The unique codes can also be received without the CoronaMelder app. If you can link a code to a name, you will later know who it is when that person is tested positive and indicates this in the app.
Linking a code to a name is easier with smaller numbers of people around you. To help you distinguish who is who, the website shows how far someone is from you, and even whether they are moving towards you or away from you.
The ministry recognizes the risk. Tijmen Schep: “This cannot be prevented, because this app simply cannot work completely anonymously”. The app relies on unique, personal codes: the opposite of total anonymity.
‘Small risk’
The Schep site contains measures to prevent people from actually identifying other app users for a longer period of time. But on the internet you can find software that can do that.
Nevertheless, the ministry considers it unlikely that this will lead to serious privacy risks. To do this, someone would have to collect codes from app users on a large scale and link them to a location, for example, according to the ministry. That is not allowed, so the chance is “small that this will happen on any scale”, was the estimate of the ministry.
“However small that chance is: if someone finds out that you have the corona virus without your wanting to, because you use the app, that is still annoying”, says Schep.
In theory, companies can find out on a larger scale
The greatest risk is that someone intercepts codes on an individual level: few people are able to intercept Bluetooth signals on a large scale. But some companies can. These are companies that install sensors everywhere to measure visitor flows via WiFi and Bluetooth. This happens, for example, in shops, at street level and at NS stations.
One of those companies, BlueMark, is interested in CoronaMelder’s signals. In a now-deleted blog post, BlueMark describes how its technology can also intercept those signals. This way, entrepreneurs can see how many people have installed the CoronaMelder. But the CoronaMelder data can also help to better measure crowds, the company says.
According to Roel Schiphorst of BlueMark, there are no customers who use CoronaMelder signals yet. In the deleted blog post, however, BlueMark writes about a pilot in which the use of CoronaMelder in a shopping street was reported for a month and a half. When asked, Schiphorst says that this was “fake data”, intended “to explain to our customers what is technologically possible”.
Those involved consider that reading unlikely. The Ministry of Health has filed a complaint against BlueMark with the Dutch Data Protection Authority. Schiphorst does not want to enter the discussion in the media.
According to lawyers, the company operates within the limits of the law, as long as it does not intercept the unique CoronaMelder codes.
The company’s technology does support that capability. Whether customers comply with the law is up to them, says Schiphorst of BlueMark. “We just supply the technology, it’s up to our customers to comply with the law.”
‘Very small risk’
Schep emphasizes that he thinks the app is generally well put together. “This is a very small risk, but I think it is important that people know that this can happen,” says Schep.
Whether he uses the app himself? “My Android phone has too many privacy options enabled for that,” said Schep. “So now I occasionally bring a spare phone with the app installed.”
–
