Privacy Review of Contact Tracing Apps in ASEAN Countries

A Comparative Review of Contact Tracing Apps in ASEAN Countries

2 Jun, 2020

TraceTogether, created by Singapore, is the least intrusive when judged on privacy communications and gets the highest overall privacy marks

Introduction

As governments in ASEAN relax lockdown restrictions, Covid-19 contact-tracing smartphone apps are being introduced to help limit any renewed spread of the coronavirus.

What these apps basically do is to allow their users to be better equipped when they participate in the contact tracing process. Specifically, GPS / Bluetooth technology is used to track the locations of all individuals with whom the user of the app may have been in contact.

A user's mobile phone exchanges ID-related information via short-distance Bluetooth signals with other mobile phones running the same app. If a user has been exposed to an infected person who has also downloaded the app, the user is asked to share the contact history stored in their mobile phone with the relevant government agency.

Since users will be running such apps in the background on their Android phones, can these smart apps be trusted? How privacy-intrusive are they? Many people are reluctant to download such apps for fear of constant government surveillance. They worry the app will spy on them by extracting all kinds of personal information from their mobile phones.

We decided to find out if these worries are justified. To do so, we assembled a local team of IAPP (International Association of Privacy Professionals) certified information privacy managers in ASEAN to do a detailed privacy sweep of contact tracing smart apps made available by the governments of five ASEAN countries.

Malaysia: MyTrace
Singapore*: TraceTogether
Thailand: MorChana - หมอชนะ
Indonesia: PeduliLindungi
Vietnam: Blue Zone
The Philippines: StaySafe



Methodology of our Privacy Sweep

We decided to benchmark the contact tracing apps against the survey parameters used by the Global Privacy Enforcement Network (GPEN), which conducted a global privacy sweep of mobile apps back in 2014. That sweep involved the participation of 25 privacy enforcement authorities around the world. (View the full report here.) It assessed the following:

  • the types of permissions sought by a surveyed app 
  • whether those permissions exceeded what would be expected based on the app's functionality 
  • most importantly, how the app explained to consumers why it wanted the personal data and what it planned to do with it

To understand this, we will first take a look at app 'permissions' in general.


Understanding App Permissions

A 'permission' in an app protects the privacy of the user of the app. Every app must include an 'app manifest' that, amongst other things, lists the permissions that the app uses.

Every mobile phone has an operating system, most commonly the Android operating system (Google) or the iOS (Apple) operating system. The vast majority of mobile phones are 'Android phones' and they have two 'permissions' categories:

  • Normal permissions: these permissions do not directly risk the user's privacy - for example, permission to set the time zone is a normal permission. If an app lists a normal permission in its manifest, the system grants the permission automatically.
  • Dangerous permissions: these permissions give the app access to the user's personal data in their mobile phone, such as contacts and SMS messages, as well as certain system features, such as the camera. If a dangerous permission is requested, privacy laws do not allow the relevant personal data to be collected, used or disclosed unless the user gives explicit consent by 'accepting' the request for permission to do so. In addition, privacy laws generally restrict 'dangerous permissions' to personal data that the app may collect, use or disclose while the user is actually using it - they do not allow apps to collect, use or disclose personal data simply because the user downloaded the app. Finally, use of permissions beyond what the app's functionality and purposes require may be deemed excessive.
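The manifest check described above can be automated. The following is an added example, not code from the original review: it reads the permissions declared in a decoded AndroidManifest.xml, separates the dangerous ones, and reports the permission groups that go beyond a contact tracing baseline. The baseline (Location and Storage), the function name `audit_manifest` and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# A subset of Android's dangerous permissions, mapped to the group
# names used in this review (the selection is made for this example).
DANGEROUS = {
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_SMS": "SMS",
}

# Assumption: groups a Bluetooth contact tracing app is expected to need
# (Location for Bluetooth scanning, Storage for the local contact history).
BASELINE = {"Location", "Storage"}

# Constructed sample manifest for a hypothetical app, already decoded to text.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracing">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

def audit_manifest(manifest_xml, baseline=BASELINE):
    """Classify declared permissions and list groups beyond the baseline."""
    root = ET.fromstring(manifest_xml)
    declared = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                declared.add(name)
    dangerous = {p for p in declared if p in DANGEROUS}
    groups = {DANGEROUS[p] for p in dangerous}
    return {
        "dangerous": sorted(dangerous),
        "other": sorted(declared - dangerous),
        "beyond_baseline": sorted(groups - baseline),
    }

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A manifest taken from an APK file is stored as binary XML and must be decoded to text before it can be parsed this way.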

By way of illustration, here is a list of dangerous permissions that might be sought by an app:

Users often blindly "agree" to or "allow" these permissions without first understanding their functions. Nor do they read the privacy policies of the respective applications.

The following table shows the various dangerous permissions being used in the five contact tracing smart apps we reviewed:


Singapore’s TraceTogether and Vietnam’s Blue Zone use the fewest permissions to perform their contact tracing functions; Thailand’s MorChana uses the most.

We looked at whether these dangerous permissions exceeded what would be expected based on the app’s functionality. We also looked at the explanation in the privacy statement about why these permissions are needed and what will be done with the relevant personal data.

Before considering those points, here is an explanation of various permissions and some comments about potential risks if they were to be abused.

PERMISSIONS, AND THE RISKS IF ABUSED

Camera. An app that has "Camera" permission is able to take pictures and videos on the phone. Users of the Thai MorChana App are asked to take a photo of themselves upon registration.

If abused: Apps using a "Camera" permission can also have access to record audio similar to the "Microphone" permission. In addition, the app could "watch" the user via the camera and listen to the user via the microphone when the user uses other apps or when the device's screen is off.

Device & App History. Both Malaysia's MyTrace and Thailand's MorChana App use the "Device & app history" permission to retrieve running apps.

If abused: Apps using this permission can also read sensitive phone log data, retrieve system internal state information and retrieve web bookmarks and history. In addition to reading log data from other apps, apps using this permission can store usernames and passwords in them - in plain text.

Location. All the apps use the "Location" permission that allows the app to ask for the user's approximate, network-based location. This enables the app to track the user's exact location per the device's GPS.

However, the apps do not actually track the user's location. Location permissions are mandatory when Bluetooth technology is used on an Android phone. It is an outcome of how the Bluetooth technology works - the location permission is required so that 'close proximity' information can be collected.

If abused: Apps using this permission can identify the user's location within several feet and track their every movement.

Photos/Media/Files/Storage. All of the contact tracing apps use this permission to store the contact tracing history on the user's mobile phone.

Users are only asked to share their contact history if the user has come into contact with an infected person.

If abused: Apps using this permission can read the contents of the user's shared storage (USB device and SD card) as well as format their entire external storage device.


The following tables summarise our findings. The sweeper is our reviewer.

Singapore’s TraceTogether comes up tops in terms of privacy communications and overall marks. It clearly takes into account data protection by design and data minimisation principles.

The privacy statement and accompanying documents explain clearly and in simple English (that is, not in legalese) what the TraceTogether app does, what type of personal data is collected and how it may be used or disclosed. Our review shows that the permissions the app seeks do not exceed its functionality and declared purposes.

While the TraceTogether app is not subject to Singapore’s Personal Data Protection Act (PDPA) since it is developed by the government, it is generally consistent with those obligations and principles.

The few areas where it falls short tend to reflect the nature of an app such as the TraceTogether app rather than an inadvertent or careless departure from an obligation or principle.*

Malaysia’s MyTrace is similar to Singapore’s TraceTogether in terms of functionality. However, the biggest issue is in its privacy notice which does not state how personal data is processed. It offers little explanation on how permissions are being used in the app. 

Indonesia’s PeduliLindungi offers the usual exchange of ID-related information via the mobile phone’s Bluetooth signals with other mobile phones. However, unlike the previous apps, it requires the user’s complete name during registration. The app also notifies users if they are in crowded areas or “zones”, which creates concerns of constant surveillance by the government. It is unclear how users will share their contact history data with the government if there is an infected case. There is no upload button, unlike the previous two apps.

In addition, the app requires the camera permission so as to enable a QR code scan of a web site URL. However, this is only applicable to overseas visitors at the immigration gate and to those participating in rapid COVID-19 tests. This is not clearly stated in either the privacy statement or the terms and conditions. Hence, this permission would be considered excessive for the purpose of contact tracing.

Vietnam’s Blue Zone doesn’t have a specific privacy notice or statement. This is not surprising given that the country doesn’t have a data protection law. Besides the usual functionality found in contact tracing apps, what makes the app unique is that users can scan for other users, although no personal information is revealed. While this may be intended by the government to encourage participation, it might cause concerns for users worried about their own privacy.

Similar to Indonesia, it is also unclear how users will share their contact history data with the government in the case of an infection.

As indicated earlier, Thailand’s MorChana app uses the most permissions. While there are no issues regarding its privacy notice in the pre-installation stage, there are concerns with its excessive use of permissions relative to its purpose of contact tracing and the additional purpose of self-assessment for any risk of infection. For example, it requires the camera permission (so that a selfie can be taken during registration). The reasons for these permissions are not explained in the privacy notice.

The Philippines’ StaySafe app requires the most information during registration (name, age, location, gender, photo, company name), although it is not mandatory. It also allows the input of the user’s family members as an option. This contradicts the privacy statement that assures that no personal information will be collected. Another potentially excessive feature can be seen in the use of the camera permission to allow the user to upload a photo, which is not related to the purpose of the app. Neither the privacy statement nor the documentation explains what this is used for.

Unlike the contact tracing apps in the other ASEAN countries, StaySafe is the only app that is not directly developed by the local government. A check on the website of its developer, Multisys Technologies Corporation, revealed that there is no published privacy policy, so there may be concern about its privacy practices and whether the developer has access to personal information of users.



By Kevin Shepherdson, CEO, Straits Interactive Pte Ltd and
Lyn Boxall, Director, Lyn Boxall LLC



Details from the webinar can be downloaded here at:
A Comparative Review of Contact Tracing Apps in ASEAN countries

* A research review of Singapore’s TraceTogether App can be found here.


Photo: Shutterstock

