April 24, 2020 - Comments Off on How private is the COVID 19 App
How private is the COVID 19 App
Around the world, governments have taken to technology to stop the spread of COVID 19. The experiences and the success of this strategy differed in each area, however, it seems the world is in agreement- we need to employ technology to help with handling the novel coronavirus. Singapore, Taiwan, South Korea and China all used technology in their fight against the disease. They all used mobile apps in some form or the other, to track the movement of the disease and to find out who might have come into contact with a victim. These countries credit technology for helping them understand how the virus moved and where to implement harsh lockdowns and quarantines. As the virus has spread across the globe, more countries are seeing these applications as their way out and are beginning to adopt these technologies also.
The Ministry of Information Technology and Telecommunication (MOITT) along with the National IT Board (NITB) recently launched an app called ‘COVID-19 Gov PK’. This application gives people up to date information about the spread of the novel Corona virus in Pakistan. However, the app has a feature that allows people to trace the disease, and allows the Government to track the trajectory by tracking the movement of its citizens. The app itself is based on a global trend towards using mobile applications for the mapping of the novel coronavirus.
While countries the world over are engaging in health surveillance, we believe this is a problematic approach to the current situation given that such features are intruding on the privacy of citizens, as well as providing unfettered access to users' data. Contact tracing has been faced with backlash across the globe for its invasive approach to countering the spread of COVID 19.
While the situation concerning the virus is an emergency, it is still important for the Pakistani government to establish boundaries and limitations for its activities and be transparent, especially if they involve tracking the movements of its citizens and saving their health information on a mobile application. We would welcome the release of SOPs regarding how the data available on the app is being kept and processed.
Data related to an individual’s health is extremely private information, and it is information that affects not only them, but those whom they live with. This is extremely important to remember especially in such times, with a pandemic on our hands. Having sensitive information about where cases have been confirmed on a mobile application is dangerous as it puts families of victims at risk, as well as exposes their location and data regarding their health. The stigmatising of those with this particular disease has only made matters in this regard, worse.
Additionally, as the virus spreads, the Government needs documentation of confirmed cases, however, this information should only be collected as long as COVID 19 continues to be a threat to Pakistan. Some key elements here that would be comforting would be transparency in how patients’ data is being collected, as well as how it is being stored and lastly, what the data destruction policy, if any, is in this regard, as the Privacy Policy contained with the app is not very illuminating.
As people have moved towards remotely working and communicating, there has been a lot of activity online which has subsequently made cyber criminals and hackers more active. In light of this, the app does not address heightened concerns regarding the ‘security’ of the app and the personal data they are saving. In a White Paper, titled ‘Decentralized Privacy-Preserving Proximity Tracking’ (D3PT) (https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf) , experts in the field highlighted that databases made about patients are at a high risk of being attacked and leaked. If intelligent decisions are not made about how this data is saved, attackers can access all the information, thereby affecting the patients themselves, as well as the doctors and scientists working against the spread of the virus.
In the same white paper, the experts explained how their databases should be constructed and maintained, as well as how the transmission of new data works. They gave two case scenarios to the construction of databases. One being a centralized database, and the other being a decentralized one. They made the case for a decentralized database since it offers a more stringent security policy and quicker response to any attempted data breaches.
Lastly, they talked about how the transmission of data works in such apps. COVID 19 tracking apps have a feature called the ‘Radius Map’. It tells the user if their immediate surroundings have had a reported case of the novel coronavirus. It does this by using bluetooth signals that bounce off of other users of similar apps. Because of this, specific locations of patients can be pinpointed to the average user. The White Paper does highlight this as a privacy concern. Additionally, they also highlight the fact that these signals can be manipulated by hackers to create false alerts of nearby COVID 19 patients, spreading panic in an already panicked situation.
We submit that the Government of Pakistan share their detailed SOPs regarding the COVID 19 app launched by them. These should detail their privacy policy in full, detailing data retention and destruction. Also, we maintain that the Government should share with the public as to who exactly has access to this database. While we appreciate that this is an unprecedented situation, the Government still must act in a manner that best protects its citizens' data and their right to privacy, a right enshrined in the very Constitution of Pakistan.
Published by: Digital Rights Foundation in Blog
Comments are closed.