when the device is locked, potentially omitting to perform its intended function of logging close contacts for later notification in case of infection [101011].
(c) timing: There is no specific mention of a software failure incident related to timing in the provided article.
(d) value: The article does not provide information about a software failure incident related to the system performing its intended functions incorrectly.
(e) byzantine: The article does not mention a software failure incident related to the system behaving erroneously with inconsistent responses and interactions.
(f) other: The other behaviour mentioned in the article is the privacy intrusion issue with Norway's Smittestopp contact-tracing app, where the Norwegian Data Protection Authority ruled that the app represented a disproportionate intrusion into users' privacy, leading to the deletion of all data gathered via the app and the suspension of its use [101011].

IoT System Layer

Perception: None
Communication: None
Application: None

Other Details

Consequence: property, theoretical_consequence
(a) death: People lost their lives due to the software failure - No information in the provided article suggests that people lost their lives due to the software failure incident. [101011]
(b) harm: People were physically harmed due to the software failure - There is no mention of people being physically harmed due to the software failure incident in the articles. [101011]
(c) basic: People's access to food or shelter was impacted because of the software failure - The articles do not mention any impact on people's access to food or shelter due to the software failure incident. [101011]
(d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident in Norway's contact-tracing app led to the deletion of all data gathered via the app and the suspension of further use of the tool due to privacy concerns raised by the Norwegian Data Protection Authority. This can be considered an impact on data. Additionally, a flaw in Australia's CovidSafe app meant that iPhones failed to be detected when locked, potentially affecting the accuracy of contact tracing. [101011]
(e) delay: People had to postpone an activity due to the software failure - The articles do not mention any activities being postponed due to the software failure incident. [101011]
(f) non-human: Non-human entities were impacted due to the software failure - The software failure incidents mentioned in the articles primarily concern contact-tracing apps and their functionality, with no specific mention of non-human entities being impacted. [101011]
(g) no_consequence: There were no real observed consequences of the software failure - The software failure incidents described in the articles had observable consequences, such as the deletion of data, the suspension of app use, and a flaw affecting contact-tracing accuracy. [101011]
(h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles discuss potential consequences, such as the impact on the spread of the disease due to changes in contact-tracing methods, but these consequences did not occur, as they were still under consideration or evaluation. [101011]
(i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The articles do not mention any other specific consequences of the software failure incident beyond those related to data deletion, privacy concerns, and potential impacts on contact-tracing accuracy. [101011]

Domain: health
(a) The failed system was intended to support the health industry. The software failure incident mentioned in the articles relates to the Covid-19 contact-tracing apps used by countries such as Norway and Australia to track and notify individuals who may have been exposed to the coronavirus [101011].

Sources
