The Sensitivity of Location Data on Digital Contact Tracing

Let me take a stab at location data, which will be part of the 2nd edition of the Social and Privacy Impact of Contact Tracing.

Under global standards such as the General Data Protection Regulation (GDPR), compliance applies whenever the use of location data involves the processing of personal data. This covers any data processed in electronic form, or by an electronic communication service or channel, that indicates the geographic position of a terminal (phone, car, tablet, laptop) in public using GPS or cell tower triangulation. In the EU there is also a directive called the ePrivacy Directive that deals with IoT devices; it defines that a terminal using GPS needs to be protected, and this can be linked to the rights of data subjects under any data privacy act. In the Philippines and in other countries there is no ePrivacy Directive, but the same concerns can be related to the eCommerce Law (RA 8792), the Data Privacy Act of 2012 (RA 10173) and the Cybercrime Law of 2012 (RA 10175).

IoT, in the context of the ePrivacy Directive, requires an individual to give opt-in consent before location data is used to provide a value-added service.

The information requirements for location data need to be itemized in a privacy notice, and the purpose and duration of the processing must be explicitly stated. Since location data is by its nature always shared with a third party or a joint controller, that process must also be stated in the notice and in the internal policy.

The last important aspect of location data is our ability to withdraw consent. As data subjects we have the right to opt out, and the controller and processor need to show evidence that the location data has indeed been erased in an end-to-end manner.

Let us relate this to contact tracing and the solutions being provided by most countries in the world to address the coronavirus. Digital contact tracing as proposed by most countries, such as Singapore, South Korea and Australia among others, can be classified as either a Privacy Enhancing Technology (PET) or a Privacy Impacting Technology (PIT). A PET can help us solve a problem such as the coronavirus with privacy in mind and has implemented Privacy by Design, while a PIT impacts our privacy as data subjects in one of four domains: Territorial, Information, Bodily or Communication.

These four domains of privacy define how we act as persons. Territorial and Bodily privacy answer to our rights as human beings, which are found in our Bill of Rights and even in the 4th Amendment of the US Constitution, while the data privacy aspects are answered by Information and Communication privacy. Information privacy involves the establishment of rules governing the collection and handling of personal data such as credit information and medical and government records; it is commonly known today as Data Privacy / Data Protection.

But let us put our focus on Communication Privacy, which covers the security and privacy of mail, telephones, e-mail and other forms of communication, including location data.

————————————————————–

Let’s look at the two sources of location data for modelling:

  1. Location data collected by electronic communication service providers (such as mobile telecommunication operators) during the provision of their service; and
  2. Location data collected by application developers, or what the EU calls information society service providers, whose functionality requires the use of such data (e.g., navigation, transportation services, etc.).

The European Data Protection Board (EDPB) states that location data collected from electronic communication providers may only be processed within the remits of Articles 6 and 9 of the ePrivacy Directive. This means that these data can only be transmitted to authorities or other third parties if they have been anonymized by the provider or, for data indicating the geographic position of a user's terminal equipment that are not traffic data, with the prior consent of the users.

The EDPB also emphasized that when it comes to using location data, preference should always be given to the processing of anonymized data rather than personal data.

Anonymization refers to the use of a set of techniques to remove the ability to link the data with a natural person, judged against a “reasonability test”. We must consider the objective of the problem when it was first framed and the contextual elements, which may vary from country to country in the case of contact tracing applications.

In contact tracing, accountability is very important, so the controller of any digital contact tracing application should be clearly defined. In other countries these contact tracing apps are sponsored and made by the government; what is unique in the Philippines is that the private sector donated these applications without proper vetting by the proper authorities (DICT), which is why there is mistrust of contact tracing. Normally, a contact tracing application is owned by the health authorities; in the case of the Philippines there are two: the Department of Health (DOH) is using COVID Kaya and the IATF / NTF / DILG is using StaySafe, and the definition of who is the controller and who is the processor among the parties involved is vague. If the deployment of these apps involves different actors, their roles and responsibilities must be clearly established from the onset and explained to the users.

In addition, under the principle of purpose limitation, the purpose must be specific enough to exclude further processing unrelated to the management of the health crisis (e.g. commercial, surveillance or law enforcement purposes). In the context of a contact tracing application, careful consideration should be given to the principles of data minimization and privacy by design:

  1. Contact tracing apps do not require tracking the location of individual users. Instead, proximity data should be used.
  2. As contact tracing applications can function without direct identification of individuals, mitigating measures should be employed to prevent re-identification.
  3. The collected information should reside on the mobile / terminal of the user, and only relevant information should be collected when necessary (there must be a process in place, to be triggered by health or local government units).

Recommendations:

  1. According to PbD and data minimization, the data processed should be reduced to the strict minimum.
  2. The application should not collect unrelated or unneeded information, which may include civil status, communication identifiers, messages, call logs, location data, device identifiers, etc.
  3. Data broadcast by applications must only include anonymized or pseudonymous identifiers.
  4. These identifiers must be renewed regularly, following the same model as RSA-encrypted keys with both private and public tokens.
  5. Implementations for contact tracing can follow a centralized or a decentralized approach.
  6. These approaches must provide adequate security measures.
  7. Careful consideration must be given, weighing the privacy impacts of the process on the rights of individuals.
  8. Cryptographic techniques must be implemented to secure the data stored in servers and the cloud.
  9. Authentication between the application and the server must also be performed using multi-factor authentication.
  10. The reporting of users as COVID-19 infected on the application must be subject to proper authorization. If confirmation cannot be obtained in a secure manner, no data processing should take place that presumes the validity of the user’s status.
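To make recommendations 3, 4, 5 and 10 concrete, here is an added example; it is not code from this post, from StaySafe or from COVID KAYA, and it does not describe how either app actually works. It sketches a decentralized scheme: the phone derives a fresh pseudonymous identifier for every 15-minute interval from a random daily key using HMAC-SHA256, releases its daily keys to the server only against a one-time authorization code issued by the health authority, and matches exposures on the device against the published keys of confirmed cases, so observations never leave the phone. The 128-bit key size, the 15-minute interval, the `EphID` label and the one-time-code check are assumptions made for the illustration; HMAC derivation is used here as one way to implement regular renewal, not as the page's own key model.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this illustration (assumptions, not from any deployed app):
# one random temporary key per day, one ephemeral identifier per 15-minute interval.
INTERVALS_PER_DAY = 24 * 60 // 15  # 96


def new_daily_key() -> bytes:
    """Generate a fresh random 128-bit daily key. It stays on the phone unless the
    user is confirmed infected and authorizes the upload (see authorized_upload)."""
    return secrets.token_bytes(16)


def ephemeral_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the identifier broadcast over Bluetooth during one 15-minute interval.
    Without the daily key, the IDs cannot be linked to each other or to a person,
    which is what 'renewed regularly' buys: an observer sees only changing values."""
    if not 0 <= interval < INTERVALS_PER_DAY:
        raise ValueError("interval out of range")
    msg = b"EphID" + interval.to_bytes(2, "big")  # label is an assumption
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def ids_for_day(daily_key: bytes) -> list:
    """All 96 identifiers the phone will broadcast on one day."""
    return [ephemeral_id(daily_key, i) for i in range(INTERVALS_PER_DAY)]


def authorized_upload(daily_keys: list, user_code: str, issued_codes: set) -> list:
    """Recommendation 10: release the user's keys only against a one-time code the
    health authority issued for a confirmed case. Constant-time comparison avoids
    leaking how much of a guessed code matched. Returns [] when not authorized."""
    for code in issued_codes:
        if hmac.compare_digest(code, user_code):
            return list(daily_keys)
    return []


def match_exposures(observed_ids: set, published_keys: list) -> list:
    """Decentralized matching on the phone: re-derive the IDs of each published
    (day, key) of a confirmed case and intersect with what this phone observed.
    Returns the (day, interval) pairs where an exposure occurred."""
    hits = []
    for day, key in published_keys:
        for i in range(INTERVALS_PER_DAY):
            if ephemeral_id(key, i) in observed_ids:
                hits.append((day, i))
    return hits


if __name__ == "__main__":
    alice_key = new_daily_key()
    bob_observed = {ephemeral_id(alice_key, 40)}          # Bob's phone saw Alice at 10:00
    released = authorized_upload([alice_key], "CODE-123", {"CODE-123"})
    print("exposures:", match_exposures(bob_observed, [("2020-08-01", k) for k in released]))
```

The server in this design only ever stores daily keys of confirmed cases and the set of one-time codes it issued; the list of identifiers a phone has seen, which is the actual proximity history, is never uploaded.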

In the end, this kind of application must be strictly voluntary and cannot be forced, because contact tracing walks a thin line with surveillance systems. Individuals must always have full control over their data, and the public should be able to choose freely whether to use such an application.

2nd Series on Permissions of the Contact Tracing Apps Mandated by the PH Government

Since I wrote the article on the permissions of COVID KAYA and Stay Safe, and I am the one who created the analysis and blog in the first place, let me answer some of the questions on the first study. We are not singling out Stay Safe, and we are not even attacking Multisys; that is why we have parity with COVID-Kaya, which is being used by WHO and DOH. The analysis of the permissions is just a first step, and after the blog went viral the Data Protection Exchange (DPEX) Network of Straits Interactive (Singapore based) even held a webinar on the “Comparative Review of Contact Tracing Apps in the ASEAN Countries”, which includes an analysis of Stay Safe. The analysis of DPEX is part of the published report of the Global Privacy Enforcement Network (GPEN).

The GPEN sweep used benchmarked survey parameters to conduct a global privacy sweep of mobile apps. That sweep involved the participation of 25 privacy enforcement authorities around the world.

It assessed the following:

  • the types of permissions sought by a surveyed app
  • whether those permissions exceeded what the app’s functionality and privacy notice justified
  • most importantly, how the app explained to consumers why it wanted the personal data and what it planned to do with it

Let us first explain what a “PERMISSION” in a mobile application is. A permission in an app protects the privacy of the user of the app. Every application developer must include an “app manifest”, which is a list of the permissions (libraries) that the app uses.

Every phone has an operating system, like what we have in our laptops, tablets and PCs. In mobile the commonly used ones are iOS and Android, and permissions are categorized into two:

  • Normal permissions
    • This kind of permission does not directly risk the user’s privacy
  • Dangerous permissions
    • This kind of permission gives the application access to the user’s personal data on their mobile phone, such as contacts and SMS messages, as well as certain system features, such as the camera and location data.
    • If a dangerous permission is requested, privacy laws do not allow personal data to be collected or disclosed unless the user gives consent
    • In addition, privacy laws such as the GDPR, PDPA or our RA 10173 (Data Privacy Act) generally restrict “dangerous permissions” to personal data that the app may collect, use or disclose while the user is actually using it. They do not allow apps to collect, use or disclose personal data simply because the user downloaded the app.

To illustrate, we have listed the dangerous permissions:

| Permission category | Permissions | Stay Safe | COVID KAYA |
|---|---|---|---|
| Camera | Camera | Yes | Yes |
| Contacts | Read Contacts, Write Contacts, Delete Contacts, Get Accounts | Yes | Yes |
| Location | Access Fine Location, Access Coarse Location, Bluetooth | Yes | Yes |
| Microphone | Record Audio | Yes – as a by-product of Camera | Yes |
| Phone | Read Phone State, Call Phone, Read Call Log, Write Call Log, Add Voicemail, Process Outgoing Calls | Yes | Yes |
| SMS | Send SMS, Receive SMS, Read SMS, Receive WAP Push, Receive MMS | Yes – even if they are not accessing it directly, they have turned on the Contacts and Phone permissions, which eventually use this permission | Yes |
| Calendar | Read Calendar, Write Calendar | | Yes |
| Storage | Read External Storage, Write External Storage | Yes | Yes |
| Settings | Write Settings | | Yes |

As per DPEX and GPEN, the following apps have dangerous permissions. The danger here is that most of the time people just accept the app, disregarding the privacy notice and the permissions of the app; a privacy notice is really a promise by the developer to safeguard and protect the privacy of its stakeholders.

Among the ASEAN tracing apps, it is good to note that Singapore’s Trace Together and Vietnam’s Blue Zone use the fewest permissions.

If you look at the table above, the study done by DPEX only counts the direct permissions and does not consider the by-products of other permissions; counted that way, it is definitely more than 7 for Stay Safe (11).

Below are some potential risks if these permissions are abused by either the developers or a threat actor (hacker):

| Permission | If abused |
|---|---|
| Camera | Even if only the camera permission is granted, the app can also access the audio or microphone permissions. So, if abused by a threat actor, the app can watch the user via the camera and eavesdrop on conversations without the user knowing it. |
| Device, App and History | Using this permission reads sensitive phone data and retrieves the system phone state: call log, call state, browsing information and history. In addition to reading accounts and logs from other apps, apps using this permission can store usernames and passwords. |
| Location | Apps using this permission can identify the user’s location within several feet and track their every movement. Note that even if users do not turn on GPS and only enable Bluetooth, Bluetooth uses its parent permission library, which is part of the GPS locator. Access Coarse Location accesses WiFi and cell sites and, if abused, can triangulate your whereabouts. This can easily be used as a surveillance app to track whereabouts. |
| Media Storage | Apps using this permission can read the contents of the user’s shared storage (USB device and SD card) as well as format their entire external storage device. |
| Calendar | If abused, the threat actor will know your appointments and your location as well. |
| SMS | If abused, as happened with the lending apps, it can easily get your contacts and send malicious content to the user’s contacts. |

The two tables below summarize the findings of DPEX and GPEN.

[Image: screenshot of the DPEX / GPEN summary tables]

In the table above, DPEX assessed Stay Safe to have permissions that are excessive, along with Indonesia’s, Thailand’s and Malaysia’s contact tracing apps. But let us go back for a while and look at how Stay Safe works:

  1. User downloads the app and registers his or her mobile phone number.
  2. The app uses an OTP to authenticate the user registration.
  3. User provides name, age, location, gender, photo and company name.
  4. The user is assigned a QR code as an ID.
  5. Optional:
    1. Users can turn on mobile phone Bluetooth signals (optional).
    2. Users can turn on location (optional).

The privacy statement and privacy notice of Stay Safe are a little bit confusing, because on the splash screen they mention that they are not getting any personal identification information, while on the privacy notice they also mention that:

“When you create an account with StaySafe.PH, we ask only for your nickname/alias, mobile number, age, gender, photo (optional), company name (optional), location (if enabled), and signs and symptoms being experienced if any.

Although not required, you may also provide nicknames and symptoms experienced by family members living with you who do not have access to StaySafe.PH.”

This information is PII in context, and some of it may be categorized as sensitive personal information by the National Privacy Commission; in fact they are collecting personal data of the users.

Another confusing statement…

“If you provide some information and health condition of your family members to us, we will construe that you have obtained the necessary consent from them to both the disclosure and the processing of his personal information in accordance with our policy.”

This means that they are mandating their users to act as processors of data, bypassing the consent of the person being nominated.

And on the retention of data…

“For as long as necessary unless you request the deletion of your information, after which these will be securely deleted. However, we may retain your information when required by law”.

This only means that opt-outs are not enforceable, and users cannot really be sure there is evidence of erasure under the right to be forgotten. There is also no assurance that once you delete this application from your phone, your personal data is deleted on the servers as well.

On Location, based on the privacy notice:

  1. Your location, when enabled by you, is collected to facilitate the Government in contact tracing.
  2. The StaySafe.ph privacy statement does not say anything specific about how it uses the device’s Bluetooth feature.

The statement about location is inconsistent with the permissions listed (for which consent is sought by the app when downloading it):

  1. approximate location (network-based)
  2. precise location (GPS and network-based)
  3. Bluetooth and GPS are turned on at startup; even if you turn them off, they are turned back on in the background

Also, based on the privacy statement:

When you use the StaySafe.PH website and/or the StaySafe.PH mobile app, the following information may also be obtained:

  1. Geolocation (if enabled), browser information (type, version, plug-ins), connection details (date, time, length of visit to pages, IP address), device information (device, operating system), activity (pages viewed, searches, scrolling, clicks, mouse-overs, page response time, platforms and referrers), page interaction information (e.g., scrolling, clicks, and mouse-overs), other technical details (downloads, errors) may be collected automatically;
  2. Information contained in any communication or report that you submit to StaySafe.PH, including metadata associated with such communication; and
  3. Information that you post to StaySafe.PH or submit for publication on the internet, including your nickname/alias, photo, and the content of your post/s.

On Camera.

The statement is lacking; with the permissions listed in the manifest file, the camera is used:

  1. To generate and use of the QR code
  2. To upload photo

Based also on some interviews with Multisys, the camera / QR code is being used for a quarantine pass, which in turn tracks the movement of a person.

To conclude, we are not really saying that contact tracing apps are bad or that they are being used as surveillance apps, but these dangerous permissions can be abused by threat actors / hackers. These kinds of applications / systems need to employ secure coding as a best practice, and if they have a privacy office, it needs to brush up on its knowledge and skills, given the inconsistencies between what is being implemented by their development team and their data privacy / information security teams.

It is also good to note that the Philippines is unique in its strategy, since it is the only one that outsourced the development to a third party, while in other countries the government did it on its own. So privacy notices are very important to establish the relationship of the stakeholders, because people will ask:

  1. Who owns the data?
  2. Who is the controller? Who decides on the collection?
  3. Is Multisys really a controller, since the app is really deciding on the manner of collection?
  4. As a processor has no personality in decision making, who is giving the instructions to the processor? DICT? IATF?
  5. Are data secured at rest and in motion?
  6. Are they using the cloud? We presume they are, because there is a database tracker from Google Firebase. Are they compliant with cross-border data transfer rules, since they have a cloud provider?
  7. If they are using cloud services, is the source code escrowed? Is DICT the owner of the application and the controller? If this was really donated to DICT, why is it not hosted in a data center in the Philippines?
  8. We need to understand that the privacy principles must be implemented: Transparency, Legitimate Purpose and Proportionality (not excessive; use data minimization).
  9. A Privacy Impact Assessment is crucial in identifying privacy and security risks.
  10. The PIA must specify organizational, physical and technical measures for the risks identified to Confidentiality, Integrity and Availability.

Tracing Apps in the Philippines – Too Many Permissions.

We are writing a review of the two tracing apps / systems that the Philippine Government is using and mandating LGUs to use. These are Stay Safe and COVID-KAYA. Stay Safe was done by Multisys and is being positioned as the official tracing app for the IATF / NTF, while COVID-KAYA is the official system being used by the Department of Health (DOH) and the World Health Organization (WHO). We ran Exodus, a privacy app that analyzes the permissions of applications on the Play Store. These permissions are libraries that a developer accesses and uses; each permission is then recorded in a file that we call manifest.xml prior to submission to the app store for publishing.

Below are the screenshots for both Stay Safe and COVID-Kaya.

As we can see above, COVID-KAYA has 42 permissions and Stay Safe has 16 permissions and 1 tracker, since we are assuming that the database of Stay Safe is using Google Firebase. Permissions are not really bad, but we as citizens need to ask why these apps are collecting, using and accessing these libraries:

  • Camera – take pictures and videos without confirmation
  • Modify System Settings – allows the app to modify the system’s settings data. Malicious apps may corrupt the system configuration
  • Read Contacts – allows the app to read data about your contacts stored on your phone, including the frequency with which you have called, emailed or otherwise communicated with them. This permission allows apps to save your contact data, and malicious apps may share contact data without your knowledge
  • Write Contacts – allows the app to modify data about your contacts stored on your phone; this permission allows apps to delete contact data
  • Get Accounts – allows apps to get the list of accounts known by the phone; this may include any accounts created by applications you have installed
  • Access Coarse Location (Network Based) – allows the app to get your approximate location; this location is derived by location services using network location sources such as cell towers and WiFi
  • Access Fine Location (GPS) – allows the app to get your precise location using the Global Positioning System
  • Bluetooth – automatic pairing
  • Record Audio – allows the app to record audio
  • Read Phone State – allows the app to access the phone state, e.g. whether you are calling someone. This permission also allows the app to determine the phone number and device ID
  • Read External Storage – allows the app to read data on the SD card, if any
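The checks behind the GPEN sweep (which permissions an app requests, and whether they exceed what its functionality and privacy notice justify) and the manifest reading described above can be automated. The following is an added example and is not code from this post, from Exodus, or from either app: it parses an Android manifest, classifies the requested permissions into the dangerous groups of the table in the earlier section, and reports the dangerous permissions that the privacy notice gives no reason for. The manifest embedded in it and the set of notice-justified permissions are constructed for the illustration and are not the real manifest or notice of Stay Safe or COVID-KAYA. Note that BLUETOOTH and INTERNET are normal-level permissions on Android (through Android 11), so they are listed but never flagged as dangerous here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Dangerous permission groups as listed in the table earlier in this post.
# BLUETOOTH and INTERNET are normal-level permissions and are deliberately absent.
DANGEROUS_GROUPS = {
    "Camera": {"CAMERA"},
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "Location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "Microphone": {"RECORD_AUDIO"},
    "Phone": {"READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG",
              "ADD_VOICEMAIL", "PROCESS_OUTGOING_CALLS"},
    "SMS": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS"},
    "Calendar": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "Storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}

# Constructed sample manifest for the illustration (not StaySafe's or COVID-KAYA's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.tracing">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

# Constructed example of what a privacy notice justifies: Bluetooth proximity
# tracing plus location "if enabled" need only these two.
NOTICE_JUSTIFIES = {"BLUETOOTH", "ACCESS_FINE_LOCATION"}


def requested_permissions(manifest_xml: str) -> list:
    """Return the short names of every <uses-permission> entry in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.append(name.rsplit(".", 1)[-1])
    return names


def classify(perms) -> dict:
    """Map each dangerous group to the requested permissions that fall in it."""
    groups = {}
    for p in perms:
        for group, members in DANGEROUS_GROUPS.items():
            if p in members:
                groups.setdefault(group, []).append(p)
    return groups


def excess_permissions(perms, justified) -> list:
    """Dangerous permissions the privacy notice gives no reason for
    (the second GPEN criterion: permissions exceeding functionality and notice)."""
    dangerous = {p for ps in classify(perms).values() for p in ps}
    return sorted(dangerous - set(justified))


def report(manifest_xml: str, justified) -> dict:
    """One-shot summary suitable for a review like the one in this post."""
    perms = requested_permissions(manifest_xml)
    return {
        "requested": len(perms),
        "dangerous_groups": classify(perms),
        "excess": excess_permissions(perms, justified),
    }


if __name__ == "__main__":
    r = report(SAMPLE_MANIFEST, NOTICE_JUSTIFIES)
    print(f"{r['requested']} permissions requested")
    for group, ps in r["dangerous_groups"].items():
        print(f"  dangerous/{group}: {', '.join(ps)}")
    print("not justified by the notice:", ", ".join(r["excess"]) or "none")
```

To use it on a real APK, extract and decode the binary AndroidManifest.xml with a tool such as apktool and pass the resulting text to `report`; the `justified` set is filled in by hand from the app's privacy notice, which is exactly the manual step the DPEX reviewers performed.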

As stated above, we have listed the types of permissions these two applications are using and accessing, and we as privacy and security practitioners are concerned about why they need:

  • Camera – a tracing app doesn’t need any camera, since the tracing is done in the background using Bluetooth and other high-frequency signals
  • Modify System Settings – why are they modifying system settings? This may be borderline malware
  • Read Contacts – why do they need to read my contact details? The personal information in the contacts is sensitive enough if it is breached. We know for a fact that the National Privacy Commission filed cases against lending apps in 2019 because of this scenario
  • Write Contacts – this permission should not be touched by a tracing application, because it might modify and delete contacts, which may even result in identity theft
  • Get Accounts – we don’t understand this. Why do they need to access other accounts that were created by different applications on the phone?
  • Access Coarse Location (Network Based) – is it even part of the privacy notice that they can triangulate the location from the cell towers?
  • Access Fine Location (GPS) – maybe we can ask which model they are using, a centralised or a decentralised approach
  • Bluetooth – automatic pairing; this is acceptable in order to do contact tracing
  • Record Audio – are these apps eavesdropping? This may result in wiretapping, which needs a warrant before it is permitted
  • Read Phone State – why do they need to monitor whether a person is calling?
  • Read External Storage – and lastly, why do they need to read my data on my SD card?

These are just some of the questions that we as citizens need to ask….