COVID-19 contact tracing: At what cost to our privacy, rights, and freedoms?

Before entering the Katoomba Library in Australia, visitors must sign in via a contact tracing app. by the local government. Photo by Blue Mountains Library, used under the CC BY-SA 2.0 license.

 

Do contact tracing apps help reduce the spread of COVID-19? Or are they mere security theatre, giving us a false sense of safety while at the same time chipping away at our privacy, rights, and freedoms?

Most COVID-19 contact tracing apps in the Asia-Pacific rely on digital tokens exchanged between devices via Bluetooth Low Energy (BLE), check-in data from QR codes scanned on location, or both.

As their usage has become ubiquitous, there is a trend towards more features that are not related to or necessary for contact tracing being introduced in these apps, such as vaccine certification. It is also especially worrying when public officials are openly promoting third-party integrations with commercial services (like in Indonesia) without due regard to privacy, security, and accessibility. These additional features require more mobile data and use up more device capacity, disadvantaging users with low-end smartphones (not to mention non-smartphones).

Some of these apps (like PeduliLindungi in Indonesia) also track people using GPS to show whether they are in a “red zone”, or where there is a high rate of COVID-19 infection. Another common feature in these apps is a COVID-19 assessment tool that categorises a user as having a high, medium, or low risk to infect other people. China’s HealthCode, for example, has a “traffic light” system that designates a user’s risk status as red, yellow, or green. Many of them also provide public health information like daily COVID-19 statistics and test sites, which are already available on government websites and covered by the news media.

 

Table 1 – Contact tracing app features comparison

 BluetoothQR CodeVaccine CertificateThird-party Integration
Australia - COVIDSafe
Bangladesh – Corona Tracer BD
Brunei – BruHealth
China – HealthCode
Hong Kong – LeaveHomeSafe
Indonesia – Peduli Lindungi
Malaysia – MySejahtera
Myanmar – Saw Saw Shar
Philippines – Stay Safe PH
Singapore – TraceTogether
Vietnam – Bluezone

 

What personal data do contact tracing apps actually need?

For a contact tracing app to work, it should essentially do only three things:

  1. Store just enough exchanged Bluetooth tokens or QR code location data scanned on the user’s device
  2. Analyse the stored tokens or data for any close contact with an infected person within a reasonable period
  3. If there’s close contact, public health officials inform the user about potential exposure so that they can get tested for COVID-19 and go into self-isolation.

The app only requires very minimal personally identifiable information to facilitate health officials in implementing the find-test-trace-isolate-support (FTTIS) strategy effectively. Research by DigitalReach, however, shows that digital contact tracing initiatives have features and technical vulnerabilities that raise serious privacy concerns. The privacy policy for Brunei’s BruHealth states that it collects a wide range of data, including personal details, physical location and movement, and device system and network information (eg IMEI, IMSI, SSID, BSSID). This kind of overreach in data collection raises some serious concerns over digital security and state surveillance.

 

Table 2: Contact tracing apps and personal data protection

 Personal DataPrivacy PolicyNational Personal Data Protection Law Status
Australia – COVIDSafePhone number, name, age group, postcodeProminently displayedPrivacy Act 1988
Bangladesh – Corona Tracer BDPhone number, identity card, geolocationNot displayedNo comprehensive personal data protection law
Brunei – BruHealthName, gender, date of birth, identity card or birth certificate number, address, phone number, email address, health record number, copy of identification document, photo, device and network identifiersNot linked on the web page about the appNo comprehensive personal data protection law
Indonesia – Peduli LindungiName, identity card number, phone number or email address, geolocation, health recordsVery prominently displayed on the web, but different in the appComprehensive personal data protection bill being legislated
Malaysia – MySejahteraName, identity card or passport number, date of birth, country of origin, phone number, email, gender, device informationProminently displayedPersonal Data Protection Act 2010, not applicable to government
Myanmar – Saw Saw SharName, mobile number, device and network identifiersWebsite no longer accessibleNo comprehensive personal data protection law
Philippines – Stay Safe PHName, age, gender, contact number, photo, address, email addressProminently displayedData Privacy Act 2012
Singapore – TraceTogetherName, date of birth, phone number, identity card or passport numberProminently displayedPersonal Data Protection Act 2012
Vietnam – BluezoneName, phone number, addressDisplayed as FAQ and terms and conditionsPersonal Data Protection Decree (effective Dec 2021)

 

The lack of comprehensive national personal data protection laws in but some of these countries also means there are virtually no safeguards, especially when they do not even apply to governments (like in Malaysia). In the event of a breach of security and privacy on these apps, users are left with practically no legal recourse. For the most part, the implementation of these contact tracing apps created a compliance trap. So why has there not been more pushback against this authoritarian approach?

Do contact tracing apps really work as they should?

Consider this: Since the launch of the COVID-19 contact tracing app in your country, how many times have you actually been informed of being in close contact with someone infected?

Given the widespread impact of the pandemic, it is reasonable for you to expect to be informed of close contact more than a few times in the last 18 months. That’s not the case in countries like Malaysia, which has lifted most of its travel restrictions and promoted safe reopening of businesses to help revive its ailing economy. One lawmaker has called Malaysia’s MySejahtera contract tracing app “dysfunctional” because, despite its mandatory usage and universal adoption at all government and business premises, there is very little contact tracing actually done using the app.

Some countries also have multiple contact tracing apps. Australia’s COVIDsafe app introduced by the national government in April 2020 has largely been replaced by the different QR-based apps mandated by state governments. Malaysia developed Bluetooth-based MyTrace and practically abandoned it in favour of QR-based MySejahtera. In Thailand, members of the public rebuffed at Mor Chana app forcing the government to make a U-turn on its mandatory use. This state of disarray in public policy leadership reflects competing political and commercial interests that take away focus, energy, and resources in the whole FTTIS strategy and put individual users’ personal data, health, and safety as secondary.

How secure are these contact tracing apps?

People across the globe ought to demand more transparency on how personal data is collected, stored, and processed. So much about how the apps really function and the technology they use is not widely communicated to users. Here are some questions that you should ask your government about the contact tracing app they make you use:

  1. Is any of the data stored on the device, transferred over the network, or kept at other locations not encrypted? What is encrypted and what is not? How is encryption done?
  2. Who develops the app and how did they get picked? Who has access to the data? To what data do they have access?
  3. How long do the app and the infrastructure that supports it retain the data? What happens to the data when the app is discontinued?
  4. Is the app open source and/or audited and verified by third parties?

We should be pushing back more on these apps. Brunei’s BruHealth and Indonesia’s PeduliLindungi, for example, store health records, for which the governments have not demonstrated the need to collect and for which no adequate data protection is provided. In September this year, Indonesian media reported that President Jokowi’s own vaccine certificate was leaked from PeduliLindungi with his national identity card number shown on the electronic document. To date, there has not been a clear response to the breach and specific measures to safeguard user data on the app despite concerns raised by security experts.

The FTTIS approach is meant for public health management, and there is a legitimate purpose for mass contact tracing – with the right controls and safeguards. However, the line must be drawn at any form of state surveillance. In January, Singapore Home Minister admitted that the police may use TraceTogether data in criminal investigations, which is a blatant overreach from the purpose of the contact tracing app. Only after a huge public outcry did the Singapore parliament pass a law to limit police use of the app to investigate murder, terrorism, and other serious crimes. This built-in surveillance by default is a slippery slope and warrants extra caution. In Malaysia, human rights advocates raising similar concerns are facing harassment by the authorities. We must do more to be vigilant about and call out our governments’ creeping authoritarian tendencies.

For further reading about COVID-19 contact tracing applications, check out this resource from DigitalReach.


Khairil Zhafri is EngageMedia’s Digital Rights and Technology Manager. Learn more about him via our team page.

3 thoughts on “COVID-19 contact tracing: At what cost to our privacy, rights, and freedoms?”

  1. This text provides very important information on the issue of contact tracking apps in Southeast Asian countries. Such information is hardly known in Japan. I fear that Japanese ICT companies and development assistance funds may be involved in providing and developing such apps.
    I have translated the article into Japanese and posted it on my blog.
    https://www.alt-movements.org/no_more_capitalism/hankanshi-info/knowledge-base/engagemediacovid-19/
    If you find any problems, please let me know.

  2. Pingback: A Call for Action and Renewal: Reflections on 2021 - EngageMedia

  3. Pingback: Vaccine passports: Ineffective for curbing COVID-19 transmissions, risky for digital security - EngageMedia

Leave a Comment

Your email address will not be published. Required fields are marked *

Please type in the numbers you see. *

Subscribe to the EngageMedia newsletter!

Twice a month, get updates on EngageMedia activities and opportunities.