The dynamics of governance capacity and legitimacy: the case of a digital tracing technology during the COVID-19 pandemic

Abstract
Input, throughput, and output legitimacy of government measures are considered to be essential for governance capacity in crisis. During the COVID-19 crisis, governments around the world developed digital contact-tracing applications to support their crisis management—with varying degrees of success. While Norway is seen as a high performer in the crisis, the contact-tracing app called Smittestopp developed in Norway had little impact. Using a case study, we studied the governance capacity and legitimacy of this technology in terms of how it was developed, how much it was utilized by citizens, and its usefulness relative to other government measures. Although the app did very little to help the COVID-19 crisis management in Norway, we identify some important lessons to be learned. We argue that the initial input and throughput legitimacy is important if a government policy is to maintain output legitimacy over time and be effective in a crisis. Consequently, this study contributes to the literature on governance capacity and legitimacy in crisis management.


Introduction
When a major crisis such as the COVID-19 pandemic strikes, the government response can be evaluated in terms of preparation, mitigation, sense-making, meaning-making, and learning (Boin et al. 2005). All these aspects or phases are related to the two central concepts in crisis management: governance capacity and governance legitimacy (Christensen, Laegreid, and Rykkja 2016). Governance capacity, alluding generally to a government's ability to organize and to the resources it has, will in a pandemic include the healthcare provision available, the level of training, intra- and intergovernmental structures, delegation of authority, specialized competences, etc. Lodge and Wegrich (2014) divide governance capacity into four categories: analytical, coordination, regulatory, and delivery capacity.
Governance legitimacy primarily deals with the relationship between government and citizens. How convincing is the government in meaning-making, i.e., in explaining to citizens what the crisis is about and how it plans to deal with it (Ansell, Boin, and Keller 2010)? How do citizens receive communications from the government, and how positive is their perception of how the government is coping with the crisis? Do they trust the government, overall or more specifically (Easton 1965)? Governance legitimacy can be divided into input, throughput and output legitimacy (Scharpf 1999; Schmidt 2013).
There is a dynamic relationship between governance capacity and legitimacy (Christensen et al. 2016). If governance capacity is high in all aspects, citizens are also likely to respond positively,
The remainder of the study is organized as follows. We start by presenting the theoretical foundation, defining the concepts of crisis management, governance capacity and governance legitimacy. The next section elaborates on the overall COVID-19 pandemic context. This is followed by a description of our methods. We then compare the processes of developing the two versions of the contact-tracing app and discuss this in the light of governance capacity and legitimacy. Thereafter, we discuss this in relation to other crisis measures, conclude with our main results and discuss the further implications of the study as well as limitations.

Crisis management
Crisis management can be defined as the process whereby public (and private) organizations deal with a crisis before, during, and after it has occurred (Boin et al. 2005). It involves being prepared for a crisis, meaning having a contingency plan and the necessary equipment, which overall was a problem in many countries when COVID-19 struck. Crisis management also involves handling the crisis, meaning using the resources available or mobilizing more resources (Lodge and Wegrich 2014). After the crisis is over, it is important to use the experience gained from it to generate feedback and to improve the crisis management system, so that it is better equipped to deal with a new crisis. All these instrumental factors are central aspects of what is called governance capacity, which will be discussed in more detail below (Christensen et al. 2016).
However, crisis management is much more than the technical aspects. When a crisis happens, central actors must try to make sense of it for the public, but they must also be able to communicate their crisis management, otherwise it is difficult for people to know how to respond to the crisis. This sense-making process (Weick 1995) may be smooth and dominated by top executives with unambiguous means-end thinking, but it may also be characterized by a variety of interests, different perceptions of the potential consequences of choosing certain solutions and by negotiation processes that end in compromises.
Another important aspect is meaning-making. The government has to communicate what the crisis is all about externally and make sense of it for citizens (You and Ju 2019). This communication is context-based, in the sense that there are structural and temporal constraints, and it may be more or less professional. Improved reputation management in a crisis reflects such professionalization, where certain symbols are used in a systematic way (Waeraas and Maor 2014). The combined features of sense-making and meaning-making are seen as deeply related to governance legitimacy, as we will discuss below.
A growing part of modern crisis management involves the use of technology (Meijer, Lips, and Chen 2019). Technologies developed to assist in combating a crisis often come about rapidly and are called emerging or disruptive technologies (Rotolo, Hicks, and Martin 2015; Taeihagh, Ramesh, and Howlett 2021). Emerging technologies can be characterized as having five key attributes: they are radically new, grow fast, spread coherently, have prominent impact, and have uncertain outcomes (Rotolo et al. 2015:1833-1839). During the COVID-19 pandemic emerging technologies involving artificial intelligence (AI), 5G-enabled e-health solutions, robotics, Big Data, Internet of things, and digital contact-tracing were developed across the world (Mbunge et al. 2021). For our study, digital contact-tracing apps for mobile phones are most relevant. We will analyze the development and use of such a technology in Norway by applying the concepts of governance capacity and governance legitimacy.

Governance capacity and governance legitimacy
Governance capacity deals primarily with resources and organization, meaning formal structural design and crisis-related procedures of the government apparatus (Christensen et al. 2016). The government must decide how many resources to allocate to combat a crisis, relative to those allocated for other societal purposes, and how to distribute resources among different aspects of a crisis, for example, in the case of the COVID-19 pandemic, health, economic concerns and social aspects (Christensen and Laegreid 2020b). It must also decide how to organize the handling of the crisis. Should authority and power be concentrated centrally or delegated to lower levels? Which public body should be the lead agency? And how should the influence of political, administrative, and expert actors be balanced? Lodge and Wegrich (2014) distinguish between four types of governance capacity. Analytical capacity is a rather basic category concerning means-end thinking: what to do and how to do it. Without the ability to analyze information and without evidence-based expert advice, the risks and vulnerabilities will increase. This alludes to what is called the scientization of public decision making, which has been seen as crucial during the pandemic (Marcussen 2010). Coordination capacity is about how to cope with public organizations pulling in different directions during crises. The challenges of inter- or intra-organizational coordination, whether vertical or horizontal (Egeberg 2012), are especially important during crises that represent typical "wicked issues," meaning reaching across sectors, institutions and levels (Head and Alford 2015).
Regulatory capacity deals with control, surveillance, oversight, and auditing, and is hence tightly connected to coordination capacity, since regulatory measures imply coordination both inside the public apparatus and vis-a-vis societal stakeholders and regulatees (Alemanno 2020). It presupposes that the legal preconditions are in place and that the government is not overstepping its authority. Delivery capacity is about providing public services during a crisis, which in particular connects with coordination capacity, i.e., are services available and in what ways (Gai and Tobe 2020). Providing services means both crisis- and non-crisis-related services. Many governments have, for example, been criticized for disregarding regular medical activities, such as cancer treatment and heart surgery, because nearly all the capacity of some hospitals has been directed toward treating COVID-19 patients.
In what ways are the different types of governance capacity relevant for understanding the development and use of a contact-tracing app? Generally, governance capacity is required in order to have the resources and organizational structure to develop such an app. More specifically, it takes analytical capacity, either in the public apparatus or in collaboration with the private sector, technically to develop an app. Coordination capacity may deal with bringing together this competence and making it work in practice. Regulatory capacity is necessary regarding the legal aspects of an app, ensuring that public authorities do not violate privacy and handle personal information appropriately. Delivery capacity deals potentially with making the app available and easy to use.
Governance legitimacy is about how the attitudes and actions of a government are received by citizens (Christensen et al. 2016). Trust and legitimacy are closely connected. Following Easton (1965), one can say that trust is either general/diffuse or specific. This can mean that citizens trust the government generally, in most respects, or they trust specific institutions or particular leaders in certain situations. High legitimacy may work well in crisis situations, because it represents what in organization theory is called slack (Cyert and March 1963), i.e., a situation where the government has reserves because demands are lower than resources. People may thus accept the government's actions and make them easier to implement and more effective.
Input legitimacy, throughput legitimacy, and output legitimacy are three types of governance legitimacy (Scharpf 1999; Schmidt 2013). Input legitimacy deals with how people's assessment and acceptance of the actions of leaders in crises are related to how compatible they think policies of government are with their own views. Participatory quality is, however, also important (Thiele and Pruin 2021). This refers to whether citizens feel involved in policymaking and policy implementation. A common problem for citizens in many countries during the pandemic has been that they have felt unable to participate in or influence government action. Government action and the motivations behind it have in many cases been rather paternalistic and hierarchical, asking people to be collectively oriented and disciplined to get through the crisis (Christensen and Laegreid 2020b). This has led to public debates and conflicts, both concerning the initial handling of the pandemic and the vaccine programs, but also related to the development and use of contact-tracing apps.
Throughput legitimacy deals with what goes on in the "black box," meaning in the governance apparatus; it is process-oriented and focuses on the quality of interactions (Schmidt 2013), which means the efficacy of all the different processes and the rules and procedures used in decision-making. It also deals with transparency and accountability, including ethical governance, but also inclusiveness and deliberative quality in interactions among governmental actors, as well as openness toward society.
Output legitimacy deals with the problem-solving quality of decisions, laws and rules, and measures such as contact-tracing apps, and has several institutional mechanisms connected with it. It deals with the extent to which government decisions, policies, means and measures resonate with the norms and values of citizens, and it contributes to identity-building and commitment (Cerutti and Lucarelli 2008).
There could be interesting dynamics among the three types of legitimacy. In the best of all worlds, input legitimacy will be high, in other words, processes will be inclusive and participative. This may then translate into high throughput legitimacy, meaning high quality internal processes, including openness to the public. This may in turn lead to high output legitimacy, meaning effective goal achievement and public acceptance of and support for government tools and performance. There could also, however, be less mutual reinforcement among the different types of legitimacy. Lack of participatory quality may carry over into skepticism about internal governmental processes and low legitimacy for performance and products.
In what way are these types of legitimacy relevant for discussing the development of a contact-tracing app? Input legitimacy may relate to whether citizens and civic groups affected by the policy or outside experts support the government or are participating in developing the app. Throughput legitimacy may deal with how well different governmental bodies or private firms participate in developing the app, while output legitimacy may relate to whether citizens trust the app and find it useful. Additionally, if the app undergoes different phases of development or is significantly changed in some way, there may be interaction between these phases, and between the different types of legitimacy in the phases.
Governance capacity and governance legitimacy, and the various aspects thereof, may be connected in different ways to developing a contact-tracing app. Analytical capacity may be an important precondition for overall high legitimacy through collaborating with private actors in the initial phase of input legitimacy, and for intra-governmental collaboration in the throughput legitimacy phase, not to mention for effectiveness and performance on the output legitimacy side. Coordination capacity may simply mean getting different public organizations to work constructively together to launch development with private providers, but also balancing and taking into consideration various intra-governmental concerns in developing an app, which may increase the chances for its success, reflecting all three types of legitimacy. From the input phase onwards, regulatory capacity may define the legal and other constraints for initiating an app and developing it further in the throughput phase, which may enhance its performance and output legitimacy. Delivery capacity may deal with working with the relevant stakeholders and the public in the input phase, coordinating different service-oriented needs among different public organizations in the throughput phase, and making the app user-friendly and available in the output phase, to increase the output legitimacy.
Although one might expect that an apparent improvement in government capacity would increase legitimacy, and specifically output legitimacy, this need not be the case, as would be a main thesis concerning the connection between Smittestopp 1 and 2. This dynamic must be seen in relation to the pandemic context and other government measures that deal with the crisis. One can expect that if other measures have been successful in the past, it is not at all clear that citizens will think that the tracing technology is necessary when the Norwegian government (and society) had generally been seen as a high performer in the pandemic with its other measures (Christensen and Laegreid 2020a).
Generally, we would expect the dynamics between governance capacity and governance legitimacy to be reflected in how the Norwegian government worked with the contact-tracing app Smittestopp, and how the Norwegian people responded. The people's response can be seen in the number of downloads of Smittestopp 1 and Smittestopp 2, and in the number of reported infections in the apps in comparison to the number of infections in the country in general, reflecting output legitimacy.

Context
The central actors handling the pandemic in Norway have been the Prime Minister (PM), the Ministry of Health (MH), the Norwegian Directorate of Health (NDH) and the Norwegian Institute of Public Health (NIPH) (Askim and Bergström 2022). When COVID-19 broke out in China and later spread around the world, the NDH and NIPH urged the Norwegian government to stay calm and not to rush into imposing stringent regulations. This strategy seemed rational for some time but as the number of infections world-wide grew rapidly in late February and early March 2020, the government came under increasing pressure. Finally, it was decided on March 12 to "push the big button" and establish the most draconic regulatory measures since WW II. These measures, which never amounted to a real lock-down, consisted of advice on social distancing, sneezing, washing hands, etc., but also encompassed closing kindergartens, schools and universities and various kinds of businesses, stopping cultural and sports events, and restricting movement both into Norway from outside and internally (Christensen and Laegreid 2020a). In seeking to balance the main concerns, the government favored the precautionary principle and gave priority to health over economic and social considerations. Economic hardship caused by the restrictions was alleviated through various economic stimulus packages, reflecting the country's affluence, while social concerns remained in the background the whole time (Christensen and Laegreid 2020b).
In deciding on the regulatory measures, the government mainly took advice from the NDH, while the NIPH's line generally deviated from the government's line throughout the regulatory process. In the initial phase it took a more liberal approach to entry into Norway, and later it opposed the closure of kindergartens and schools. In late April 2020 Norway began to lift the restrictions, and most institutions and businesses reopened, but a few restrictions remained in place. This changed again in October, with the advent of the second wave and again from February 2021 when the third wave hit, leading to strong re-regulatory measures, before deregulation began again from May.
As of the end of September 2021, a total of 189,000 people out of a population of 5.3 million had been infected (NIPH 2021a) and a total of 861 people had died, which is fewer than in a normal flu season. Norway had one of the lowest scores in Europe with respect to most indicators of the spread of the pandemic; in the Nordic countries only Iceland scored lower, with Finland on a par, Denmark slightly higher and Sweden much higher (Pierre 2020). The overall good performance of Norway and of most of the Nordic countries has been attributed to a number of contextual factors: the Nordic region is sparsely populated and economically affluent, it has good health care systems, and its populations consist by and large of well-educated, disciplined citizens who follow government advice and regulations (Christensen and Laegreid 2020a).
So far, only the preparation and the first regulatory phase in the first wave have been evaluated by an official corona commission (see Kvinnsland et al. 2021). Its preliminary conclusions were rather damning. First, the commission concluded that the country had generally been poorly prepared. The government had had neither comprehensive contingency plans for a pandemic nor people with the requisite training, not to mention the lack of medical equipment, even though the commission pointed out that COVID-19 had been around for a few months before it was declared a pandemic. The commission also concluded that the decisions connected to the first major draconian measures were taken in a process characterized by a lack of preparation, separate initiatives, lack of coordination, and uncertainty, and had been rushed through on a very tight timeframe. Given all this criticism, it is rather paradoxical that the commission concluded that the Norwegian government had handled the pandemic well, without really stating which criteria this conclusion was based on.
The Norwegian government's overall strategy to control the pandemic was called "testing, isolation, contact-tracing and quarantine" (TISK) (NIPH 2021b). A key part of TISK was the use of digital contact tracing, with the app "Smittestopp." As mentioned, the app came in two versions: the first, Smittestopp 1, was announced in March 2020, launched in April 2020, and eventually banned in June 2020 by the DPA. At this point approximately 1.57 million (out of 5.4 million) Norwegians had downloaded the app, with 600,000 active users (NRK 2020a). Smittestopp 2 was announced in October 2020 and launched in late December 2020. By September 2021, 1.07 million Norwegians had downloaded the app, with fewer than 100,000 downloads in the last six months. During the winter of 2021-2022, the numbers rose slightly (Table 1).

Methods
Because the two versions of the app were created using very different processes, we applied a comparative logic in this case study. We compared the two processes and their outcomes and related these to legitimacy. To do this, we used mainly qualitative data based on documents and interviews. Documents revealed the communication among the various actors involved in developing the two versions of the app. Government statements, official reports (such as the official report by the government-appointed expert evaluation commission (Kvinnsland et al. 2021)), project documents and media reports all provided general information about the management of the coronavirus and the apps. The Norwegian context is characterized by high transparency in public sector decision-making, so it was easy to gain insight into these decisions. In addition, we conducted fifteen interviews with major actors in NIPH, Simula and the DPA who were involved in developing the apps. We also relied upon the interviews conducted by the commission with thirty-five top administrative and political leaders involved in the crisis management of the pandemic in Norway. The interviews provided insight into key decisions made during the crisis and regarding the technology, and outlined the various perspectives on how to use digital technology to combat virus infection. Some quantitative data were used to display the infection numbers in Norway, the number of downloads and the number of app users, as well as how many cases of infection had been reported through the app. Legitimacy can be difficult to operationalize, and scholars often use specific empirical measures that only apply in a given context (Weatherford 1992). For a government policy to be legitimate, one would usually think that it must solve a societal problem (Wallner 2008). In our case, the effectiveness of a voluntary contact-tracing app depended first and foremost on citizens downloading it. 
Downloading an app is a deliberate and conscious act by a citizen who thinks that this is a necessary measure to combat the corona crisis by tracking infections more efficiently. Given that they know of the app, downloading it is an action that legitimizes the measure. If citizens refrain from downloading the app, this indicates that for various reasons they do not think this is a good policy, i.e., not a proper way of dealing with the crisis. Downloading it is thus an operationalization of legitimacy, primarily output legitimacy, because it indicates a willingness to listen to the government's recommendations, which then supposedly translates into more effective crisis management. In a crisis context, it may be the responsibility of the government to convince citizens to download the app, even if this is ultimately voluntary.
Furthermore, the Norwegian health authorities claimed that 60% of the population needed to download the app for it to have an adequate effect and make infection tracking more efficient (NRK 2020b). We can thus compare the number of downloads with this desired number and consider the difference between the two.

Main process features regarding governance capacity and legitimacy
Governance capacity in the contact-tracing apps

Smittestopp 1
At the beginning of the COVID-19 pandemic, the Norwegian government was hesitant about implementing draconic measures (Christensen and Laegreid 2020a). It eventually became clear that it would be possible to create technology which could assist infection detection and provide information that could help the government to assess the effect of the various measures, as well as establishing a knowledge base in preparation for future pandemics (Budd et al. 2020). The early stages of the crisis were a time of great uncertainty and there was no technical experience in Western countries with using mobile phones to track infections (Storeng and de Bengy Puyvallée 2021). The only knowledge to draw on was a research article issued by Oxford University in March 2020 describing the potential of such technology (Ferretti et al. 2020).
Several actors were involved in developing the first version of Smittestopp. Simula, a public research institute in Norway, had offered its IT expertise to the NIPH the day before the draconian measures were implemented in Norway. The NIPH informed Simula about the need for an infection-tracking app and asked it urgently to develop such an app for Norway. In Norway, such requests are usually put out to tender, by law, but NIPH believed that this development had to be done quickly. Also, it became clear that privacy was an important issue in this method of dealing with the crisis, so the Data Protection Authority (DPA) was contacted. On March 27, a regulation tailored to this app was issued by the Ministry of Health (MH), which established the purposes of the app and imposed limits on which data could be collected, how long the data could be stored and what it could be used for.
Smittestopp 1 was launched on April 16. Technologically, it involved GPS tracking, Bluetooth and central data storage. This was done with the aim both of digitally tracking infection, to partly reduce manual infection tracking, and of collecting data to assess the effect of the other measures (Kvinnsland et al. 2021:196; Simula 2020). The code was not open source, meaning no outsiders could check the quality of the app. This runs counter to general IT practice and it prompted criticism from the Norwegian public and outside experts (NRK 2020c). About one month after launch, an independent expert group who got access to the code found that the app did not take sufficient account of privacy considerations. Furthermore, the DPA continually emphasized the importance of transparency, so-called "privacy-by-design," i.e., securing privacy within the technology from the start, as well as general privacy assessments. In retrospect, the head of the DPA said in an interview that "We got the opportunity to provide input, but it was probably not the case that those inputs were listened to." On June 12, the DPA notified the NIPH that it would ban the app because it did not comply with the General Data Protection Regulation (GDPR). They said that GPS tracking and central storage of data had unclear benefits for Norwegian society and that privacy protection was inadequate. Formally, it was banned in July 2020 and NIPH deleted all the data it had collected.

Smittestopp 2
After the ban, the NIPH was still keen to use infection-tracking technology and therefore sought other ways to do this. As both the development process and the technology itself had been criticized by the public and experts in Norway, it decided to take an alternative approach. NIPH lowered its ambitions and would now only digitally track infection to supplement the Norwegian municipalities' manual tracing and tracking efforts, and not collect data to assess the effects of the other measures (Kvinnsland et al. 2021:201).
In September 2020, NIPH restarted work on the app by putting it out to tender. In October, it was decided that the private firm Netcompany would be responsible for the technical development of the app (NIPH 2020). The process of creating version 2 of the app was very different, a head of department in NIPH explained in an interview. First, more actors were consulted or directly involved throughout. Various professional councils provided input for the app, for instance the Norwegian Computer Society, who were among the experts most critical of the first version. In addition, user groups such as the Norwegian Association of the Blind were also included (NIPH 2020). In interviews, actors in the DPA said that they were updated on assessments made by the NIPH throughout and stated that the DPA was satisfied with the documentation it had received regarding risk and impact assessments.
Second, the technology itself was completely different from the first version, and was now based on an Apple/Google framework (Sharon 2021). This meant that only Bluetooth (rather than GPS) was used to track infections, and the data was stored in a decentralized manner on citizens' phones (Ahmed et al. 2020; Grekousis and Liu 2021). This was in line with similar apps in other European countries (EC 2021). Additionally, open source was used, meaning anyone could check the functionality of the app. Hence, there was a high degree of transparency both in the development process and in the technology itself. As the DPA stated that it was satisfied with the data privacy provision in the app, it was launched on December 21, 2020.
The Norwegian health authorities were confident that the technology would contribute well to infection tracking and that many would download the app, as infections had increased a lot during the autumn compared with very low infection numbers during the summer. However, five months after the launch, in June 2021, only 19.2% of Norwegians had downloaded the app (NIPH 2021c).
Looking at the two apps, governance capacity improved in Smittestopp 2 compared with Smittestopp 1. The overall crisis context was a little different, since there was more uncertainty in the first phase, while in the second phase the government knew more about COVID-19, but infection numbers were also higher. As already mentioned, the first app was widely criticized by experts, making legitimacy-building extensive for the second version.
Although the time perspective was relatively short, about half a year between the two "start phases" of the apps (March vs. October 2020), a significant amount of learning related to governance capacity seems to have taken place. The Norwegian government was better prepared for the implementation of Smittestopp 2, and governance capacity appears to have been higher in all respects. Table 2 provides an overview of the comparison of the different governance capacity aspects pertaining to the two versions of the app.
Analytical capacity, meaning the government's use of expertise and knowledge (Lodge and Wegrich 2014), was developed throughout the crisis and contributed to reducing uncertainty regarding the technology. This must be understood in the context of other measures, and not just in relation to technology. Over time, the combined effects of social distancing, handwashing, quarantine and border controls had reduced the spread of infection in Norway (Christensen and Laegreid 2020a:775-777). Norway was also able to learn from other countries, both from those with more positive experiences such as China and Singapore, and those with negative experiences such as Spain and Italy (Shi et al. 2022;Tian et al. 2020). Some knowledge of the technology was country-specific, and the health authorities gradually understood what kind of surveillance mechanisms the Norwegian population would accept. While the first app was in operation, there were major debates in the media, with IT-experts contributing different perspectives on surveillance technology. They were very skeptical about the amount of monitoring the Norwegian government wanted to do (Sandvik 2020a:7). In retrospect, Simula in particular blamed these "activists," together with Amnesty International, for spreading lies about the app and disrupting crisis management (Sandvik 2020b;Digi 2020).
Furthermore, digital tracing technologies were also implemented in other countries, which provided some knowledge on their effects and on the public acceptance thereof. The effects of the Bluetooth technology were not entirely clear, even after the implementation of Smittestopp 2 (Grekousis and Liu 2021:9; Xia and Lee 2020). Nevertheless, uncertainty was not completely eliminated because, as Table 1 shows, infections in Norway increased quite a lot around the time when Smittestopp 2 was developed. Overall, analytical capacity increased somewhat from the first to the second version of the app.
Concerning regulatory capacity, government surveillance of citizens changed considerably between Smittestopp 1 and Smittestopp 2. In the first version, the health authorities looked at the potential that technology could provide in terms of tracking infections if the entire population were monitored. This entailed very high capacity because the app provided an almost complete overview of every citizen's movements (Grekousis and Liu 2021). In the second version, after the Norwegian DPA deemed the first version illegal, the health authorities chose to limit this capacity, by replacing GPS with only Bluetooth technology, and centralized with decentralized data storage (NIPH 2021d). Capacity was thus limited in the second app, which can be understood in relation to legitimacy, as we discuss below.
In Smittestopp 1, coordination capacity was not high. While Simula and the NIPH appeared to be on the same wavelength in developing the technology, there was a lack of horizontal coordination with the DPA. The latter's low involvement meant it was unable to convince the developers about the privacy values and standards required for the app to be accepted. Furthermore, the lack of vertical coordination became evident when the MH issued legislation for the technology that ended up being inconsistent with existing laws.
Coordination capacity was much higher in Smittestopp 2. Several key actors were now involved after the app was put out to tender, in order to ensure that the technological components would fulfill the efficiency, data security and privacy requirements. The involvement of outside experts, the DPA, and affected groups also ensured legitimacy.
With regard to delivery capacity, Smittestopp 1 was banned and unavailable to citizens before it could properly be used, while measures like social distancing, handwashing, quarantine, and border controls were available and in use. For this reason, capacity was slightly higher in Smittestopp 2. This version was at least available over a longer time period to the public, even though it took much longer for the app to be available. Nevertheless, far fewer people downloaded it (see Table 1), despite the fact that its launch coincided with a rapid increase in infection in Norway, and with the strategic work of the health authorities to get people to download the app. A director in NIPH who oversaw the development of Smittestopp argued this was because "you have the infection numbers themselves, they are a deterrent," and "in Norway, we are very very good at manual infection tracking … so if you still see that you are contacted very quickly by an infection tracking team, then it is not obvious that you think you should also use the digital tool."

Governance legitimacy in the contact-tracing apps

Smittestopp 1
Norway is described as a high-trust society, where citizens generally trust the government. At the beginning of the crisis, major decisions were made under conditions of great uncertainty (Christensen and Laegreid 2020a). This also applied to the technology. While the general decisions were made by the political leadership in collaboration with the NIPH and the Norwegian Directorate of Health (NDH) and were overall accepted by Norwegian citizens, the decision to initiate Smittestopp 1 was made primarily by the NIPH. Director General of the NIPH Camilla Stoltenberg said in an interview with the commission that "we played a major role in the sense that we were the driving force and initiator to create this infection app."
Decision-making processes in the Norwegian government are usually open and transparent, but the process of developing the first version of the app was closed with few internal participants, which could potentially undermine legitimacy. In addition, during the development phase when it became evident which technology would be used, the app was rated among the worst contact-tracing apps in the world by Amnesty International and MIT Technology Review (Amnesty 2020; MIT 2020).
Nevertheless, NIPH and Simula continued to emphasize the value such technology could have for infection tracking if many people used it. They said that up to 60% of the population would have to use it for it to have an adequate effect and efficiently assist infection tracking (NRK 2020b). Both stated publicly that it was vital to use GPS to be able to trace the transmission of the virus quickly. When asked by the media why they did not copy Singapore's app, which was based on open source and Bluetooth, the NIPH said that Smittestopp had been developed for Norwegian conditions and was based on trust between citizens and the government in Norway (NRK 2020c).
In addition, the Norwegian prime minister said at a press conference in April 2020 that "if we want to get our everyday life and freedom back, as many people as possible must download the app" (VG 2020). These measures can be interpreted as an attempt to re-legitimize a process with otherwise low legitimacy. When the technology was banned, the outcome naturally followed in the same way, with low legitimacy. After the app was banned, the Director General of the NIPH said she believed it would weaken crisis preparedness, and the Minister of Health said that he disagreed with the DPA and blamed it for the failure of Smittestopp 1 (Dagbladet 2020). This may have potentially confused citizens and weakened their support.

Smittestopp 2
Legitimacy was strengthened during the development phase for Smittestopp 2. This is evident from the openness surrounding the process, the inclusion of affected groups and privacy experts, and the approval by the DPA. In the tendering process, only one firm wanted to take on the responsibility of creating the new app. Other IT companies in Norway explained that it would pose too great a risk to their reputation to be involved in this process, which was not reassuring. After it had become clear that Netcompany would be the technology developer, it said the communication work it would now have to do was just as important as creating the app itself, and that trust must be built between the Norwegian population and the app (NRK 2020d). This shows once more the importance of public acceptance of such an app.
In Smittestopp 2, the Norwegian health authorities worked more strategically than with Smittestopp 1 to get the population to download the app, a director in the NIPH said in an interview. The leaders recognized that the communication about the previous app had not been very strategic, and that it instead had been simply one item in a long list of advice on infection control, given at daily press conferences. This time, the government hired the advertising agency Dinamo, which promised to conduct a "ruthless" campaign to get as many citizens as possible to download the app (Kampanje 2020). Together, the NIPH, the NDH and Dinamo ran many TV commercials and social media campaigns to image-build and play on people's desire to be able to meet with their families, attend events and send their children back to school. The campaign claimed that the app would help to "bring everyday life back" (Kampanje 2020). The message was conveyed in videos by everyday Norwegians, foreigners speaking other languages and celebrities enthusing about the app. In total, it was communicated in forty-three languages. The idea was to emphasize the necessity of the technology, to spread awareness of it, reach a broad audience, and gain public acceptance.
Furthermore, while there was less uncertainty about the crisis when Smittestopp 2 was developed, the infection numbers were also higher during this period. Nevertheless, Smittestopp 2 was not used very much and contributed little to infection tracking. Couched in terms of legitimacy, the output legitimacy of Smittestopp 2 remained low despite the development phase having higher legitimacy, and the health authorities making a more strategic effort to build legitimacy. Table 3 summarizes the legitimacy in Smittestopp 1 and 2. The findings regarding governance legitimacy between the two versions of the contact-tracing app are interesting. While public support for the Norwegian government and its overall crisis management was high during the crisis (Christensen and Laegreid 2020b), this was not really reflected in the technology. In the second version of the app, input and throughput legitimacy were higher than in the first, but output legitimacy remained low.
As with governance capacity, there was notable learning involved related to legitimacy between Smittestopp 1 and Smittestopp 2. In the first version, new technology was tried out and the government assumed that the public would support the app because it was a part of other measures requiring a collective effort (Christensen and Laegreid 2020a:777). After the app was banned, the health authorities learned that they had to be more strategic in trying to build, or rebuild, the legitimacy of the app.
Regarding input legitimacy, there were few key actors involved in the process of creating Smittestopp 1. No affected groups or IT experts participated. In Smittestopp 2, many of the IT experts who had been especially critical of the first version were consulted, and the inclusion of affected groups gave digitally vulnerable citizens a sense of participation in government action.
There were major changes in throughput legitimacy from Smittestopp 1 to Smittestopp 2. First, the source code was changed from being closed to open. The developers of the first version, Simula, had argued in favor of a closed code for data security reasons, but the NIPH changed this in the second version, as seen in Table 2. Furthermore, the design of the app was not put out to tender in the first version, but it was in the second. One of the main criticisms of the first version of Smittestopp by the DPA was that the NIPH had not documented the usefulness of the app or justified the necessity for GPS. In the process of developing the second version these aspects were resolved satisfactorily, according to the DPA (DPA 2021). Additionally, the NIPH worked much more strategically to get citizens to download the second version of the app. Overall, the throughput legitimacy can be regarded as much higher for the second version than for the first.
Output legitimacy was low in both versions and did not improve. Although input and throughput legitimacy together with governance capacity generally improved, output legitimacy, somewhat surprisingly, did not change. Downloads of Smittestopp 2 did not reach 75% of those of Smittestopp 1 (see Table 1), even after more than nine months, meaning that citizens were not very willing to follow the government's recommendations with respect to this policy.

Discussion and conclusion
The main findings of our study are that even though there were improvements over time in the processes of governance capacity and legitimacy for the digital contact-tracing technology in Norway, the app did not have a significant role to play in the management of the pandemic, and it did not live up to the expectations of the Norwegian health authorities. If used correctly, such technology can decrease the spread of infection significantly, reduce the strain on health services and assist in crisis management (Abueg et al. 2021; Kucharski et al. 2020). While infection rates, the level of uncertainty, and government strategies all changed throughout the COVID-19 pandemic, using digital technology to combat the crisis was just one of many possible measures (Hale et al. 2020). It represented a completely new way of dealing with the spread of infection, making the intra-crisis learning curve significant in terms of knowledge gained, technical functionality, and effects. For such a new approach, legitimacy is likely to be paramount when it affects fundamental values regarding the relationship between the government and its citizens. The main challenge for the government was to get citizens to download and use the app, regardless of which version. Unsurprisingly, there seems to be a connection between the capacity of the app and the level of intrusiveness, making the appropriate balance between privacy and surveillance difficult to achieve for governments, and the strategic work complex (Grekousis and Liu 2021). Looking back at Tables 1 and 2, we can see that there was a long interval between the ban of the first app and the launch of the second, meaning that there was time to assess existing knowledge, look at the experiences of other countries and evaluate alternatives over a relatively long period. The health authorities ended up aiming for moderate capacity with a higher degree of privacy in an attempt to gain legitimacy.
Looking at our empirical case, hiring a different company to develop the technology for the second version of the app for the NIPH was indicative of greater coordination, and it had effects. While Simula had continually argued in favor of its surveillance choices and claimed everything was in order, Netcompany realized that legitimacy had been lost in the first process and that it had to work proactively to restore it in the second. It drew on its experience from a similar app it had developed in Denmark where privacy considerations appeared to be vital for such an app to be accepted by citizens. Together with the health authorities' experience from the Norwegian case, this led to changes in governance capacity in Smittestopp 2, demonstrating the importance of carefully selecting who is involved in coordination, in order not only to coordinate in the right way, but also with the right actors. Overall, this shows the impact of coordination, analytical, regulation and service delivery capacity on legitimacy (Christensen et al. 2016).
Furthermore, the significant changes and improvements in capacity and input and throughput legitimacy between Smittestopp 1 and 2 would, in the best of all worlds, suggest an increase in output legitimacy in the second version. Contrary to expectations, however, this did not occur, and the downloads of the app reached only 20%, which is far from the 60% goal that the NIPH had (NRK 2020b).
As the premise of this type of technology is based on voluntariness, it is only effective when the government and citizens work together. Because of this, both governance capacity and governance legitimacy are central to the development of technology, and important prerequisites for citizens to be able to accept and use such a measure.
Viewing the two apps in relation to the other government measures within the overall TISK strategy of the Norwegian government, some interesting points are relevant to discuss. First, there are some important contextual differences between the two different time-periods when developing the apps. In the period when developing Smittestopp 2, the measures were generally less intrusive, until the end of October 2020 (NOGOV 2020). Although there was a second wave of infection from November 2020, there were many businesses still open, albeit with reduced opening hours, and requirements of distancing and the use of face masks (NOGOV 2020). Since Norway had performed relatively well so far, and vaccines began to come within reach, the country was perhaps not desperate enough for an additional tool like the app to deal with the pandemic, as the other measures had already proved their worth.
Second, one of the ideas of the first Smittestopp app was that it was also supposed to contribute with data, so that the NIPH could research and evaluate the effects of all aspects of the TISK strategy. The Norwegian government had thus aimed toward very high capacity for crisis management at the cost of some privacy, as mentioned earlier. In Smittestopp 2 the ambitions were lowered, as this was not a feature that was possible due to privacy issues, and some of the purpose from the original app vanished. As the second app was more focused on just tracing infection, it was not supposed to replace manual infection tracing, which was one of the goals in the first app, but it was supposed to supplement manual infection tracing (Kvinnsland et al. 2021:196; Simula 2020).
Overall, it does not seem like the Smittestopp apps had a huge impact on the overall TISK strategy of the Norwegian government. This is something that the official corona commission also notes (Kvinnsland et al. 2021). The fact that the commission wrote very little about the app, only about one page in total in a report of 456 pages, can be interpreted as meaning the app did not play a major role in dealing with the pandemic. The commission said that the first app never relieved the municipalities' tracing and tracking efforts, as it was intended to do (Kvinnsland et al. 2021:201). The commission did say that since there was no similar technology available, such an app was a positive initiative. However, they were critical of the fact that privacy considerations were not carried out from the start (Kvinnsland et al. 2021:201).
Nevertheless, one must be careful in declaring success or failure for such a measure in isolation. The overall measures of the Norwegian government's TISK strategy, including distancing and the use of face masks, also partly based on citizens' willingness to follow rules, seem to have worked well, according to the commission (Kvinnsland et al. 2021). While it was experimental from the outset, some lessons were learned throughout the pandemic, which may improve future crisis management. If or when a new pandemic or crisis occurs, one should on the one hand expect that governance capacity with regard to digital technology from the start of a new crisis is higher, something which may also lead to higher legitimacy and acceptance from citizens. It is conceivable that the intra-crisis learning that occurred in this situation may eventually become post-crisis learning, which can then be useful for future crisis management.
On the other hand, it may also be that since this measure did not achieve its intended goal, citizens are now more concerned about government intervention directly into their daily lives and more aware of their privacy in general. With privacy also gaining more public attention with the introduction of the EU's GDPR in 2018, in addition to the fact that citizens may be tired of the pandemic and the other government measures, this can then lead to more difficulties with the acceptance of similar measures or technologies in the future. What emerges from our study is that there may be many factors that affect whether citizens accept a measure or not, and the dynamics within a specific measure and between measures are important to understand for crisis management.
At a general level, one can imagine that capacity and legitimacy sometimes reinforce each other (Christensen and Ma 2021). We see this in our study, with increases in both capacity and some aspects of legitimacy, but there is also evidence in our analysis of legitimacy considerations getting in the way of capacity, creating an opposite effect where the need for legitimacy inhibits capacity. This is illustrated by the reduction of regulatory capacity from Smittestopp 1 to Smittestopp 2. Even though the app was approved in the second process, it had lower capacity in terms of infection tracing. The somewhat low output legitimacy, seen in the actual number of downloads compared to the desired goal of NIPH, appears to persist from the first process to the second, becoming an aspect the Norwegian health authorities had to take into account when trying to convince citizens to download the app (Christensen and Laegreid 2020b).
It is easy to think that output is the most important aspect of crisis management, but our evidence suggests that one should not underestimate input and throughput legitimacy as significant preconditions for output legitimacy. This may apply not only to the use of technology, but also to the general management of crises, where learning and adaptation throughout a crisis occur (Antonacopoulou and Sheaffer 2014; Ansell and Boin 2019).
Additionally, this may also be another argument for allocating more time and resources to the initial crisis response, in order to build analytical capacity early to increase the chance of success, and thus to mitigate the potentially negative consequences of failing a policy early and not getting it in place until much later in the crisis. Through experience and knowledge building the government can gain a more informed understanding of which measures can successfully be changed or reworked within a crisis (Antonacopoulou and Sheaffer 2014:10), and which measures may be more problematic to change. Along with the coordination of relevant actors and inclusion of citizens in the policymaking process at an early stage, this may more easily ensure the legitimacy of government measures, at least in terms of digital contact-tracing and possibly other potentially intrusive measures. Overall, this way of viewing legitimacy provides insights into the complex interaction between different types of governance capacity and different types of governance legitimacy (Lodge and Wegrich 2014), and suggests that under certain conditions, considerable improvement in governance capacity can still generate an unsatisfactory output that citizens do not embrace.
As Norway, with high trust in government and low population density, was seen as a high performer in the pandemic, one can question the necessity of a contact-tracing app. It is not obvious that the government should jeopardize the legitimacy of the overall crisis strategy by being more intrusive in citizens' personal lives. Nevertheless, it is not known what the pandemics and crises of the future will bring, and even if the technology itself did not reach the ambitions of the government, the lessons learned from its development process and the citizens' response can be useful.
There are some limitations of this study and opportunities for future research. Our study concerned governance capacity and legitimacy of one measure in a crisis, which has value because it is a study of a novel technology, but it would also be useful to compare this in depth with the capacity and legitimacy of other measures to gain a more holistic appreciation. Another challenge is the operationalization of output legitimacy as downloads of the app. It does not account for people who no longer use the app, meaning that the low legitimacy we have elaborated on here may be even more significant.
Viewing our study in a larger perspective, it would be interesting to do comparisons across countries and not just within a country. This would provide further insight into how governance capacity relates to legitimacy when it comes to technology development by different governments. Understanding the conditions under which such technology thrives or fails is important for future crisis management. While an app similar to Smittestopp but more intrusive was widely used in China, Singapore's app was initially more privacy focused but gradually became more intrusive (MIT 2020). In Europe, Germany greatly limited data collection from the outset. There are thus potentially many different capacity and legitimacy approaches to digital contact-tracing, and it may be interesting to see this in connection with other contextual factors such as a country's surveillance history (Bennett and Raab 2006) or administrative tradition (Painter and Peters 2010), particularly related to e-government. Finally, future research should study the governance capacity and legitimacy of other digital technologies in other crises to enhance our understanding of the use of technology in crisis and disaster management.