Privacy Issue on Manda Track and Pasig Pass

Three weeks ago (Feb 12, 2021) I went to our office in Ortigas Center in Pasig and I parked at Podium Mall. When I was entering the mall, the guard asked, "Do you have a QR code?" so I flashed my Pasig Pass QR and it was accepted, and then I went to the office in front of the mall.

When I finished my errands I entered Podium Mall again and the guard asked, "Do you have a MandaTrack?" So before entering the mall, and out of curiosity, I looked at MandaTrack on the web, and what I saw was the same user interface and the same privacy notice except for a minuscule change.

The Logo of Pasig and Mandaluyong.

I didn’t register on MandaTrack, but when I entered I presented my Pasig Pass and it went through. Both Pasig and Mandaluyong are saying that they own the system and that they developed it, so it is in fact a violation, or we may consider this a data breach, since two systems are now talking to each other without any consent from their data subjects. This only means that the developers are the same, and that both the application developer and the city governments of Pasig and Mandaluyong are in violation of RA10173 and have not reported any data breach to the National Privacy Commission.

And today (March 1, 2021) the four mayors of Antipolo, Pasig, Valenzuela and Mandaluyong had a press release that their contact tracing efforts are now interconnected. And yet the privacy notice has not changed.

We have to understand that when we collect personal information we need to protect it, and the manner of collection is very important as well. The developers of these apps are definitely data controllers and the LGUs are also co-data controllers. When the developer is not even named in these applications and no data protection officer is mentioned for the LGUs, there is something wrong.

In our previous article we mentioned that Pasig Pass is in violation of the Data Privacy Act or RA10173. These applications are in fact surveillance apps, not contact tracing applications, because there is no health declaration being done in the app. And if we look at the municipal / city resolutions, they are treading on human rights and discrimination, since they penalize enterprises that don’t follow and install these apps.

This is not just a violation of the Data Privacy Act / RA10173 but also of our Bill of Rights, Article 3 Sections 1 and 2 of the Philippine Constitution!!!

Why Pasig Pass is a mere surveillance application not a CONTACT TRACING Solution

Mayor Vico Sotto has done great things for the city of Pasig, and his trust rating is now the highest of all mayors in Metro Manila. Recently the City of Pasig mandated a contact tracing application to be rolled out for the city’s populace, whether visitors or residents, and for establishments as well. When you visit an establishment in Pasig, e.g., a grocery, supermarket or any building, and you don’t have a Pasig Pass, the guards will deny you entry.

For the ordinary citizen it can be a good app, since you can now enter an establishment without filling out a health declaration and all that is needed is a QR code. But what Pasig Pass lacks is the health declaration, which is supposed to be the essence of contact tracing if you have symptoms of COVID19. This alone violates the privacy of the individual and it also defeats the purpose of contact tracing.

If we examine the promise of PasigPass, we may presume that it was just copied from a template without any thought given to the process of contact tracing. Let us look at the promise of Pasig Pass in its Privacy Notice:

Information Collection

We may collect, store and transfer the following information:

  • name and address
  • contact information including email address.
  • demographic information such as postcode, preferences and interests
  • other information relevant to individual’s request and/or offers.

But what is the 4th bullet for? Other information relevant to individual’s request and offers? We must remember that the only purpose of this kind of application is contact tracing. This means that if a person visits an establishment and has acquired COVID, the LGU can tag the establishment as a RED ZONE, and if the establishment has no trace of COVID then it is in a GREEN ZONE. RA10173, or the Data Privacy Act of 2012, is explicit that any application, process or project that collects personal data must adhere to three principles: TRANSPARENCY, LEGITIMATE PURPOSE and PROPORTIONALITY.

An individual can request his / her data because the data subject has the right to his or her information in the context of contact tracing. If this kind of application is used for other purposes, it violates its sole purpose.

They also mentioned:

Purpose of Collected Data 

You consent that your collected Personal Information may be used:

  • To help improve our data and services and customize user experience;
  • To participate in and facilitate transactions; 
  • To engage in data mining and build up activities;
  • To deliver the products and services that you have requested;
  • To perform research and analysis about your use of, or interest in, our products, services, or content, or products, services or content offered by others;
  • To communicate about relevant services, ads and/or advisories through whichever means are available to the City Government; 
  • To provide better customer experience to the City Government clients and improve, develop, identify and implement services; 
  • To follow safety, security, public service or legal requirements and processes; 
  • To process information for statistical, analytical, and research purposes; and
  • To identify and prevent errors and inefficiencies due to misuse of the platform;
  • To enforce our terms and conditions;

The purpose stated above clearly violates the data privacy act!!!!

This only means that PasigPass is not really a contact tracing application but a city-wide application for other services of the LGU. And when a city restricts a person's entry to an establishment to buy food, it also discriminates against people, because not everyone has a smartphone or even an internet connection.

For this kind of application, we must educate the head of the LGU on Data Privacy, Cyber Crime and Business Resiliency, because if the city is in violation of RA10173 or RA10173 then the Mayor, who is the head of the LGU, will be liable under these Republic Acts. I believe that the good mayor has good intentions, but ignorance of the law and the implementation of a sloppy project will cause his trust rating to drop.

Let’s continue on the Data Sharing:

Our Disclosure of your Personal Information to Third Parties

We may share your personal information with third parties only in the ways that are described in this Privacy Statement:

  • we may provide your information to our sub-processors who perform functions on our behalf;
  • third party contractors may have access to our databases. These contractors sign a standard confidentiality agreement and data sharing agreement;
  • we may share your data with any parent company, subsidiaries, joint ventures, other entities under a common control or third party acquirers. We expect these other entities will honor this Privacy Policy;
  • we may allow a potential acquirer or merger partner to review our databases, although we would restrict their use and disclosure of this data during the diligence phase;
  • as required by law enforcement, government officials, or other third parties pursuant to a subpoena, court order, or other legal process or requirement applicable to our Agency;
  • we may transfer personal information to third parties for any legally permissible purpose at our sole discretion; and
  • we may share your information with third parties with your consent or direction to do so.

The above statements, I assume, are copied from other privacy notices on the web. The statements must be explicit about whom this data is shared with. We must also remember that this is a privacy notice, meaning it is a promise, not a policy. A policy is internal to the organization and covers fair use, data sharing, security policies, etc.

And when an organization says:

  • we may transfer personal information to third parties for any legally permissible purpose at our sole discretion; and
  • we may share your information with third parties with your consent or direction to do so.

We as citizens must know the relationship of these entities. Who are they? What is the relationship of these entities to the LGU? Who really is the Personal Information Controller and Processor? Sharing means there is a joint controller; who are these? Is there a custodian of the data? And what merger partner are they talking about? Will this data be used for elections and other purposes?

As citizens we need to be mindful of our personal data and our rights as individuals, because the 8 universal rights of data privacy (e.g. access, information, data portability, complaint, blocking, indemnity, etc.) are based on 4 domains which are also in the bill of rights in our constitution:

Also, the privacy notice has no contact information for the Data Protection Officer, so even if you want to exercise your right to be removed from the system you cannot do so, because you cannot even email them with such a request.

We must remember that all of these rights and principles have a process flow on data mapping, which is illustrated below. The flow of data must comply with both the data privacy principles (transparency, legitimate purpose and proportionality) and the 8 Rights of a Data Subject.

To end, LGUs or any other organization writing a privacy notice must keep in mind the criteria of a good privacy notice / promise:

  • Must be freely given
  • Must be specific
    • purpose specification as a safeguard against function creep,
    • granularity in consent requests, and
    • clear separation of information related to obtaining consent for data processing activities from information about other matters.
  • Must be informed
    • adequate information about the processing must be communicated to the data subject “in an intelligible and easily accessible form, using clear and plain language” prior to obtaining their consent
  • Consent must be unambiguous

And if the above criteria are not met, any data subject can easily file a complaint with a privacy commission, which in this case is the National Privacy Commission.

The new flavor in Contact Tracing – QR Code

The Philippines is UNIQUE in its efforts to combat COVID19, specifically in contact tracing. When we say unique, the Philippines is the only country that has not made any effort to develop its own digital contact tracing applications.

There are various applications donated by 3rd party developers that are being implemented at the moment in municipalities and other enterprises, serving as gatekeeper and contact tracing services using QR Codes, e.g. eSalvar, Davao QR, Traze, etc.

One can only imagine the business model behind these applications popping up. Were they really donated at no extra cost? Were these applications bought by the city council / national government? Since there is a presumed donation, the application must be owned by the government and the source code must be escrowed to protect its veracity and integrity in case there are breaches from internal and external factors. Before the donation, had these applications undergone a privacy impact assessment and vulnerability and penetration testing? There are so many questions to ask with regard to project and data governance, and DICT / DOH and NPC must be at the forefront of protecting the data of the citizenry.

Previously, we did an analysis of Stay Safe and COVID Kaya that was featured in the ASEAN region and was picked up by different news agencies, e.g. Rappler, Philippine Star, Inquirer, GMA7, ABS-CBN, CNN, etc. The study was based on technical analysis / cybersecurity best practices, and we found that both are borderline SPYWARE, and yet the government has not taken any action on these applications to secure them and keep citizens safe from surveillance through these contact tracing applications.

Let’s take a look at the analysis that we did previously on Stay Safe and COVID Kaya. They can read and write your:

  1. Contact List
  2. SMS
  3. Camera
  4. Audio
  5. Location thru triangulation on Cell Site and GPS location
  6. Phone logs
  7. Storage
  8. Pictures and Videos
  9. Calendar
  10. It can also change your phone settings

After a few months, the flavor for LGUs became the implementation of QR codes, like eSalvar in Naga, DQR in Davao and Traze, which is being used at airports. These contact tracing applications don’t use Bluetooth anymore but only QR codes; when you enter an establishment, the app serves as a gatekeeper for health declaration. There is still some noise about implementing these technologies, yet QR codes have been around for a long time and are used in retail establishments to transfer money or pay bills / merchants, as can be seen in Paymaya and GCASH transactions.

Let us review some privacy notices, executive orders and resolutions on the three QR Code applications and their implications:

Davao QR (DQR):

  1. The mandate by Mayor Sara Duterte to use Davao QR implies that DQR must be used by all citizens in Davao when traveling, going to establishments to buy groceries / food, and going in and out of the city
  2. In effect it serves as a National ID for the citizens of Davao
  3. The city also announced that the QR Code will be mandatory beginning November 7. The Davao Mayor said during her special hour on the Davao City Disaster Radio on Tuesday, November 3, that those without QR codes will be apprehended.

eSalvar:

  1. eSalvar was recently in the news due to the filing of a privacy case in Naga
  2. eSalvar uses the same tech as DQR and all establishments are being forced to use the application
  3. eSalvar was developed by a 3rd party named Nueca Tech
  4. Establishments feel they are being forced to use the application and they feel that it is violating their right to privacy.

Traze:

  1. Traze, on the other hand, is being managed and maintained by Cosmotech Inc, which is an HRIS systems integrator
  2. Traze is being used in airports
  3. Since it is managed and owned by Cosmotech Inc., they are functioning as Data Controllers with regard to the ownership and manner of collection of data.
  4. Traze collects data from individuals, partners and transportation vessels based on the following:
    1. INDIVIDUALS
      1. User name/ ID
      2. Last Name, First Name
      3. Alias
      4. Cell phone number
      5. Address/ city/ country
      6. E-mail Address
      7. Scanned or visited establishments, businesses, government agencies
    2. PARTNERS, ESTABLISHMENTS, GOVERNMENT AGENCIES, DELIVERY CREW AND BARANGAY
      1. Company/ government agency/establishment’s name
      2. Telephone/ cell phone number
      3. Address/location/ city/ country
      4. E-mail Address
      5. Registered By
      6. Scanned visitors, clients and other individuals
    3. LAND TRANSPORTATION, AIRPLANES, TRAINS AND SHIP/VESSEL
      1. Transportation’s name/ operator’s name
      2. Telephone/ cell phone number
      3. E-mail Address
      4. City/ Country
      5. Port of embarkation/ station/airport, flight number, route or place of operation, plate number
      6. Scanned passengers, visitors, clients and other individuals

Based on the facts gathered on these QR Code implementations in both Naga and Davao, they violated privacy protections stated in the Bill of Rights in our constitution, specifically Article 3 Section 2, and in the Republic Act that was made into law in 2012, RA 10173, famously known as the Data Privacy Act.

TRAZE, meanwhile, violated RA10173 because it doesn’t have any personality in contact tracing, for the simple fact that it has no legitimate purpose in being a data controller or even a data processor. The only personality that Cosmotech Inc. can have is that of a vendor. The entity doesn’t have any right to citizen data, since handling it should be part of the e-government’s task and its entities must be accountable to the public.

The basic principles of the DPA are transparency, legitimate purpose and proportionality / fairness. When we say transparency, it is like looking in a mirror and making our promise stand, so integrity is an issue here. While we can assume that an LGU has a legitimate purpose to do contact tracing, that purpose covers only data legitimately collected for contact tracing, not functioning as a national ID.

The data being collected cannot be used for other purposes, e.g. elections, people profiling and others. When we are done with contact tracing, this data must be destroyed, and the citizen must have evidence that an end-to-end destruction was done, extending to the entities the data was shared with, e.g. WHO, DOH, DILG, etc.

The principles of TLP in Data Privacy should be upheld to the highest level because, as Justice Brandeis of the US Supreme Court said in the 1928 case, the highest and noblest of rights is the right to be let alone (Privacy).

We cannot put in our privacy statement / notice something like these:

We also need to adhere to the basic rights on privacy stated in GDPR, RA10173 (Data Privacy Act of 2012) and by the United Nations. Data subjects, or the citizenry, have the following rights:

  1. Right to be informed
  2. Right to damages
  3. Right to access
  4. Right to object
  5. Right to Erasure / Blocking (to be forgotten)
  6. Right to file a complaint
  7. Right to rectify
  8. Right to Data Portability

Our data subjects must be able to choose. That is why the liberty to participate in this kind of process must come with buy-in from data subjects, and they have the eight universal rights to do so. Another misconception of governments in Asia right now, specifically in the Philippines, is that when the head of a city or government issues a resolution or pronounces policies, it is the end of the road for the implementation. The legal team must understand the relationship of data subjects, data controller and processor because this will be the basis of contracts.

We need to understand that a city / municipality has the sole legitimate purpose as data controller because it decides the manner of collection. There should also be an outsourcing agreement, service level agreement or data processing agreement with the data processor, initiated by the LGU. When they share data with the national government or other entities that are not under the LGU, they need to have data sharing agreements with these entities. The 3rd parties with different purposes are considered joint controllers (National Government and other 3rd parties).

Let’s dwell a little on data sharing agreements. When an LGU drafts its resolution and mandates enterprises to comply and use these applications, the LGU needs to have a data sharing agreement with every enterprise, and I mean ALL enterprises that will collect on behalf of the city government. If there is no such document, an enterprise doesn’t have any regulatory obligation to the LGU, but it does have a regulatory obligation to DOLE, since there is a Department of Labor and Employment circular requiring any company to submit an aggregated list to DOLE on a monthly basis, which we presume is being shared with DOH. We need to take note: DOH only, not DILG, since the Department of Health has the sole responsibility under RA 11332, which requires the submission of any information to the Government to enable contact tracing of suspected, probable, and confirmed COVID-19 patients during an epidemic or pandemic. The keyword here is CONFIRMED.

On the other hand, what legal documents should the application developers who donated their application to the government have in their possession? A deed of donation and an escrow agreement. Since they developed the application, we are also presuming that they are maintaining it and are being paid to do so as an operating expense, and if they are maintaining the application there needs to be a managed service agreement with the application developer.

We need to remember that the antithesis of privacy is surveillance, and the right to privacy is one of the most important rights of a human being. People need to have the liberty to choose and participate in government initiatives to curtail COVID, but participation should be voluntary, proportionate, fair and transparent.

The concept of Privacy in the Modern Age

When we talk about Privacy nowadays what comes into our minds is data privacy but what most people know about data privacy is only contextualized into me as a person and what we post online.

Let us first define what privacy is. It has been suggested that privacy can be divided into four different aspects that are related to a human or juridical person. These are:

  1. Territorial – which concerns the setting of limits on intrusion into one’s own property such as your house, car and other environments; this also includes video surveillance, ID checks in subdivisions and trespassing
  2. Bodily – which concerns the protection of people’s physical selves against invasive procedures such as drug testing, cavity searches and other medical procedures that may violate privacy
  3. Information – this is otherwise known as data privacy and protection; it involves the establishment of policies, processes and procedures on the governance of corporations, otherwise known as data controllers and processors, covering the collection, use, storage, handling, retention, destruction and sharing of personal data such as credit information, and medical and government records.
  4. Communication – covers the security and privacy of communication channels and devices such as radio frequency (including telephone and media), mail (manual and electronic), telephone, and internet communication; it also involves directives on devices in the internet of everything, such as IoT devices and Internet Protocols, and other forms of communication

So, when we talk about Privacy we need to contextualize it. Privacy is not just about Data Privacy, and the Data Privacy Acts all over the world can only be classified or categorized into two (2) aspects, which are Information and Communication.

It is well to note that privacy has been a battle cry against oppression since the 1600s in Europe, as manifested in the Common Law of the United Kingdom, and in the landmark 1928 case over territorial and communication privacy, Olmstead vs the US Government, in which Justice Louis Brandeis dissented and said that:

“The right to be let alone – the most comprehensive of rights and the right most valued by civilized men”

[Brandeis J, dissenting in Olmstead v. United States, 277 U.S. 438 (1928)]

The case revolved around the prosecution of Roy Olmstead for attempting to smuggle and sell alcohol. After suspecting Olmstead for years, the government gathered evidence by wiretapping his office. Olmstead argued that the police had violated his Fourth and Fifth Amendment rights, since the police at that time did not obtain a warrant.

During that time wiretapping was legal and the Supreme Court had a 5-4 decision in favor of the US Government.  The case had become a landmark case not because of the decision but because of the dissent of Justice Brandeis.  He wrote an influential dissent that became the foundation for future privacy.

In it, he attacked the proposition that the government had the power to wiretap phones without warrant, arguing that there is no difference between listening to a phone call and reading a sealed letter. Brandeis argued that the Founders had “conferred against the government, the right to be let alone – the most comprehensive of rights and the right most favored by civilized men.” Furthermore Brandeis advanced the idea that the ‘unclean hands’ principle, which is the idea that courts should not aid a plaintiff who has acted unethically with regards to the subject of the case, applies to the federal government. The government should not violate the laws of states to gather evidence (wiretapping was illegal in many states, including Washington) and then use that evidence to prosecute people.  

Four decades later, in the 1967 Katz vs U.S. case, the Brandeis dissent was widely cited and the Supreme Court overturned the Olmstead ruling, holding that warrants were in fact required for wiretapping, with Brandeis’ dissent held as a primary influence. The Katz decision can be compared to the breaking of the Berlin wall: it opened up privacy as a constitutional right and has many implications, from the right to live, abortion rights, press freedom and information / data privacy to, now, even communication privacy in a connected world on the internet of everything.

Below is the chronological history from the Harvard Law Review of the “Right to Privacy” of Samuel Warren and Louis Brandeis.

The Scope of Privacy

As Professor Roger Clarke said, Privacy is important from a number of different perspectives:

  1. Psychologically, people need private space. This applies in public as well as behind closed doors and drawn curtains. We need to be able to glance around, judge whether the people in the vicinity are a threat, and then perform actions that are potentially embarrassing, such as breaking wind, and jumping for joy.
  2. Sociologically, people need to be free to behave, and to associate with others, subject to broad social mores, but without the continual threat of being observed. Otherwise we reduce ourselves to the appalling, inhuman, constrained context that was imposed on people in countries behind the Iron Curtain and the Bamboo Curtain.
  3. Economically, people need to be free to innovate. International competition is fierce, and countries with high labor-costs need to be clever if they want to sustain their standard-of-living. And cleverness has to be continually reinvented. But the chilling effect that surveillance brings with it stifles innovation. All innovators are, by definition, ‘deviant’ from the norms of the time, and they are both at risk, and perceive themselves to be at risk, if they lack private space in which to experiment. 
  4. Politically, people need to be free to think, and argue, and act. Surveillance chills behavior and speech, and undermines democracy.

But there is a tangent to the four scopes of privacy, and it is Philosophical. The Philosophy of Privacy dives into the concepts of dignity and integrity. The word integrity comes from a Latin word, “INTEGRA”; in plain English it is INTEGER. An integer is always whole with no fractions, so the Philosophy of Privacy is really about ETHICS, DIGNITY and INTEGRITY.

The Sensitivity of Location Data on Digital Contact Tracing

Let me take a stab at location data, which will be part of the 2nd edition of the Social and Privacy Impact of Contact Tracing.

In global standards such as the Global Data Protection Regulation (GDPR), compliance applies whenever the use of location data involves processing of personal data. This means any data processed in electronic form or by an electronic communication service / channel indicating the geographic position of the terminal (phone, car, tablet, laptop) in public using GPS or cell tower triangulation. In the EU there is a directive called ePrivacy that deals with IoT devices; it also defines that a terminal using GPS needs to be protected, and this can be linked to the rights of data subjects in any Data Privacy Act. In the Philippines and in other countries there is no ePrivacy Directive, but it can be related to the eCommerce Law, which is RA 8792, the Data Privacy Act of 2012 / RA 10173 and the CyberCrime Law of 2012 / RA 10175.

IOT in the context of EPrivacy Directive requires an individual to give an opt-in consent to use location data to provide a value-added service.

The information requirements for location data need to be itemized in a privacy notice, and the purpose and duration of the processing must be explicitly stated. Since, by its nature, location data is always shared with a 3rd party or a joint controller, the process must also be stated in the notice and in the internal policy.

The last important aspect of location data is our ability to withdraw consent. As data subjects we have the right to opt out, and the controller and processor need to show evidence that the location data has indeed been erased in an end-to-end manner.

Let us relate this to contact tracing and the solutions being provided by most countries in the world to address the coronavirus. Digital Contact Tracing as proposed by most countries, such as Singapore, South Korea and Australia among others, can be classified as either a Privacy Enhancing Technology (PET) or a Privacy Impacting Technology (PIT). A PET can help us solve a problem such as the coronavirus with privacy in mind and implements Privacy by Design, while a PIT impacts our privacy as data subjects in the Territorial, Information, Bodily or Communication domain.

These four domains of Privacy define how we act as persons, because Territorial and Bodily answer to our rights as human beings under our bill of rights and even the 4th amendment of the US Constitution, while the Data Privacy aspects are answered by Information and Communication. Information Privacy involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records, which is commonly known right now as Data Privacy / Data Protection.

But let us put our focus on Communication Privacy which covers the security and privacy of mail, telephones, e-mail and other forms of communication including location data.

————————————————————–

Let’s look at the two sources of location data for modelling:

  1. Location data collected by electronic communication service providers (such as mobile telecommunication operators) during the provision of their service; and
  2. Location data collected by application developers, or what the EU calls “information society service providers”, whose functionality requires the use of such data (e.g., navigation, transportation services, etc.).

The European Data Protection Board or EDPB states that location data collected from electronic communication providers may only be processed within the remits of Articles 6 and 9 of the EPrivacy Directive. This means that these data can only be transmitted to authorities or other third parties if they have been anonymized by the provider or, for data indicating the geographic position of the terminal equipment of a user, which are not traffic data, with the prior consent of the users.

The EDPB also pointed out with emphasis that when it comes to using location data, preference should always be given to the processing of anonymized data rather than personal data.

Anonymization refers to the use of a set of techniques to remove the ability to link the data with a natural person, judged against a “reasonability test”. We must consider the objective of the problem when it was first conceived and the contextual elements that may vary from country to country in the case of contact tracing applications.

In contact tracing, accountability is very important, so the Controller of any Digital Contact Tracing Application should be clearly defined. In other countries these contact tracing apps are sponsored and made by the government; what is unique in the Philippines is that the private sector donated these applications without proper vetting from the proper authorities (DICT), which is why there is mistrust of contact tracing. Normally, a contact tracing application is owned by health authorities. In the case of the Philippines there are two: the Department of Health (DOH) is using COVID Kaya and IATF / NTF / DILG is using StaySafe, and the definition of controller and processor among the parties involved is vague. If the deployment of these apps involves different actors, their roles and responsibilities must be clearly established from the onset and must be explained to the users.

In addition, under the principle of purpose limitation, the purpose must be specific enough to exclude further processing for purposes unrelated to the management of the health crisis (e.g. commercial, surveillance or law enforcement purposes). In the context of a contact tracing application, careful consideration should be given to the principles of data minimization and privacy by design:

  1. Contact tracing apps do not require tracking the location of individual users. Instead, proximity data should be used.
  2. As contact tracing applications can function without direct identification of individuals, mitigating measures should be employed to prevent re-identification.
  3. The collected information should reside on the mobile / terminal of the user, and only relevant information should be collected when necessary (there must be a process in place, to be triggered by health or local government units).

Recommendations:

  1. In accordance with privacy by design (PbD) and data minimization, the data processed should be reduced to the strict minimum.
  2. The application should not collect unrelated or unneeded information, which may include civil status, communication identifiers, messages, call logs, location data, device identifiers, etc.
  3. Data broadcast by applications must only include anonymized and pseudonymous identifiers.
  4. These identifiers must be renewed regularly, with the same model as RSA encrypted keys on both private and public tokens.
  5. Implementations for contact tracing can follow a centralized or a decentralized approach.
  6. These approaches must provide adequate security measures.
  7. Consideration must be given to weighing privacy in any process that may impact the rights of individuals.
  8. Cryptographic techniques must be implemented to secure the data stored in servers and the cloud.
  9. Authentication between the application and the server must also be performed using multi-factor authentication.
  10. The reporting of users as COVID-19 infected on the application must be subject to proper authorization. If confirmation cannot be obtained in a secure manner, no data processing should take place that presumes the validity of the user’s status.
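The recommendations on pseudonymous, regularly renewed identifiers and on keeping collected data on the user's device, sketched as an added example (not code from any of the apps discussed). It uses HMAC-SHA256 derivation from a per-day secret, as decentralized designs commonly do, rather than the RSA model named in the list; the 15-minute rotation, the 16-byte identifier length and all names are assumptions.

```python
import hashlib
import hmac
import os

EPOCH_SECONDS = 15 * 60                          # assumed rotation interval
EPOCHS_PER_DAY = 24 * 60 * 60 // EPOCH_SECONDS   # 96 identifiers per day


def ephemeral_id(daily_key: bytes, epoch: int) -> bytes:
    """Derive the identifier broadcast during one epoch of the day.

    Without daily_key, identifiers from different epochs cannot be linked
    to each other or to a person.
    """
    if not 0 <= epoch < EPOCHS_PER_DAY:
        raise ValueError("epoch out of range")
    msg = b"ephid" + epoch.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Device:
    """One phone: broadcasts rotating identifiers, stores what it hears locally."""

    def __init__(self, daily_key: bytes = None):
        # The daily key never leaves the phone unless the user reports
        # a confirmed infection (recommendation 10: authorization first).
        self.daily_key = daily_key or os.urandom(32)
        self.heard = set()   # observed identifiers stay on the device

    def broadcast(self, seconds_since_midnight: int) -> bytes:
        return ephemeral_id(self.daily_key, seconds_since_midnight // EPOCH_SECONDS)

    def observe(self, eph_id: bytes) -> None:
        self.heard.add(eph_id)

    def exposure_epochs(self, published_daily_key: bytes) -> list:
        """Match a published key against local observations, on the device."""
        return [
            epoch for epoch in range(EPOCHS_PER_DAY)
            if ephemeral_id(published_daily_key, epoch) in self.heard
        ]


def simulate():
    """Constructed scenario: Bob is near Alice twice, Carol only near Bob."""
    alice, bob, carol = Device(), Device(), Device()
    bob.observe(alice.broadcast(9 * 3600))             # 09:00
    bob.observe(alice.broadcast(9 * 3600 + 20 * 60))   # 09:20, next identifier
    carol.observe(bob.broadcast(9 * 3600))
    # Alice's report is authorized; only her daily key is published.
    return bob.exposure_epochs(alice.daily_key), carol.exposure_epochs(alice.daily_key)


if __name__ == "__main__":
    bob_hits, carol_hits = simulate()
    print("Bob exposed in epochs:", bob_hits)
    print("Carol exposed in epochs:", carol_hits)
```

No name, phone number or location is broadcast or uploaded in this design; the server only ever sees the daily keys of users whose reports were authorized.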

In the end, these kinds of applications must be strictly voluntary and cannot be forced, because there is a thin line between contact tracing and surveillance systems. Individuals must always have full control over their data, and the public should be able to choose freely whether to use such an application.

2nd Series on Permissions on Contact Tracing App mandated by PH Government

Since I wrote the article on the permissions of COVID KAYA and Stay Safe, and I am the one who created the analysis and the blog in the first place, let me answer some of the questions on the first study. We are not singling out Stay Safe, and we are not even attacking Multisys; that is why we have parity with COVID-Kaya, which is being used by WHO and DOH. The analysis of the permissions is just a first step. After the blog went viral, the Data Protection Exchange (DPEX) Network of Straits Interactive (Singapore based) even held a webinar on the “Comparative Review of Contact Tracing Apps in the ASEAN countries”, which includes an analysis of Stay Safe. The analysis by DPEX is part of the published report of the Global Privacy Enforcement Network (GPEN).

The survey parameters were benchmarked on the GPEN sweep, which conducted a global privacy sweep of mobile apps. That sweep involved the participation of 25 privacy enforcement authorities around the world.

It assessed the following:

  • the types of permissions sought by a surveyed app
  • whether those permissions exceeded what would be expected based on the app’s functionality and privacy notice
  • most importantly, how the app explained to consumers why it wanted the personal data and what it planned to do with it

Let us first explain what a “PERMISSION” in a mobile application is. A permission in an app protects the privacy of the user of the app. Every application developer must include an “app manifest”, which is a list of the permissions (libraries) that the app uses.

Every phone has an operating system, like the ones we have on our laptops, tablets and PCs. On mobile the commonly used ones are iOS and Android, and permissions are categorized into two:

  • Normal permissions
    • This kind of permission does not directly risk the user’s privacy
  • Dangerous permissions
    • This kind of permission gives the application access to the user’s personal data on their mobile phone, such as contacts and SMS messages, as well as certain system features, such as the camera and location data.
    • If a dangerous permission is requested, privacy laws do not allow personal data to be collected or disclosed unless the user gives consent
    • In addition, privacy laws such as the GDPR, PDPA or our RA 10173 (Data Privacy Act) generally restrict “dangerous permissions” to personal data that the app may collect, use or disclose while the user is actually using it. They do not allow apps to collect, use or disclose personal data simply because the user downloaded the app.

To illustrate we have listed the dangerous permissions:

| Permission Categories | Permissions | Stay Safe | COVID KAYA |
|---|---|---|---|
| Camera | Camera | Yes | Yes |
| Contacts | Read Contacts, Write Contacts, Delete Contacts, Get Accounts | Yes | Yes |
| Location | Access Fine Location, Access Coarse Location, Bluetooth | Yes | Yes |
| Microphone | Record Audio | Yes – as a by-product of Camera | Yes |
| Phone | Read Phone State, Call Phone, Read Call Log, Write Call Log, Add voice mail, Process Outgoing Calls | Yes | Yes |
| SMS | Send SMS, Receive SMS, Read SMS, Receive WAP Push, Receive MMS | Yes – even if they are not accessing it directly, they have turned on the Contacts and Phone permissions, which eventually use this permission | Yes |
| Calendar | Read Calendar, Write Calendar | | Yes |
| Storage | Read External Storage, Write External Storage | Yes | Yes |
| Settings | Write Settings | | Yes |
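An added example, not part of the original article or of either app's code: a small Python audit that reads the `uses-permission` entries of an app manifest, groups them by the categories in the table above, and flags the groups that the app's stated functions do not justify, which is the check the GPEN sweep describes. The sample manifest, the package name `ph.example.tracer` and the `FEATURE_NEEDS` mapping are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Groups follow the article's table of dangerous permissions; Bluetooth and
# Write Settings are placed where that table places them.
DANGEROUS_GROUPS = {
    "Camera": {"CAMERA"},
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "Location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "BLUETOOTH"},
    "Microphone": {"RECORD_AUDIO"},
    "Phone": {"READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG",
              "WRITE_CALL_LOG", "ADD_VOICEMAIL", "PROCESS_OUTGOING_CALLS"},
    "SMS": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS"},
    "Calendar": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "Storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "Settings": {"WRITE_SETTINGS"},
}

# Assumption for this example: which groups each function named in a privacy
# notice can justify. A real review would derive this from the notice itself.
FEATURE_NEEDS = {
    "qr_code": {"Camera"},
    "photo_upload": {"Camera", "Storage"},
    "proximity_tracing": {"Location"},
}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="ph.example.tracer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the sorted short names of every permission the manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(f"{{{ANDROID_NS}}}name")
            if name:
                # android.permission.CAMERA -> CAMERA
                names.add(name.rsplit(".", 1)[-1])
    return sorted(names)


def audit(manifest_xml, features):
    """Group requested permissions and flag groups no stated feature justifies."""
    justified = set()
    for feature in features:
        justified |= FEATURE_NEEDS.get(feature, set())
    report = {"dangerous": {}, "excess": {}, "other": []}
    for perm in declared_permissions(manifest_xml):
        group = next((g for g, members in DANGEROUS_GROUPS.items()
                      if perm in members), None)
        if group is None:
            report["other"].append(perm)      # not in the article's table
            continue
        report["dangerous"].setdefault(group, []).append(perm)
        if group not in justified:
            report["excess"].setdefault(group, []).append(perm)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, {"qr_code", "proximity_tracing"})
    for group, perms in result["excess"].items():
        print(f"not justified by stated functions: {group}: {', '.join(perms)}")
```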

As per DPEX and GPEN, the following apps have dangerous permissions. The danger here is that, most of the time, people just accept the app and disregard the privacy notice and the permissions of the app. A privacy notice is really a promise by the developer to safeguard and protect the privacy of its stakeholders.

Among the ASEAN tracing apps it is good to note that Singapore’s Trace Together and Vietnam’s Blue Zone use the least permissions.

If you look at the table above, the study done by DPEX only counts the direct permissions and does not consider the by-products of other permissions; it is definitely more than 7 for Stay Safe (11).

Below are some potential risks if these permissions are abused by either the developers or a threat actor (hacker):

| Permissions | If abused |
|---|---|
| Camera | When the camera permission is accessed, it can also access the audio or microphone permissions. So, if abused by a threat actor, the app can watch the user via the camera and can eavesdrop on conversations without you knowing it. |
| Device App and History | Using this permission, an app can read sensitive phone data and retrieve the phone's system state: call log, call state, browsing information and history. In addition to reading accounts and logs from other apps, apps using this permission can store usernames and passwords. |
| Location | Apps using this permission can identify the user’s location within several feet and track their every movement. We need to note that even if users turn on only Bluetooth and not GPS, Bluetooth uses its parent permission library, which is part of the GPS locator. Access Coarse Location accesses WiFi and cell sites and, if abused, can triangulate your whereabouts. This can easily be used as a surveillance app to track whereabouts. |
| Media Storage | Apps using this permission can read the contents of the user’s shared storage (USB device and SD card) as well as format their entire external storage device. |
| Calendar | If abused, the threat actor will know your appointments and your location as well. |
| SMS | If abused, as happened with the lending apps, it can easily get your contacts and send messages with malicious intent to the user’s contacts. |

The two tables below summarize the findings of DPEX and GPEN.

In the table above, DPEX assessed Stay Safe to have permissions that are excessive, along with the contact tracing apps of Indonesia, Thailand and Malaysia. But let us go back for a while and look at how Stay Safe works:

  1. User downloads the app and registers his or her mobile phone number.
  2. App uses OTP to authenticate user registration.
  3. User provides name, age, location, gender, photo, company name.
  4. The user is assigned a QR code as an ID  
  5. Optional:
    1. Users can turn on mobile phone Bluetooth signals (option).
    2. Users can turn on location (option).

The privacy statement and privacy notice of Stay Safe are a little bit confusing, because on the splash screen they mention that they are not getting any personal identification information, while on the privacy notice they also mention that

“When you create an account with StaySafe.PH, we ask only for your nickname/alias, mobile number, age, gender, photo (optional), company name (optional), location (if enabled), and signs and symptoms being experienced if any.

Although not required, you may also provide nicknames and symptoms experienced by family members living with you who do not have access to StaySafe.PH.”

This information is PII in context, and some of it may be categorized as sensitive personal information by the National Privacy Commission; in fact, they are collecting personal data of the users.

Another confusing statement…

“If you provide some information and health condition of your family members to us, we will construe that you have obtained the necessary consent from them to both the disclosure and the processing of his personal information in accordance with our policy.”

This means that they are mandating their users to be processors of data, which bypasses the consent of the person being nominated.

And on the retention of data…

“For as long as necessary unless you request the deletion of your information, after which these will be securely deleted. However, we may retain your information when required by law”.

This only means that opt-outs are not enforceable, and users cannot really be sure that there is evidence of erasure under the right to be forgotten. There is also no assurance that once you delete this application from your phone, your personal data is deleted on the servers as well.

On Location, based on the privacy notice:

  1. Your location, when enabled by you, is collected to facilitate the Government in contact tracing.
  2. The StaySafe.ph privacy statement does not say anything specific about how it uses the device’s Bluetooth feature.

The statement about location is inconsistent with the permissions listed (for which consent is sought by the app when downloading it):

  1. approximate location (network-based)
  2. precise location (GPS and network-based)
  3. Bluetooth and GPS are turned on at startup; even if you turn them off, they turn back on in the background

Also, based on the privacy statement:

When you use the StaySafe.PH website and/or the StaySafe.PH mobile app, the following information may also be obtained:

  1. Geolocation (if enabled), browser information (type, version, plug-ins), connection details (date, time, length of visit to pages, IP address), device information (device, operating system), activity (pages viewed, searches, scrolling, clicks, mouse-overs, page response time, platforms and referrers), page interaction information (e.g., scrolling, clicks, and mouse-overs), other technical details (downloads, errors) may be collected automatically;
  2. Information contained in any communication or report that you submit to StaySafe.PH, including metadata associated with such communication; and
  3. Information that you post to StaySafe.PH or submit for publication on the internet, including your nickname/alias, photo, and the content of your post/s.

On Camera.

The statement is lacking when compared with the permissions listed in the manifest file:

  1. To generate and use the QR code
  2. To upload photo

Based also on some interviews with Multisys, the camera / QR code is being used for a quarantine pass, which in turn tracks the movement of a person.

To conclude, we are not really saying that contact tracing apps are bad and are being used as surveillance apps, but these dangerous permissions can be abused by threat actors / hackers. These kinds of applications / systems need to employ secure coding as a best practice, and if they have a privacy office it needs to brush up on its knowledge and skills, given the inconsistencies between what is being implemented by the development team and by the Data Privacy / Information Security teams.

It is also good to note that the Philippines is unique in its strategy, since it is the only one that outsourced the development to a 3rd party, while in other countries the government did it on its own. So privacy notices are very important to establish the relationship of the stakeholders, because people will ask:

  1. Who owns the data?
  2. Who is the Controller? Who decides on the collection?
  3. Is Multisys really a controller, since the app is really deciding on the manner of collection?
  4. As a Processor has no personality in decision making, who is giving the instructions to the processor? DICT? IATF?
  5. Are data secured at rest and in motion?
  6. Are they using cloud? We presume they are, because there is a database tracker from Google Firebase. Are they compliant with cross-border data transfer rules, since they have a cloud provider?
  7. If they are using cloud services, is the source code escrowed? Is DICT the owner of the application and the controller? If this was really donated to DICT, why is it not being hosted in a data center in the Philippines?
  8. We need to understand that Privacy Principles must be implemented – Transparency, Legitimate Purpose and Proportionality (Not Excessive, Use Data Minimization)
  9. And a Privacy Impact Assessment is crucial in identifying privacy and security risks
  10. The PIA must have Organizational, Physical and Technical Measures for the risks identified on Confidentiality, Integrity and Availability

Tracing App in the Philippines – Too much Permission.

We are writing a review of the two tracing apps / systems that the Philippine Government is using and mandating LGUs to use. These are Stay Safe and COVID-KAYA. Stay Safe was done by Multisys and is being positioned as the official tracing app for IATF / NTF, while COVID-KAYA is the official system being used by the Department of Health (DOH) and World Health Organization (WHO). We ran Exodus, a privacy app that analyzes the permissions of an application in the Play Store. These permissions are libraries that a developer accesses and uses; the permissions are logged in a file which we call manifest.xml prior to submission to the app store for publishing.

Below are the screenshots for both Stay Safe and COVID-Kaya.

As we can see above, COVID-KAYA has 42 permissions and Stay Safe has 16 permissions and 1 tracker, since we are assuming that the database of Stay Safe is using Google Firebase. Permissions are not really bad, but we as citizens need to ask why these apps are collecting, using and accessing the libraries:

  • Camera – take pictures and videos without confirmation
  • Modify System Settings – allows the app to modify systems settings of data. Malicious apps may corrupt system configuration
  • Read Contacts – allows the app to read data about your contacts stored on your phone, including the frequency with which you have called, emailed or communicated. This permission allows apps to save your contact data and malicious apps may share contact data without your knowledge
  • Write Contacts – allows the app to modify data about your contacts stored on your phone, this permission allows apps to delete contact data
  • Get Accounts – allows apps to get the list of accounts known by the phone, this may include any accounts created by applications you have installed.
  • Access Coarse Location (Network Based) – allows the app to get your approximate location, this location is derived by location services using network location sources such as cell towers and WiFi
  • Access Fine Location (GPS) – allows the app to get precise location using Global Positioning System
  • Bluetooth – automatic pairing
  • Record Audio – allows the app to record audio
  • Read Phone State – allows the app to access the phone state if you are calling someone. This permission allows the app to determine phone number and device id
  • Read External Storage – allows the app to read data on the SD Card, if any

As stated above, we have listed the types of permissions these two applications are using and accessing, and we as privacy and security practitioners are concerned about why they need:

  • Camera – a tracing app doesn’t need any camera, since the tracing is being done in the background using Bluetooth and other high frequency
  • Modify System Settings – why are they modifying system settings? This may be borderline malware
  • Read Contacts – Why do they need to read my contact details? The personal information in the contacts is sensitive enough if this is breached. We know for a fact that the National Privacy Commission filed cases against lending apps in 2019 because of this scenario
  • Write Contacts – This permission should not be touched by the tracing application, because it might modify and delete contacts, which may even result in identity theft
  • Get Accounts – we don’t understand this. Why do they need to access other accounts that were created by different applications on the phone?
  • Access Coarse Location (Network Based) – Is it even part of the privacy notice that they can triangulate the location from the cell towers?
  • Access Fine Location (GPS) – maybe we can ask what model they are using: a centralised or a decentralised approach
  • Bluetooth – automatic pairing – this is acceptable in order to do contact tracing
  • Record Audio – Are these apps eavesdropping? This may amount to wiretapping, which needs a warrant before it is permitted
  • Read Phone State – Why do they need to monitor if a person is calling?
  • Read External Storage – and lastly, why do they need to read my data on my SD Card?

These are just some questions that we as citizens need to ask….

COVID-19 and the right to Privacy

In this time of crisis we are facing due to COVID-19 there are only two things we need to focus on:

1. Safety and
2. Protection

Safety of the individual from getting COVID-19: the prevention measures we need to put in place, such as cleaning, personal hygiene and social distancing, are very important priorities for each individual and our families right now. And if we contract it, what are the procedures that we need to follow?

Safety countermeasures are very important outside of our home from barangays, LGU and hospitals. As individuals we need to educate ourselves on these measures outside our homes.

Protection, on the other hand, is about protecting the individual. In this time of COVID-19 digital risk is very high, due to the fact that when we started ECQ we became 100% digital. People may argue that we do not need privacy in this time of crisis and that we just need to save lives. That is true, which is why RA 10173 / the Data Privacy Act has an exemption if it is a matter of life and death.

But we also need to balance this out, especially on PUIs and PUMs. The call last week by PMA and IBP for the lifting of confidentiality on PUMs and PUIs may have merit, but the issue is not confidentiality; it is about honest disclosure by a patient, as in the case of Senator Koko Pimentel visiting Makati Medical Center a few weeks ago without disclosing that he has the virus.

RA10173 may be a special law because of the change in times and the change of business models, but we need to understand that privacy is based on our Bill of Rights in Article 3 Section 2 of the Constitution, which emanates even from the 4th Amendment of the US Constitution and the common laws of England dating back to 1630.

Article 3 of the Bill of Rights states that:

Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.

Sec. 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.

As Commissioner Mon Liboro has mentioned we have laws that are in place and RA 11332 (An Act Providing Policies and Prescribing Procedures on Surveillance and Response to Notifiable Diseases, Epidemics, and Health Events of Public Health Concern) can be imposed on such cases that is complementary to the Data Privacy Act / RA 10173.

To note, RA 11332 mandates patients, PUIs, and PUMs to be fully transparent and truthful to DOH, hospitals, and other pertinent public authorities on the personal data (travel and medical history, etc.) requested from them. Such information will be material for health and local institutions to treat them and/or properly contain the spread of the infectious disease in a timely manner. Where they falter in cooperation, as when they refuse to provide details or conceal required information, patients can be penalized with imprisonment and hefty fines under the act.

As the late Judge Brandeis once said on the landmark case in 1928… “The right to be let alone is the most comprehensive of rights and the right most valued by civilized men”

Data Privacy as an Enabler

Data privacy took the banner headline in 2018 with the implementation of the new GDPR in May 2018 and the adoption of the Data Privacy Act in Asia, especially in the Philippines, which penalizes an offender with imprisonment and some penalties. But even though GDPR has no imprisonment attached to it, the penalty can be up to 20M Euros or 4% of the Profit of the Company violating it.

But most people or enterprises see just the penalty, while the law actually acts as an enabler for the enterprise to be more trustworthy with regard to its data and its integrity. The Data Privacy Act enables us as companies to be trustworthy with our clients; our customers are in fact the owners of the data, not us as companies. We only process it and have limited control over it for a certain period (not infinity).

It also challenges our culture not to be a willing victim with our privacy. I was talking to the CEO of a blockchain company and she mentioned that this is all just hype because all our data are already out there on Facebook, Twitter, SnapChat, WeChat, Viber etc… Maybe she has a point, but as a company we need to know the integrity of the data we process, be it employee data, business partner data or customer information. As professionals and leaders of our enterprise we need to challenge ourselves on how we do business and ask the question of why we are collecting this datapoint. We need to include privacy in the projects we embark on and in our operations (BAU). It encourages us to have a risk-based approach to doing our business / projects.

I invite you to look at etisphere.com

A portfolio of the world’s most ethical companies consistently outperforms the market during the period analysed by Ethisphere, both in times of growth and during market decline…

In the end it is not just about compliance; it’s a trust issue. It may sound ambitious, and IT leaders would say that innovation can never be a compliance game and that we need to be fast and agile, otherwise our competitors will crush us, but the law gives us the opportunity to build privacy and security by design into our initiatives. By doing security and privacy by design we will have the confidence and integrity that the data we process are in fact true and correct, and I quote Patricia Aburdene (MegaTrends 2010)…

Transcendent values like trust and integrity literally translate into revenue, profits and prosperity.

Data Privacy Day – BREATHE

We celebrated Data Privacy Day on January 28, 2020! Some sectors are now proposing an amendment of the special law that we nowadays call the “Data Privacy Act”. In 2012 the law was passed through the efforts of the late Senator Angara, the IRR was published in 2016, the newly formed commission started its campaign in 2017, and fast forward, we are now in 2020.

Some of the suggestions based on the proposal of the good Congressman of Tarlac are stiffer penalties including administrative fines not exceeding 5M PhP, additional classification of personal information and sensitive personal information on the different sector that is deemed sensitive on that sector, organizational structure of the commission, introduction of personal data on minors, some additional clause on offense by a public officer and the commission can launch conferences in the advancement of the general public etc…

There are good points and not so good points, but my suggestion is to let the law breathe first. The implementation of RA10173 is barely two years old; let the commission flex its muscle before amending the law. Laws should be universal, and the incidentals can be handled in circulars, as has been done in the past.

Personally, I think the most pressing matter is the development of the ecosystem, the compliance and registration of the 2M companies (NPC has only 35k companies registered to date), the education of the current pool of Data Privacy Officers, and making the country a center of excellence on Data Privacy and Protection in the region.

We need to understand that RA10173 is a special law on data that targets personal information and classifies personal data as an asset under both civil law and commercial law.

CIVIL LAW because of the 8 rights of our citizens – the Right to be INFORMED, to OBJECT, to ACCESS, to CORRECT / RECTIFY, to BLOCK / REMOVE, to DATA PORTABILITY, to file a COMPLAINT and to be INDEMNIFIED.

Commercial Law because we need to understand the basics: DATA is considered an ASSET, and personal information or customer information, intangible as it may be, is one of the most important assets nowadays. As the business model of each enterprise changes, our classification of assets also changes.

Corporations / juridical entities must understand that their organization is dependent on the productivity of four assets:

  • People
  • Information / Data 
  • Technology 
  • Facilities 

As I mentioned, as we creatively change our business model canvas our strategy changes and our data becomes bigger and bigger. We have to treat personal information as an asset, because as we collect more the data becomes more valuable, and as we collect less it becomes smaller in value.

And in order to be resilient in this day, we need to realize two things in corporate: we need to sustain our asset and protect it.

We discussed earlier that this law is due to the change in times and to the actions being done creatively by companies in this age. We need to understand that this is a special law and that it is anchored on the Bill of Rights in Article 3 Section 2, which was also patterned on the Fourth Amendment of the US Constitution.

Below are a series of events on Privacy Law including the Philippine implementation.

Privacy has been there for so long, and Justice Brandeis in the 1928 case mentioned:

“The right to be let alone is the most comprehensive of rights and the right most valued by civilized men”

*We can discuss the 1928 case but it will take a day of discussion…

As I mentioned, law must be universal, and implementation must be put inside the implementing rules and regulations or in circulars, and consultation can be done by giving advisories.