Attack vectors to re-identify individuals from the anonymised Smittestopp dataset


Hagen Echzell, Independent Researcher, Oslo


The first version of “Smittestopp”, the Norwegian Institute of Public Health’s (NIPH) contact tracing application, centrally stored data about the population’s contact patterns with reference to a static personal identifier, a decision that has been widely discussed and criticised. After the Norwegian Data Protection Authority had temporarily forbidden further data collection and processing in June 2020, NIPH announced that it would discontinue the app and stated that all data related to the application would be deleted. Nevertheless, in October 2021, researchers from an institution involved in the development of the app published a paper called “Nationwide rollout reveals efficacy of epidemic control through digital contact tracing” [3]. In their paper, they analysed a derived dataset based on the Smittestopp data whose deletion had been announced. The authors claim that this derived dataset was anonymised and therefore does not include any personal data. We challenge this assumption by explaining how different external sets of personal data can be matched with the dataset, which potentially leads to a re-identification of persons and a disclosure of their private contacts. We conceptually show how some of these methods can be applied to an example case using publicly available information on Erna Solberg, Norway’s former prime minister. We conclude that it appears reasonably likely that individuals can be re-identified and that the dataset should not be considered anonymised.