As a range of contact-tracing apps are launched across the ASEAN region, Straits Interactive CEO Kevin Shepherdson and legal consultant Lyn Boxall investigate and test them in a range of privacy and security areas

Governments across ASEAN are beginning to ease lockdown restrictions; however, there is a worry that these steps may result in a ‘second wave’. To combat this, many countries have adopted a COVID-19 contact-tracing app for smartphones to help limit the spread of the virus.

Through GPS or Bluetooth technology, the app can record all individuals with whom its user has been in contact. The user’s mobile phone exchanges unique ID-related information via short-distance Bluetooth signals with other mobile phones running the same app. This means that if a user has been exposed to an infected person who has also downloaded the app, the contact history is then shared with the relevant government agency.

Like many apps on the market, these contact-tracing apps run in the background of users’ Android phones, which begs the question: just how intrusive are they?

Straits Interactive assembled a local team of IAPP (International Association of Privacy Professionals) certified privacy managers from the region to do a detailed privacy sweep of contact tracing smart apps from the governments of five ASEAN countries. (At the point of publication, the Philippines had yet to release a contact tracing mobile application).

  • Malaysia: MyTrace

  • Singapore: TraceTogether

  • Thailand: MorChana – หมอชนะ

  • Indonesia: PeduliLindungi

  • Vietnam: Blue Zone

These contact-tracing apps were benchmarked against the survey parameters used by the Global Privacy Enforcement Network (GPEN), which conducted a global privacy sweep of mobile apps back in 2014. That sweep involved the participation of 25 privacy enforcement authorities around the world. (View the full report here.) It assessed the following:

  • the types of permissions sought by a surveyed app

  • whether those permissions exceeded what would be expected based on the app’s functionality

  • most importantly, how the app explained to consumers why it wanted the personal data and what it planned to do with it

A ‘permission’ in an app protects the privacy of the user of the app. Every app must include an ‘app manifest’ that, amongst other things, lists the permissions that the app uses.

Every mobile phone has an operating system, most commonly the Android operating system (Google) or the iOS (Apple) operating system. The vast majority of mobile phones are ‘Android phones’ and they have two ‘permissions’ categories:

  • Normal permissions: these permissions do not directly risk the user’s privacy, for example, permission to set the time zone is a normal permission. If an app lists a normal permission in its manifest, the system grants the permission automatically.

  • Dangerous permissions: these permissions give the app access to the user’s personal data in their mobile phone, such as contacts and SMS messages, as well as certain system features, such as the camera. If a dangerous permission is requested, privacy laws do not allow the relevant personal data to be collected, used or disclosed unless the user gives explicit consent by ‘accepting’ the request for permission to do so. In addition, privacy laws generally restrict ‘dangerous permissions’ to personal data that the app may collect, use or disclose while the user is actually using it. They do not allow apps to collect, use or disclose personal data simply because the user downloaded the app.
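The GPEN criteria above (which permissions an app declares in its manifest, which of them are dangerous, and whether they exceed what the app’s function requires) can be checked mechanically. The following is an added example, not code from the article or from any of the reviewed apps: a small Python sweep that reads an Android manifest, labels the dangerous permissions with the group names used in this article, and reports the ones that go beyond a stated functional baseline. The manifest, the package name and the baseline for a Bluetooth proximity-tracing app are all constructed for illustration.

```python
# Added example: a manifest "sweep" in the spirit of the GPEN criteria.
# Nothing here is taken from the reviewed apps; the manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Dangerous (runtime-consent) permissions, keyed to the group labels the
# article uses. GET_TASKS is the classic "retrieve running apps" permission
# (deprecated since Android 5, but still found in older manifests).
DANGEROUS_GROUPS = {
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.READ_EXTERNAL_STORAGE": "Photos/Media/Files/Storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Photos/Media/Files/Storage",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.GET_TASKS": "Device & App History",
}

# Hypothetical baseline: what a Bluetooth proximity-tracing app needs in order
# to work. Location is in the baseline because Android requires it for
# Bluetooth scanning; storage holds the local contact history.
TRACING_BASELINE = {
    "android.permission.BLUETOOTH",
    "android.permission.BLUETOOTH_ADMIN",
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest for a fictional app ("com.example.tracer" is a placeholder).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracer">
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Tracer"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the <uses-permission> names from a manifest, in declaration order."""
    root = ET.fromstring(manifest_xml.strip())
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def classify(perms):
    """Split permissions into normal ones and dangerous ones (with group label)."""
    dangerous = {p: DANGEROUS_GROUPS[p] for p in perms if p in DANGEROUS_GROUPS}
    normal = [p for p in perms if p not in DANGEROUS_GROUPS]
    return normal, dangerous


def excess_permissions(perms, baseline=TRACING_BASELINE):
    """Dangerous permissions that the functional baseline does not explain."""
    return sorted(p for p in perms if p in DANGEROUS_GROUPS and p not in baseline)


def sweep(manifest_xml, baseline=TRACING_BASELINE):
    """One-shot report: dangerous groups used, unexplained permissions, normal count."""
    perms = declared_permissions(manifest_xml)
    normal, dangerous = classify(perms)
    return {
        "dangerous_groups": sorted(set(dangerous.values())),
        "excess": excess_permissions(perms, baseline),
        "normal_count": len(normal),
    }


if __name__ == "__main__":
    report = sweep(SAMPLE_MANIFEST)
    print("Dangerous permission groups:", ", ".join(report["dangerous_groups"]))
    print("Beyond the tracing baseline:", ", ".join(report["excess"]) or "none")
    print("Normal permissions declared:", report["normal_count"])
```

The report lists the permission groups in the same terms as the table later in this article, so the unexplained entries (here Camera and Device & App History) are exactly the ones a sweeper would then go looking for in the app’s privacy statement.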

By way of illustration, here is a list of dangerous permissions that might be sought by an app:

Users often blindly “agree” to or “allow” these permissions without first understanding their functions. Nor do they read the privacy policies of the respective applications.

The following table shows the various dangerous permissions being used in the five contact tracing smart apps we reviewed:

Singapore’s TraceTogether and Vietnam’s Blue Zone use the fewest permissions to perform their contact tracing functions; Thailand’s MorChana uses the most.

Straits Interactive looked at whether these dangerous permissions exceeded what would be expected based on the app’s functionality. They also looked at the explanation in the privacy statement about why these permissions are needed and what will be done with the relevant personal data.

Before considering those points, here is an explanation of various permissions and some comments about potential risks if they were to be abused.

Camera

Permission: An app that has “Camera” permission is able to take pictures and videos on the phone. Users of the Thai MorChana App are asked to take a photo of themselves upon registration.

If abused: Apps using a “Camera” permission can also have access to record audio, similar to the “Microphone” permission. In addition, the app could “watch” the user via the camera and listen to the user via the microphone when the user uses other apps or when the device’s screen is off.

Device & App History

Permission: Both Malaysia’s MyTrace and Thailand’s MorChana App use the “Device & app history” permission to retrieve running apps.

If abused: Apps using this permission can also read sensitive phone log data, retrieve system internal state information and retrieve web bookmarks and history. The log data of other apps that this permission exposes may contain usernames and passwords stored in plain text.

Location

Permission: All the apps use the “Location” permission, which allows the app to ask for the user’s approximate, network-based location. This enables the app to track the user’s exact location per the device’s GPS.

However, the apps do not actually track the user’s location. Location permissions are mandatory when Bluetooth technology is used on an Android phone. It is an outcome of how the Bluetooth technology works: the location permission is required so that ‘close proximity’ information can be collected.

If abused: Apps using this permission can identify the user’s location within several feet and track their every movement.

Photos/Media/Files/Storage

Permission: All of the contact tracing apps use this permission to store the contact tracing history on the user’s mobile phone.

Users are only asked to share their contact history in the event that the user has come into contact with an infected person.

If abused: Apps using this permission can read the contents of the user’s shared storage (USB device and SD card) as well as format their entire external storage device.

The following tables summarise our findings. The sweeper is our reviewer.

Singapore’s TraceTogether comes up tops in terms of privacy communications and overall marks.

The privacy statement and accompanying documents explain clearly and in simple English what the TraceTogether app does, what type of personal data is collected and how it may be used or disclosed. Our review shows that the permissions the app seeks do not exceed its functionality and declared purposes.

While the TraceTogether app does not comply with all of the nine obligations under Singapore’s Personal Data Protection Act (PDPA) or all of the six processing principles under the GDPR, it is generally consistent with those obligations and principles. The few areas where it falls short tend to reflect the nature of an app such as the TraceTogether app rather than an inadvertent or careless departure from an obligation or principle.
