Tracing Apps in the Philippines – Too Many Permissions.

We are writing a review of the two contact tracing apps / systems that the Philippine Government is using and mandating LGUs to use. These are Stay Safe and COVID-KAYA. Stay Safe was built by Multisys and is being positioned as the official tracing app of the IATF / NTF, while COVID-KAYA is the official system used by the Department of Health (DOH) and the World Health Organization (WHO). We ran Exodus, a privacy tool that analyzes the permissions an application published on the Play Store requests. A permission grants the app access to a protected device capability or data set (camera, contacts, location and so on); each one the developer uses must be declared in the app's manifest file (AndroidManifest.xml) before the app is submitted to the store for publishing.

Below are the screenshots for both Stay Safe and COVID-Kaya.

As we can see above, COVID-KAYA declares 42 permissions, and Stay Safe declares 16 permissions and 1 tracker (we assume the Stay Safe database is using Google Firebase). Permissions are not bad in themselves, but as citizens we need to ask why these apps are collecting, using and accessing the following:

  • Camera – take pictures and videos without confirmation
  • Modify System Settings – allows the app to modify the system's settings data. Malicious apps may corrupt the system configuration
  • Read Contacts – allows the app to read data about your contacts stored on your phone, including the frequency with which you have called, emailed or communicated. This permission allows apps to save your contact data and malicious apps may share contact data without your knowledge
  • Write Contacts – allows the app to modify data about your contacts stored on your phone, this permission allows apps to delete contact data
  • Get Accounts – allows apps to get the list of accounts known by the phone, this may include any accounts created by applications you have installed.
  • Access Coarse Location (Network Based) – allows the app to get your approximate location, this location is derived by location services using network location sources such as cell towers and WiFi
  • Access Fine Location (GPS) – allows the app to get precise location using Global Positioning System
  • Bluetooth – automatic pairing
  • Record Audio – allows the app to record audio
  • Read Phone State – allows the app to access the phone state if you are calling someone. This permission allows the app to determine phone number and device id
  • Read External Storage – allows the app to read data on the SD card, if any

Above we listed the types of permission these two applications are using and accessing; as privacy and security practitioners we are concerned about why they need:

  • Camera – a tracing app does not need a camera, since tracing is done in the background using Bluetooth and other high-frequency signals
  • Modify System Settings – why are they modifying system settings? This is borderline malware behaviour
  • Read Contacts – Why do they need to read my contact details? The personal information in the contacts is sensitive enough if it is breached. We know for a fact that the National Privacy Commission filed cases against lending apps in 2019 over exactly this scenario
  • Write Contacts – This permission should not be touched by a tracing application, because the app could modify and delete contacts, which may even result in identity theft
  • Get Accounts – we don't understand this. Why do they need to access accounts that were created by other applications on the phone?
  • Access Coarse Location (Network Based) – Is it even part of the privacy notice that they can triangulate the location from cell towers?
  • Access Fine Location (GPS) – maybe we should ask what model they are using: a centralised or a decentralised approach
  • Bluetooth – automatic pairing – this is acceptable in order to do contact tracing
  • Record Audio – Are these apps eavesdropping? This may amount to wiretapping, which requires a warrant before it is permitted
  • Read Phone State – Why do they need to monitor whether a person is calling?
  • Read External Storage – and lastly, why do they need to read my data on my SD card?

These are just some of the questions that we as citizens need to ask.
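The permission review described above can be repeated on any APK's manifest. The script below is an added example and not code from the original post or from either app: it parses a constructed AndroidManifest.xml (the package name and permission set are assumptions, not taken from Stay Safe or COVID-KAYA) and sorts each declared permission into expected, needs-justification and unexpected buckets that encode the questions raised above.

```python
# Added example: manifest permission review for a Bluetooth contact tracing app.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from Stay Safe or COVID-KAYA).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.tracing.app">
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Permissions a Bluetooth proximity-tracing app plausibly needs.
EXPECTED = {
    "android.permission.BLUETOOTH",
    "android.permission.BLUETOOTH_ADMIN",
    "android.permission.INTERNET",
}
# Permissions the app may need, but whose use must be explained in the privacy notice.
NEEDS_JUSTIFICATION = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Permissions the review above argues a tracing app has no business requesting.
UNEXPECTED = {
    "android.permission.CAMERA": "camera is not needed for background Bluetooth tracing",
    "android.permission.WRITE_SETTINGS": "modifying system settings is borderline malware",
    "android.permission.READ_CONTACTS": "contact data is sensitive and irrelevant to tracing",
    "android.permission.WRITE_CONTACTS": "could modify or delete the user's contacts",
    "android.permission.GET_ACCOUNTS": "enumerates accounts created by other apps",
    "android.permission.RECORD_AUDIO": "audio capture raises wiretapping concerns",
    "android.permission.READ_PHONE_STATE": "exposes phone number, device id and call state",
    "android.permission.READ_EXTERNAL_STORAGE": "reads user files on shared storage",
}

def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]

def review(manifest_xml: str) -> dict:
    """Sort the declared permissions into review buckets; unknown ones need manual review."""
    report = {"expected": [], "needs_justification": [], "unexpected": {}, "unknown": []}
    for perm in declared_permissions(manifest_xml):
        if perm in EXPECTED:
            report["expected"].append(perm)
        elif perm in NEEDS_JUSTIFICATION:
            report["needs_justification"].append(perm)
        elif perm in UNEXPECTED:
            report["unexpected"][perm] = UNEXPECTED[perm]
        else:
            report["unknown"].append(perm)
    return report
```

Run `review(open("AndroidManifest.xml").read())` against a manifest extracted from a real APK to get the same three-way split Exodus-style reviews produce.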

COVID-19 and the right to Privacy

In this time of crisis we are facing due to COVID-19 there are only two things we need to focus on:

1. Safety and
2. Protection

Safety means protecting the individual from getting COVID-19. The prevention measures we need to put in place, such as cleaning, personal hygiene and social distancing, are the top priority for each individual and our families right now, along with knowing what procedures to follow if we contract it.

Safety countermeasures are very important outside of our home from barangays, LGU and hospitals. As individuals we need to educate ourselves on these measures outside our homes.

Protection, on the other hand, is about protecting the individual's data. In this time of COVID-19 digital risk is very high, because when ECQ started we became 100% digital. People may argue that we do not need privacy in a time of crisis and that we just need to save lives. That is true, and that is why RA 10173 / the Data Privacy Act has an exemption when it is a matter of life and death.

But we also need to balance this out, especially for PUIs and PUMs. The call last week by the PMA and IBP to lift the confidentiality of PUMs and PUIs may have merit, but the issue is not confidentiality; it is about honest disclosure by a patient, as in the case of Senator Koko Pimentel visiting Makati Medical Center a few weeks ago without disclosing that he had the virus.

RA 10173 may be a special law born of changing times and changing business models, but we need to understand that privacy is grounded in our Bill of Rights, Article 3 Section 2 of the Constitution, which itself draws on the 4th Amendment of the US Constitution and the common law of England dating back to 1630.

Article 3 of the Bill of Rights states that:

Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.

Sec. 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.

As Commissioner Mon Liboro has mentioned we have laws that are in place and RA 11332 (An Act Providing Policies and Prescribing Procedures on Surveillance and Response to Notifiable Diseases, Epidemics, and Health Events of Public Health Concern) can be imposed on such cases that is complementary to the Data Privacy Act / RA 10173.

To note, RA 11332 mandates patients, PUIs, and PUMs to be fully transparent and truthful to the DOH, hospitals, and other pertinent public authorities about the personal data (travel and medical history, etc.) requested from them. Such information is material for health and local institutions to treat them and/or properly contain the spread of the infectious disease in a timely manner. Where they falter in cooperation, as when they refuse to provide details or conceal required information, patients can be penalized with imprisonment and hefty fines under the act.

As the late Judge Brandeis once said on the landmark case in 1928… “The right to be let alone is the most comprehensive of rights and the right most valued by civilized men”

What is PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a set of cybersecurity requirements for businesses handling credit card data.

Formed in 2004 by Visa, MasterCard, Discover, and American Express, it is administered by the Payment Card Industry Security Standards Council (PCI SSC).

PCI DSS applies to all merchants dealing with cardholder data, regardless of revenue and transaction volume.
Compliance is validated either annually or quarterly, and is performed by a firm-specific Internal Security Assessor (ISA) or an external Qualified Security Assessor (QSA).

There are four levels of compliance for merchants: they all depend on the volume of transactions for a particular brand within a year. Mastercard typically uses the same values as Visa.

  • Level 4: < 20k transactions/year — Questionnaire (e-commerce only)
  • Level 3: < 1M transactions/year — Questionnaire
  • Level 2: < 6M transactions/year — Questionnaire + Quarterly vulnerability scans
  • Level 1: ≥ 6M transactions/year — Full onsite audit + Vulnerability scans

For service providers, there are just two levels of compliance. The PCI SSC document defines them as the following:

  • Level 2: < 300k transactions/year — Questionnaire + Vulnerability scans
  • Level 1: ≥ 300k transactions/year — Full onsite audit + Vulnerability scans

Two partners of ePrivacyNow, SISA and QRC Solutions, are ISAs and QSAs, and our payment partner AltPaynet (Level 1) holds the highest level of certification granted by the payments industry.

For more information on how we can help you, book a consultation with us.

Data Privacy as an Enabler

Data privacy took the banner headline in 2018 with the implementation of the new GDPR in May 2018 and the adoption of data privacy acts in Asia, especially in the Philippines, where the law penalizes an offender with imprisonment and other penalties. Even though the GDPR has no imprisonment attached to it, the penalty can be up to 20M Euros or 4% of the profit of the company violating it.

Most people and enterprises see only the penalty, but the law actually acts as an enabler for the enterprise to be more trustworthy with regard to the data it holds and its integrity. The Data Privacy Act enables us as companies to be trustworthy with our clients; our customers are in fact the owners of the data, not us as companies. We only process it, and have limited control over it for a certain period (not forever).

It also challenges our culture not to be a willing victim where our privacy is concerned. I was talking to the CEO of a blockchain company and she mentioned that this is all just hype because all our data are already out there in Facebook, Twitter, SnapChat, WeChat, Viber etc… maybe she has a point, but as a company we need to know the integrity of the data we process, be it employee data, business partner data or customer information. As professionals and leaders of our enterprises we need to challenge ourselves on how we do business and ask why we are collecting each data point. We need to include privacy in the projects we embark on and in our operations (BAU). It encourages us to take a risk-based approach to our business / projects.

I invite you to look at ethisphere.com:

A portfolio of the world's most ethical companies consistently outperforms the market during the period analysed by Ethisphere, both in times of growth and during market decline…

In the end it is not just about compliance; it's a trust issue. It may sound ambitious, and IT leaders would say that innovation can never be a compliance game and that we need to be fast and agile or our competitors will crush us, but the law gives us the opportunity to build privacy and security by design into our initiatives. By doing security and privacy by design we will have the confidence and integrity that the data we process are in fact true and correct. I quote Patricia Aburdene (MegaTrends 2010)…

Transcendent values like trust and integrity literally translate into revenue, profits and prosperity.

Data Privacy Day – BREATHE

We celebrated Data Privacy Day on January 28, 2020! And some sectors are now proposing an amendment of the special law which we nowadays call the "Data Privacy Act". In 2012 the law was passed through the efforts of the late Senator Angara, the IRR was published in 2016, the newly formed commission started its campaign in 2017, and fast forward, we are now in 2020.

Some of the suggestions in the proposal of the good Congressman of Tarlac are: stiffer penalties, including administrative fines not exceeding PhP 5M; additional classification of personal information and sensitive personal information per sector, covering what is deemed sensitive in that sector; changes to the organizational structure of the commission; the introduction of provisions on the personal data of minors; an additional clause on offenses by a public officer; and allowing the commission to hold conferences for the advancement of the general public, etc.

There are good points and not so good points, but my suggestion is to let the law breathe first. The implementation of RA 10173 is barely two years old; let the commission flex its muscle before amending the law. Laws should be universal, and the incidentals can be handled through circulars, as has been done in the past.

Personally, I think the most pressing matters are the development of the ecosystem, the compliance and registration of the 2M companies (the NPC has only 35k companies registered to date), the education of the current pool of Data Privacy Officers, and making the country a center of excellence in data privacy and protection in the region.

We need to understand that RA 10173 is a special law on data that targets personal information and classifies personal data as an asset under both civil law and commercial law.

CIVIL LAW because of the 8 rights of our citizens: the right to be INFORMED, to OBJECT, to ACCESS, to CORRECT / RECTIFY, to BLOCK / REMOVE, to DATA PORTABILITY, to COMPLAIN and to be INDEMNIFIED.

COMMERCIAL LAW because we need to understand the basics: DATA is considered an ASSET, and personal or customer information, intangible as it may be, is one of the most important assets nowadays. As the business model of each enterprise changes, our classification of assets also changes.

Corporation / Juridical Entities must understand that their organization is dependent on the productivity of four assets: 

  • People
  • Information / Data 
  • Technology 
  • Facilities 

As I mentioned, as we creatively change our business model canvas our strategy changes and our data grows bigger and bigger. We have to treat personal information as an asset because the more we collect, the more valuable the data becomes, and the less we collect, the smaller its value.


In order to be resilient today, corporations need to realize two things: we need to sustain our assets, and we need to protect them.

We discussed earlier that this law is due to the change in times and to the creative actions of companies in this age. We need to understand that this is a special law and that it is anchored on the Bill of Rights, Article 3 Section 2, which was itself patterned on the Fourth Amendment of the US Constitution.

Below are a series of events on Privacy Law including the Philippine implementation.


Privacy has been with us for a very long time; Justice Brandeis, in a 1928 case, wrote:

“The right to be let alone is the most comprehensive of rights and the right most valued by civilized men”

*We can discuss the 1928 case but it will take a day of discussion…

As I mentioned, the law must be universal; implementation details belong in the implementing rules and regulations or in circulars, and consultation can be done by issuing advisories.

Data Breach is a story of OLD (Three Little Pigs and the BIG BAD WOLF)

The Data Privacy Act and the EU's GDPR were born because of the monetization of data by companies. Time Magazine has dubbed data the new OIL, so the law mandates us to protect the rights of our consumers.

But data breaches are an old story. We can compare the attackers to the BIG BAD WOLF that will blow our house down, and ourselves to the three little pigs. The story goes like this…. one takes little time in building his home out of straw and spends the rest of his time playing and relaxing. A second pig builds a home out of sticks, which takes slightly longer, but he too values relaxation time. A third pig chooses to build a home out of bricks, which requires a great deal of time and effort. He values taking the time to build a home properly over relaxation and recreation. When the Big Bad Wolf comes to the homes, only the third pig's house of bricks stands up to the pressure applied by the wolf.

Moral of the story… hard work and dedication pay off. Companies nowadays are not like companies in the 1980s: we need to adapt or we will die, and building our roadmap to protect the personal information of our stakeholders is vital to our survival. As the former deputy commissioner of the National Privacy Commission said, "Privacy is now a proxy of TRUST: if I don't TRUST you I will not do business with you, and on the other hand if I TRUST you I will do business with you". We need to up our skills in privacy and security, since these are intangible assets of the enterprise, and respect the rights of our stakeholders.


Our business is evolving… why you need a board member with a security and privacy mindset

Our business environment is evolving, and regulations are now part of everyday life in the enterprise, not only for BIG companies that operate in a highly regulated sector but also for small and medium businesses. With the introduction of the Data Privacy Act and the EU's GDPR, people are now more conscious of how data processors handle their privacy and that of their subscribers.

Our management committee and members of the board of directors are more involved than ever in discussions and strategy around their PIIs and cybersecurity and the solutions needed to prevent being the next BIG breach.

The questions we are asking are no longer as simple as “are we secure?” but more to the tune of “are we doing all we can to minimize or transfer the risk, and what do we do in the case of a breach?”

Because of regulations such as the Data Privacy Act (DPA) and the EU's General Data Protection Regulation (GDPR), our management or board of directors needs to understand more about these regulations and about INFOSEC. Most of the time our CIOs / CTOs, and the CISO if you have one, cannot articulate what the board needs to know about security and its impact on the business. As IT executives we need to relay to the board:

  1. The assets and service that they cannot go without – this means their crown jewels
  2. The security drivers and risks.
  3. Risk Assessment and the enterprise response to the risk to ensure survival, continuity and organization’s safety

Our board should ask the questions such as:

  1. Are we demonstrating the appropriate level of due diligence, ownership, and effective management of cyber security risk that we owe to our organization and to our shareholders?
  2. What is our risk appetite if a breach happens to us? To what degree are we discussing cyber security risk management in relation to business continuity and the threats to our organization over the past years?
  3. Is our prioritization and level of engagement on the topic of cyber security consistent with our perceived level of overall risk to the organization?
  4. Does our Board need to play a more active role in determining our organization's cyber security strategy? If so, in what way?
  5. Have any of our board members attended formal governance training specific to cyber security risk management? Should this be a requirement/option for some or all board members?

Start your long-term search for this board member now, as it may take a long time to find the candidate with the right qualifications, cultural fit, and of course the availability to take the spot.