The CoronaMelder app will not send warnings about potential infections for two days starting from Wednesday evening, the health ministry said on April 28, after the data leak was discovered.
The app uses the Google Apple Exposure Notification (GAEN) framework – just like many other similar apps used throughout the EU. It works using constantly changing randomly generated codes exchanged between phones close to each other – and sends warnings to those who were in contact with someone who later tested positive for Covid-19.
Third-party apps are not supposed to have access to these codes. On Android phones, however, that turned out not to be the case: apps installed by default were able to read the data.
In a statement, the government said this was a “violation of the Temporary Act on notification application [for] Covid-19.” The breach was first discovered by an EU-wide eHealth Network and reported to the Netherlands on April 22. An investigation was launched shortly after, prompting Health Minister Hugo de Jonge to temporarily suspend the app, even though Google “indicated” that it had fixed the issue.
The government is not taking any chances, though, opting to make sure the issue is solved before allowing the app to resume functioning. It will use the two days to “investigate whether Google has actually fixed the leak,” the ministry’s statement read.
The US tech giant told AP that the problem lay with “random Bluetooth identifiers used by the Exposure Notification framework” that were “temporarily accessible to a limited number of pre-installed applications.” It also said that the data provided by the identifiers “on their own have no practical value to bad actors,” adding that the third-party apps’ developers were likely unaware the data was available.
Google also promised that the fix would be “available to all Android users in the coming days.” The Dutch app had been downloaded by 4,810,591 people as of April 27, according to its website.
In the face of the Covid-19 pandemic last year, many nations in Europe and beyond rolled out contact-tracing apps in a bid to stem the virus’ spread. Some apps used by a number of European countries, including Germany and the Netherlands, were based on systems developed by Google and Apple, despite the privacy concerns about relying on US tech companies.
Many pointed to the risks of surveillance, data leaks, and the information being stored for longer than necessary. Norway stopped using its contact-tracing app in June 2020 after the nation’s data protection watchdog criticized its continued use.
In November 2020, it emerged that Australian intelligence agencies had “incidentally” collected data from the country’s Covid-19 tracking app. The government then said that no one’s privacy had been violated.