From contact tracing to voter tracing? Risk of data misuse in the Philippines

Almost two years into the COVID-19 pandemic, the Philippine government has yet to address privacy and digital rights concerns about its national contact tracing program. In fact, these concerns have mostly been ignored, and the promotion of the controversial StaySafe.PH contact tracing app has carried on as if it’s business as usual.

This inaction is all the more concerning as the Philippine elections in May 2022 draw near. Much is at stake for the country, as the results of the elections can determine the trajectory of Philippine democracy. It is therefore troubling that various tech experts have said it is possible that information collected through the StaySafe.PH app could be used to reach (and maybe even sway) voters.

Based on how the app is currently being used – and misused – Filipinos need to be vigilant about the information they are providing and how it is being used by a government flagged for “numerous systematic human rights violations”.

StaySafe exhibits red flags for data privacy, digital rights

The Philippine government signed a deal with Multisys Technologies in April 2020 to use StaySafe as the official “contact tracing, health condition reporting, and social distancing system” application. A quick review of the Multisys website shows its past work mostly consisted of business solutions, aside from MeGov which aims to “streamline government services”.

Two months after the deal signing and app launch, StaySafe faced criticism from tech experts due to “excessive permissions and unclear parameters” on how collected information will be used after the COVID-19 crisis, with some government law enforcement agencies like the National Bureau of Investigation having access to the data. An analysis from the Toronto-based Citizen Lab revealed major vulnerabilities in the app, including one which allowed an ordinary user to access other users’ geolocation data. Amid these data privacy concerns, the app was reportedly approved without technical vetting.

By mid-June 2020, Multisys signed an agreement to transfer data ownership to the Department of Health. But in January 2021 Rappler reported that the data transfer had not been facilitated – which meant contact tracing data remained on Multisys servers months after the agreed transfer date – despite claims from the official presidential spokesperson that it had been “assigned” to the Department of Health as of September 2020. Despite this delay, government promotions of StaySafe as the official contact tracing platform continued.

Some local governments, despite discouragement from the Department of the Interior and Local Government, also opted to build their own contact tracing applications due to concerns raised against StaySafe and the pace at which it was rolled out. In Metro Manila, for example, one might need two contact tracing applications if traveling between cities. Private companies later followed suit and started rolling out their own branded contact tracing applications. For example, supermarket chain Puregold applied a two-type contact tracing system – either use the online application or fill out a manual form when entering their stores.

As of writing, there is little to no information on what is done with these separate contact tracing initiatives, such as whether information collected from these businesses is forwarded to StaySafe or government agencies, what the protocol is around data sharing, and how much data has been forwarded so far.

The main justification for StaySafe and a national contact tracing program is to mitigate the spread of COVID-19. However, notifications about possible COVID-19 exposure through these various contact tracing systems (and especially through StaySafe) have been inconsistent at best. In practice, the bulk of the monitoring and notification work has been passed on to community leaders and local governments that lack comprehensive training on data protection practices, presenting a possible vulnerability to the data they have in custody.

Pandemic data collection spells possibilities for data misuse, danger to democracy

If contact tracing is not happening on the national level, what then is the point of these contact tracing systems and what is the purpose of collecting personal data? Already, there have been complaints about unsolicited calls and text messages, which can be traced to the contact tracing system. The Foundation for Media Alternatives warns that this situation may worsen, reporting that proposals to have the contact tracing system latch on to other systems with different functions “will surely increase the chances of data abuse or misuse, absent any meaningful set of regulations”.

Tech experts have also pointed out another worrying possibility: that the database could be used to reach out to voters for the 2022 elections or to target government critics. In June 2021, voters from different parts of the country reported receiving text messages on COVID-19 vaccinations supposedly from Philippine President Rodrigo Duterte and his daughter Sara Duterte, who were then widely rumoured to be running in the elections. (The presidential daughter has since announced her bid for the vice presidency.) While the text blasts were disowned by the presidential spokesperson, the incident fueled further concerns from the general public on the use of information supposedly only meant to help curb the pandemic. As the official campaign period draws closer, similar incidents must be closely monitored and called out.

EngageMedia is also concerned that contact tracing data could be used to target government critics. By cross-referencing the StaySafe database with information from government security agencies, tracking and monitoring of government critics could be made easier. These fears may not be unfounded; over the course of the pandemic, the Philippine government has:

  1. Targeted ordinary citizens for airing their sentiments on the government’s pandemic response;
  2. Closed down a national broadcast network;
  3. Passed the Anti-Terror Law, which can be used to threaten freedom of speech and dissent; and,
  4. Weaponised the cyberlibel law against journalist and Nobel laureate Maria Ressa to suppress freedom of speech.

One might wonder: where is the Philippines’ National Privacy Commission amid these concerns? While the commission has released statements and claimed to be monitoring these issues, the government data protection agency has taken little action to bring responsible parties into line or, in the case of violators, to justice. It is unclear if data privacy and digital rights violations related to the pandemic response have been acted upon, regardless of support from the commission. The commission has also failed to adequately ensure that personal data privacy is upheld by both the government and the private sector, and that the general public understands how the Data Privacy Act of 2012 protects them against privacy violations.

Two years into the pandemic, public interest questions on the contact tracing system remain unanswered: How does StaySafe contribute to curbing COVID-19 cases? How can we improve the protection of people’s data privacy and digital rights? And how can the National Privacy Commission play a more active role in enforcing Filipinos’ digital rights to privacy?

If the government cannot answer these definitively sooner rather than later, it might be time to rethink the digital privacy implications of technology in the pandemic response. And with the 2022 Philippine elections just months away, addressing concerns about repurposing collected COVID-19 data for electoral campaigns should be a top priority. Having access to such a massive – and potentially vulnerable – database may undermine Philippine democracy.