Do contact tracing apps help reduce the spread of COVID-19? Or are they mere security theatre, giving us a false sense of safety while at the same time chipping away at our privacy, rights, and freedoms?
Most COVID-19 contact tracing apps in the Asia-Pacific rely on digital tokens exchanged between devices via Bluetooth Low Energy (BLE), check-in data from QR codes scanned on location, or both.
As their usage has become ubiquitous, there is a trend towards more features that are not related to or necessary for contact tracing being introduced in these apps, such as vaccine certification. It is also especially worrying when public officials are openly promoting third-party integrations with commercial services (like in Indonesia) without due regard to privacy, security, and accessibility. These additional features require more mobile data and use up more device capacity, disadvantaging users with low-end smartphones (not to mention non-smartphones).
Some of these apps (like PeduliLindungi in Indonesia) also track people using GPS to show whether they are in a “red zone”, or where there is a high rate of COVID-19 infection. Another common feature in these apps is a COVID-19 assessment tool that categorises a user as having a high, medium, or low risk to infect other people. China’s HealthCode, for example, has a “traffic light” system that designates a user’s risk status as red, yellow, or green. Many of them also provide public health information like daily COVID-19 statistics and test sites, which are already available on government websites and covered by the news media.
Table 1 – Contact tracing app features comparison
|Bluetooth||QR Code||Vaccine Certificate||Third-party Integration|
|Australia - COVIDSafe||⬤|
|Bangladesh – Corona Tracer BD||⬤|
|Brunei – BruHealth||⬤||⬤||⬤|
|China – HealthCode||⬤||⬤|
|Hong Kong – LeaveHomeSafe||⬤|
|Indonesia – Peduli Lindungi||⬤||⬤||⬤||⬤|
|Malaysia – MySejahtera||⬤||⬤||⬤||⬤|
|Myanmar – Saw Saw Shar||⬤||⬤|
|Philippines – Stay Safe PH||⬤|
|Singapore – TraceTogether||⬤||⬤||⬤|
|Vietnam – Bluezone||⬤|
What personal data do contact tracing apps actually need?
For a contact tracing app to work, it should essentially do only three things:
- Store just enough exchanged Bluetooth tokens or QR code location data scanned on the user’s device
- Analyse the stored tokens or data for any close contact with an infected person within a reasonable period
- If there’s close contact, public health officials inform the user about potential exposure so that they can get tested for COVID-19 and go into self-isolation.
Table 2: Contact tracing apps and personal data protection
|Australia – COVIDSafe||Phone number, name, age group, postcode||Prominently displayed||Privacy Act 1988|
|Bangladesh – Corona Tracer BD||Phone number, identity card, geolocation||Not displayed||No comprehensive personal data protection law|
|Brunei – BruHealth||Name, gender, date of birth, identity card or birth certificate number, address, phone number, email address, health record number, copy of identification document, photo, device and network identifiers||Not linked on the web page about the app||No comprehensive personal data protection law|
|Indonesia – Peduli Lindungi||Name, identity card number, phone number or email address, geolocation, health records||Very prominently displayed on the web, but different in the app||Comprehensive personal data protection bill being legislated|
|Malaysia – MySejahtera||Name, identity card or passport number, date of birth, country of origin, phone number, email, gender, device information||Prominently displayed||Personal Data Protection Act 2010, not applicable to government|
|Myanmar – Saw Saw Shar||Name, mobile number, device and network identifiers||Website no longer accessible||No comprehensive personal data protection law|
|Philippines – Stay Safe PH||Name, age, gender, contact number, photo, address, email address||Prominently displayed||Data Privacy Act 2012|
|Singapore – TraceTogether||Name, date of birth, phone number, identity card or passport number||Prominently displayed||Personal Data Protection Act 2012|
|Vietnam – Bluezone||Name, phone number, address||Displayed as FAQ and terms and conditions||Personal Data Protection Decree (effective Dec 2021)|
The lack of comprehensive national personal data protection laws in but some of these countries also means there are virtually no safeguards, especially when they do not even apply to governments (like in Malaysia). In the event of a breach of security and privacy on these apps, users are left with practically no legal recourse. For the most part, the implementation of these contact tracing apps created a compliance trap. So why has there not been more pushback against this authoritarian approach?
Do contact tracing apps really work as they should?
Consider this: Since the launch of the COVID-19 contact tracing app in your country, how many times have you actually been informed of being in close contact with someone infected?
Given the widespread impact of the pandemic, it is reasonable for you to expect to be informed of close contact more than a few times in the last 18 months. That’s not the case in countries like Malaysia, which has lifted most of its travel restrictions and promoted safe reopening of businesses to help revive its ailing economy. One lawmaker has called Malaysia’s MySejahtera contract tracing app “dysfunctional” because, despite its mandatory usage and universal adoption at all government and business premises, there is very little contact tracing actually done using the app.
Some countries also have multiple contact tracing apps. Australia’s COVIDsafe app introduced by the national government in April 2020 has largely been replaced by the different QR-based apps mandated by state governments. Malaysia developed Bluetooth-based MyTrace and practically abandoned it in favour of QR-based MySejahtera. In Thailand, members of the public rebuffed at Mor Chana app forcing the government to make a U-turn on its mandatory use. This state of disarray in public policy leadership reflects competing political and commercial interests that take away focus, energy, and resources in the whole FTTIS strategy and put individual users’ personal data, health, and safety as secondary.
How secure are these contact tracing apps?
People across the globe ought to demand more transparency on how personal data is collected, stored, and processed. So much about how the apps really function and the technology they use is not widely communicated to users. Here are some questions that you should ask your government about the contact tracing app they make you use:
- Is any of the data stored on the device, transferred over the network, or kept at other locations not encrypted? What is encrypted and what is not? How is encryption done?
- Who develops the app and how did they get picked? Who has access to the data? To what data do they have access?
- How long do the app and the infrastructure that supports it retain the data? What happens to the data when the app is discontinued?
- Is the app open source and/or audited and verified by third parties?
We should be pushing back more on these apps. Brunei’s BruHealth and Indonesia’s PeduliLindungi, for example, store health records, for which the governments have not demonstrated the need to collect and for which no adequate data protection is provided. In September this year, Indonesian media reported that President Jokowi’s own vaccine certificate was leaked from PeduliLindungi with his national identity card number shown on the electronic document. To date, there has not been a clear response to the breach and specific measures to safeguard user data on the app despite concerns raised by security experts.
The FTTIS approach is meant for public health management, and there is a legitimate purpose for mass contact tracing – with the right controls and safeguards. However, the line must be drawn at any form of state surveillance. In January, Singapore Home Minister admitted that the police may use TraceTogether data in criminal investigations, which is a blatant overreach from the purpose of the contact tracing app. Only after a huge public outcry did the Singapore parliament pass a law to limit police use of the app to investigate murder, terrorism, and other serious crimes. This built-in surveillance by default is a slippery slope and warrants extra caution. In Malaysia, human rights advocates raising similar concerns are facing harassment by the authorities. We must do more to be vigilant about and call out our governments’ creeping authoritarian tendencies.
For further reading about COVID-19 contact tracing applications, check out this resource from DigitalReach.
Khairil Zhafri is EngageMedia’s Digital Rights and Technology Manager. Learn more about him via our team page.