How to find the Norwegian prime minister in an "anonymized" contact tracing dataset

Hagen Echzell

Playlists: 'jev22' videos starting here / audio

The first version of “Smittestopp”, the Norwegian Institute
of Public Health’s (NIPH) contact tracing application, centrally stored
data about the population’s contact patterns with reference to a static
personal identifier, a decision that has been widely discussed and criti-
cised. After the Norwegian Data Protection Authority had temporarily
forbidden further data collection and processing in June 2020, NIPH an-
nounced to discontinue the app and stated that all data related to the
application would be deleted. Nevertheless, in October 2021, researchers
from an institution involved in the development of the app published
a paper called “Nationwide rollout reveals efficacy of epidemic control
through digital contact tracing”. In their paper, they analysed a de-
rived dataset based on the Smittestopp data that was announced to be
deleted. The authors claim that this derived dataset was anonymised and
therefore does not include any personal data. We challenge this assump-
tion by explaining how different external sets of personal data can be
matched with the dataset, which potentially leads to a re-identification
of persons and a disclosure of their private contacts. We conceptually
show how some of these methods can be applied on an example case
using publicly available information on Erna Solberg, Norway’s former
prime minister. We conclude that it appears reasonably likely that indi-
viduals can be re-identified and that the dataset should not be considered
anonymised.

Download

Embed

Share:

Tags