Singapore's TraceTogether is the least intrusive app when judged on privacy communications and gets the highest overall privacy marks
As governments in ASEAN relax lockdown restrictions, Covid-19 contact-tracing smartphone apps are being introduced to help limit any renewed spread of the coronavirus.
These apps let their users take part more effectively in the contact tracing process. Specifically, GPS / Bluetooth technology is used to track the locations of all individuals with whom the user of the app may have been in contact.
A user's mobile phone exchanges ID-related information via short-distance Bluetooth signals with other mobile phones running the same app. If a user has been exposed to an infected person who has also downloaded the app, the user is asked to share the contact history stored on their phone with the relevant government agency.
Since users will be running such apps in the background on their Android phones, can these apps be trusted? How privacy-intrusive are they? Many people are reluctant to download such apps for fear of constant government surveillance. They worry that the app will spy on them by extracting all kinds of personal information from their mobile phones.
We decided to find out if these worries are justified. To do so, we assembled a local team of IAPP (International Association of Privacy Professionals) certified information privacy managers in ASEAN to do a detailed privacy sweep of contact tracing smart apps made available by the governments of five ASEAN countries.
| Country | App |
| Thailand | MorChana (หมอชนะ) |
We decided to benchmark the contact tracing apps against the survey parameters used by the Global Privacy Enforcement Network (GPEN), which conducted a global privacy sweep of mobile apps back in 2014. That sweep involved the participation of 25 privacy enforcement authorities around the world. (View the full report here.) It assessed the following:
To understand this, we will first take a look at app 'permissions' in general.
App 'permissions' protect the privacy of the app's user. Every app must include an 'app manifest' that, amongst other things, lists the permissions that the app uses.
Every mobile phone has an operating system, most commonly Android (Google) or iOS (Apple). The vast majority of mobile phones are 'Android phones', and Android has two categories of 'permissions':
By way of illustration, here is a list of dangerous permissions that might be sought by an app:
Users often blindly "agree" to or "allow" these permissions without first understanding their functions. Nor do they read the privacy policies of the respective applications.
The following table shows the various dangerous permissions being used in the five contact tracing smart apps we reviewed:
Singapore’s TraceTogether and Vietnam’s Blue Zone use the fewest permissions to perform their contact tracing functions; Thailand’s MorChana uses the most.
We looked at whether these dangerous permissions exceeded what would be expected based on the app’s functionality. We also looked at the explanation in the privacy statement about why these permissions are needed and what will be done with the relevant personal data.
Before considering those points, here is an explanation of various permissions and some comments about potential risks if they were to be abused.
Camera. An app that has "Camera" permission is able to take pictures and videos on the phone. Users of the Thai MorChana App are asked to take a photo of themselves upon registration.
Apps with the "Camera" permission can also record audio, similar to the "Microphone" permission. In addition, such an app could "watch" the user via the camera and listen to the user via the microphone while the user uses other apps or when the device's screen is off.
Device & App History. Both Malaysia's MyTrace and Thailand's MorChana App use the "Device & app history" permission to retrieve running apps.
Apps using this permission can also read sensitive phone log data, retrieve system internal state information and retrieve web bookmarks and history. In addition to reading log data from other apps, apps using this permission can read any usernames and passwords that other apps have written into those logs in plain text.
Location. All the apps use the "Location" permission, which allows the app to ask for the user's approximate, network-based location. This enables the app to track the user's exact location per the device's GPS.
However, the apps do not actually track the user's location. Location permission is mandatory when Bluetooth technology is used on an Android phone. It is an outcome of how the Bluetooth technology works: the location permission is required so that 'close proximity' information can be collected.
Apps using this permission can identify the user's location within several feet and track their every movement.
Photos/Media/Files/Storage. All of the contact tracing apps use this permission to store the contact tracing history on the user's mobile phone.
Users are only asked to share their contact history if the user has come into contact with an infected person.
Apps using this permission can read the contents of the user's shared storage (USB device and SD card) as well as format the entire external storage device.
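As an added example (not code from the review or from any of the apps discussed), the following Python script reads the permissions an app manifest declares, as described above, and flags the dangerous permission groups that go beyond what a Bluetooth contact-tracing purpose accounts for. The sample manifest, the mapping of the review's permission groups onto android.permission.* names, and the set of groups treated as expected are all constructed assumptions.

```python
"""Constructed audit: dangerous permission groups an Android manifest requests, and which exceed a contact-tracing purpose."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Dangerous permission groups as the review names them; mapping them onto
# android.permission.* strings is this example's own assumption.
DANGEROUS_GROUPS = {
    "Camera": {"android.permission.CAMERA"},
    "Microphone": {"android.permission.RECORD_AUDIO"},
    "Device & app history": {"android.permission.GET_TASKS", "android.permission.READ_LOGS"},
    "Location": {"android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_FINE_LOCATION"},
    "Photos/Media/Files/Storage": {"android.permission.READ_EXTERNAL_STORAGE",
                                   "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Groups a Bluetooth proximity-tracing app is expected to need (assumption): Location
# because Android ties Bluetooth scanning to it, Storage for the locally kept history.
EXPECTED_FOR_CONTACT_TRACING = {"Location", "Photos/Media/Files/Storage"}

# Constructed manifest for illustration; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.tracing.app">
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def dangerous_groups_used(permissions):
    """Return the dangerous groups that at least one requested permission falls into."""
    return {group for group, names in DANGEROUS_GROUPS.items() if names & permissions}

def excessive_groups(manifest_xml, expected=EXPECTED_FOR_CONTACT_TRACING):
    """Dangerous groups requested beyond what the declared purpose accounts for."""
    used = dangerous_groups_used(requested_permissions(manifest_xml))
    return sorted(used - expected)

if __name__ == "__main__":
    print("Dangerous groups used:", sorted(dangerous_groups_used(requested_permissions(SAMPLE_MANIFEST))))
    print("Exceeding the contact-tracing purpose:", excessive_groups(SAMPLE_MANIFEST))
```

Passing a different expected set (for example one that also includes "Camera" for an app whose documented purpose covers registration photos) shows how the verdict depends on the purposes the privacy statement actually declares.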
The following tables summarise our findings. The sweeper is our reviewer.
Singapore’s TraceTogether comes up tops in terms of privacy communications and overall marks. It clearly takes into account data protection by design and data minimisation principles.
The privacy statement and accompanying documents explain clearly and in simple English (that is, not in legalese) what the TraceTogether app does, what type of personal data is collected and how it may be used or disclosed. Our review shows that the permissions the app seeks do not exceed its functionality and declared purposes.
While the TraceTogether app is not subject to Singapore’s Personal Data Protection Act (PDPA), since it is developed by the government, it is generally consistent with those obligations and principles.
The few areas where it falls short tend to reflect the nature of an app such as the TraceTogether app rather than an inadvertent or careless departure from an obligation or principle.*
Malaysia’s MyTrace is similar to Singapore’s TraceTogether in terms of functionality. However, its biggest issue is its privacy notice, which does not state how personal data is processed and offers little explanation of how permissions are used in the app.
Indonesia’s PeduliLindungi offers the usual exchange of ID-related information via the mobile phone’s Bluetooth signals with other mobile phones. However, unlike the previous apps, it requires the user’s complete name during registration. The app also notifies users if they are in crowded areas or “zones”, which creates concerns of constant surveillance by the government. It is unclear how users will share their contact history data with the government if there is an infected case; unlike the previous two apps, there is no upload button.
In addition, the app requires the camera permission so that it can scan a QR code containing a web site URL. However, this is only applicable to overseas visitors at the immigration gate and to those participating in rapid Covid-19 tests, and it is not clearly stated in either the privacy statement or the terms and conditions. Hence, this permission would be considered excessive for the purpose of contact tracing.
Vietnam’s Blue Zone doesn’t have a specific privacy notice or statement. This is not surprising given that the country doesn’t have a data protection law. Besides the usual functionality found in contact tracing apps, what makes the app unique is that users can scan for other users, although no personal information is revealed. While the government may intend this to encourage participation, it might cause concerns for users worried about their own privacy.
Similar to Indonesia, it is also unclear how users will share their contact history data with the government in the case of an infection.
As indicated earlier, Thailand’s MorChana app uses the most permissions. While there are no issues regarding its privacy notice in the pre-installation stage, there are concerns about its use of permissions, which is disproportionate to its purpose of contact tracing and its additional purpose of self-assessment for any risk of infection. For example, it requires the camera permission (so that a selfie can be taken during registration). The reasons for these permissions are not explained in the privacy notice.
The Philippines’ StaySafe app requires the most information during registration (name, age, location, gender, photo, company name), although providing it is not mandatory. It also allows the input of the user’s family members as an option. This contradicts the privacy statement, which assures users that no personal information will be collected. Another potentially excessive feature is the use of the camera permission to allow the user to upload a photo, which is not related to the purpose of the app. Neither the privacy statement nor the documentation explains what this is used for.
By Kevin Shepherdson, CEO, Straits Interactive Pte Ltd and
Lyn Boxall, Director, Lyn Boxall LLC
Details from the webinar can be downloaded here at:
A Comparative Review of Contact Tracing Apps in ASEAN countries.
* A research review of Singapore’s TraceTogether App can be found here.