Month: November 2020

The new flavor in Contact Tracing – QR Code

The Philippines is UNIQUE on its efforts on combating COVID19 specifically on contact tracing.  When we say unique the Philippines is the only country that has not done any effort in developing their own digital contact tracing applications. 

And there are various applications that was donated by 3rd party developers that is being implemented at the moment in municipalities and other enterprises that serves as gatekeeper and contact tracing services using QR Code e.g. eSalvar, Davao QR, Traze etc…

One can just fathom on the busines model of these applications popping out.  Was it really donated with no extra cost?  Were these applications bought by the city council / national government?  Since there is a presumed donation the application must be owned by the government and source code must be escrowed to protect the veracity and integrity of the source code in case there are breaches from internal and external factors.  Before the donation were these applications had undergone a privacy impact assessment and a vulnerability and penetration testing?  There are so many questions to ask with regards to project and data governance and DICT / DOH and NPC must be at the forefront to protect the data of the citizenry.

Previously, we did an analysis on Stay Safe and COVID Kaya that was featured in the ASEAN region and was picked up by different news agency e.g. Rappler, Philippine Star, Inquirer, GMA7, ABS-CBN, CNN etc.  The study was based on the technical analysis / cybersecurity best practices and we found out that both are borderline SPYWARE and yet the government has not done any action on these applications on securing and making citizen safe on surveillance on this contact tracing applications.

Let’s take a look on the analysis that we did previously on Stay Safe and COVID Kaya it can read and write on your:

  1. Contact List
  2. SMS
  3. Camera
  4. Audio
  5. Location thru triangulation on Cell Site and GPS location
  6. Phone logs
  7. Storage
  8. Pictures and Videos
  9. Calendar
  10. It can also change your phone settings

After a few months the flavor for LGUs is the implementation of QR Codes like eSalvar in Naga, DQR in Davao and Traze that is being used on Airports.  This contact tracing applications doesn’t use Bluetooth anymore but only QR Codes when you enter an establishment it serves as a gatekeeper for health declaration.  But there is still some noise on implementing these technologies yet QR codes has been there for a long time and these QR are used on Retail establishment to transfer money or pay bills / merchant that can be seen on Paymaya and GCASH transactions.

Let us review some privacy notice, executive order and resolutions on the three application on QR Code and its implications:

  1. Davao QR which is being mandated by Mayor Sarah Duterte to be used implies that DQR must be used by all citizens in Davao when you travel, going to the establishment to buy groceries / food and going in and out of the city
  2. In effect it serves as a National ID for the citizens of Davao
  3. The city also announced that the QR Code will be mandatory beginning November 7. The Davao Mayor said during her special hour on the Davao City Disaster Radio on Tuesday, November 3, that those without QR codes will be apprehended.
  1. eSalvar was recently in the news due to the filing of privacy case in Naga
  2. eSalvar uses the same tech alongside DQR and all establishment is being forced to use the application
  3. eSalvar was developed by a 3rd Party named Nueca Tech
  4. Establishments feel they are being forced to use the application and they feel that it is violating their right to privacy.
  1. Traze on the other hand is being managed and maintained by Cosmotech Inc which is a an HRIS systems integrator
  2. Traze is being used on airports
  3. Since this is being managed and owned by Cosmotech Inc. they are functioning as Data Controllers with regards to the ownership and manner of collection of data.
  4. Traze collects data from individuals, partners and transportation vessels based on the following:
    1. INVIDUALS
      1. User name/ ID
      2. Last Name, First Name
      3. Alias
      4. Cell phone number
      5. Address/ city/ country
      6. E-mail Address
      7. Scanned or visited establishments, businesses, government agencies
    2. PARTNERS, ESTABLISHMENTS, GOVERNMENT AGENCIES, DELIVERY CREW AND BARANGAY
      1. Company/ government agency/establishment’s name
      2. Telephone/ cell phone number
      3. Address/location/ city/ country
      4. E-mail Address
      5. Registered By
      6. Scanned visitors, clients and other individuals
    3. LAND TRANSPORTATION, AIRPLANES, TRAINS AND SHIP/VESSEL
      1. Transportation’s name/ operator’s name
      2. Telephone/ cell phone number
      3. E-mail Address
      4. City/ Country
      5. Port of embarkation/ station/airport, flight number, route or place of operation, plate number
      6. Scanned passengers, visitors, clients and other individuals

Based on the facts gathered on these QR Code implementation on both Naga and Davao it violated some Privacy Laws stated on the Bill of Rights in our constitution specifically on article 3 section 2 and on the Republic Act that was made into law in 2012 RA 10173 or famously known as Data Privacy Act.

While TRAZE violated RA10173 because it doesn’t have any personality in contact tracing merely for the fact that it has no legitimate purpose on being a data controller or even a data processor.  The only personality that Cosmotech Inc. can be is a vendor.  The entity doesn’t have any right to citizen data since it should be part of the e-governments task and its entities must be accountable to the public.

The basic principles of DPA are transparency, legitimate purpose and proportionality / fairness.  When we say transparency, it is like looking in a mirror and making our promise stand.  So, integrity is an issue here while we can assume that an LGU has legitimate purpose to do contact tracing it is only for the sole purpose that collection of data must be legitimately done and collected on purpose of contact tracing not functioning as a national id. 

This data being collected cannot be used on other purpose e.g. election, people profiling and others.  When we are done with contact tracing these data must be destroyed and the citizen must have evidence that an end-to-end destruction was done up to the entities that they have shared with e.g. WHO, DOH, DILG etc…

The principles of TLP in Data Privacy should be upheld to highest level because as Judge Brandeis of the US Supreme Court has said in the 1928 case – the highest and noblest of rights is the right to be let alone (Privacy).

We cannot put in our privacy statement / notice something like these:

We also need to adhere to the basic rights on privacy stated in GDPR, RA10173 (Data Privacy Act of 2012) and United Nations.  Data Subjects or the citizenry has rights to:

  1. Right to be informed
  2. Right to damages
  3. Right to access
  4. Right to object
  5. Right to Erasure / Blocking (to be forgotten)
  6. Right to file a complaint
  7. Right to rectify
  8. Right to Data Portability

Our data subjects must be able to choose that is why the liberty to participate in this kind of process must have a buy-in with data subjects and they have the eight universal rights to do so.  Another misconception of government in Asia right now specifically in the Philippines is that when a head of city or government does a resolution or pronounced policies it is the end of the road on the implementation.  The legal team must understand the relationship of data subjects, data controller and processor because this will be the basis of contracts.

We need to understand that a city / municipality has the sole legitimate purpose being a data controller because they decide the manner of collection.   There should also be an outsourcing agreement, service level agreement or a data processing agreement on data processor being initiated by the LGU.  When they share data to the national government or other entities which is not under the LGU they need to have data sharing agreements with these entities.  The 3rd parties with different purpose are considered as joint controllers (National Government and other 3rd parties).

Let’s dwell a little bit on the data sharing agreements when an LGU drafts its resolution and mandates enterprises to comply and use these applications the LGU needs to have a data sharing agreement on all enterprise.  I mean ALL enterprise that they will collect in behalf of the city government so if there are no such document an enterprise doesn’t have any regulatory obligation to the LGU but they have a regulatory obligation to DOLE since there is a circular on the Department of Labor and Employment for any company to have an aggregated list to be submitted to DOLE on a monthly basis which we presume that they are sharing to DOH.  We need to take note DOH only not DILG since the Department of Health has the sole responsibility on RA 11332 which is required to submit any information to the Government to enable contact tracing of suspected, probable, and confirmed COVID-19 patient due to epidemic or pandemic.  The keyword here is CONFIRMED.

On the other hand what legal document does the application developers who donated their application to government should have in possession?  It is a deed of donation and an escrow agreement and since they developed the application we are also presuming they are maintaining the application and they are being paid as operating expense to maintain the application and if they are maintaining the application we need to have a managed service agreement on the application developer.

We need to remember that the anti-thesis of privacy is surveillance and the right to privacy is one of the most important rights of a human being.  People needs to have liberty to choose and participate in government initiative to curtail COVID but it should be voluntary, proportionate, fair and transparent.