The adoption of StaySafe.ph is suspiciously linked to national security and intelligence agencies.
StaySafe.ph is not open-source, while available information on how the app works has been mostly provided by the developer.
Based on the government’s order in June 2020, collected data from StaySafe.ph is to be stored in the COVID-KAYA system, a system built for health authorities to submit reported COVID-19 cases, within 30 days. However, the data still remains with the developer, Multisys as of January 2021.
StaySafe.ph includes a geolocation tracking as an optional function, which a privacy-first app would not include at all.
The app was rolled out to public even though the assessment by the National Privacy Commission (NPC) had not yet been completed at the time.
A. The Development of Digital Contact Tracing in the Philippines
Following the spread of COVID-19, the Philippines first expressed its interest in working with Singapore to develop technology similar to that of TraceTogether, Singapore’s contact tracing app, in its response to the pandemic. However, the plan has since changed: the contact tracing app, called StaySafe.ph, was launched and was developed instead by a local technology company, Multisys Technologies Corp.
StaySafe.ph was first launched as a platform for visitors to report their health conditions. It was intended to assist the private sector and local government units (LGUs) to track the virus. By using the platform, users were also requested to record their medical status; this information would later be classified according to whether they are in good health, experiencing mild symptoms, or severe illness. The information submitted by users about their medical status is then used to create the “heatmap”, an interactive map that visually shows the density of COVID-19 cases. According to Multisys, when a severe case is reported, the administrator of the system would be notified of that case and would reach out to the particular individual. According to the company, LGUs and employers around the country, upon request, may have access to the backend system of the website for free of charge.
The platform was later developed into a mobile application. The app requests a user’s phone number, nickname, age, and gender; the company claims that this information is used for analytic purposes. The company further stated that the registration process is compliant with the 2012 Data Privacy Act. The request for a phone number is claimed to be necessary for enabling authorities to contact users. Staysafe.ph collects data via both GPS and Bluetooth in which the geolocation function is available as an opt-in and opt-out function. The app’s functions related to health reporting and creating the heatmap do not work when the geolocation is not enabled by users . The app’s algorithm is able to detect other devices with the installed app within a one to two-meter distance. This function also enables the app to notify users when there is a suspected or confirmed coronavirus case nearby. However, StaySafe is only to operate on newer models of devices, as it works only on 3G. As a result, the app’s contract tracing approach does not cover the entire population, as over 20 million Filipinos reportedly still use 2G devices.
StaySafe.ph’s QR code scanning was also launched, and functions similarly to Singapore’s SafeEntry and Thailand’s Thai Chana. According to Multisys, the app includes a QR code function in which private companies, organizations, and government agencies can register in order to generate a unique QR code for each location. These QR codes are placed in front of the entrance of buildings and shops, which visitors can scan before they are allowed to enter. The QR code function serves as a ‘digital logbook’ which is considered more convenient compared to manual health check forms. QR code scanning enables the identification of visitors or employees’ health status in relation to COVID-19 at different locations.
The Philippines convened the Inter-Agency Task Force on Emerging Infectious Disease (IATF-EID) to handle the COVID-19 pandemic. The IATF-EID is headed by the Department of Health (DOH) with multiple state agencies as members. The IATF-EID then created the National Task Force (NTF) COVID-19, which is comprised of three former military generals from President Rodrigo Duterte’s cabinet: Defense Secretary Delfin Lorenzana as the Head of the NTF, Interior Secretary Eduardo Año as Vice Chair, and Peace Process Secretary Carlito Galvez Jr as Chief Implementor. The NTF’s task is to implement the government’s National Action Plan (NAP) to tackle the pandemic. On April 8, 2020, the NTF and Multisys signed a Memorandum of Agreement (MOA) to launch an online emergency response system to curb the spread of the virus; the website StaySafe.ph was launched the following day. The MOA states that the NTF is to provide necessary information and operational support, while Multisys shall be responsible for the “development and technical management of the StaySafe.ph”.
On April 22, 2020, the IATF issued Resolution No.27 which states that IATF is to adopt StaySafe.ph as its official social distancing, heath condition reporting, and contact tracing system that will assist in the government’s response to COVID-19. Following the Resolution, the National Bureau of Investigation (NBI), an agency under the Department of Justice which investigates high-profile cases, announced on May 16 its adoption of StaySafe.ph. The announcement has raised concerns over surveillance as the NBI is considered an intelligence agency.
A plan was proposed to create a data warehouse overseen by the Department of Information and Communication Technology (DICT) in order to provide the government with “real-time” information and analytics so that it could respond to the crisis more effectively and quickly. This plan was included in the proposal to develop the Information Systems Task Group, which was initiated with the Undersecretary of DICT, Elisio Rio Jr. as a chairperson. The Information System Task Group would be responsible for evaluating digital solutions, including private sector proposals for contact tracing. However, Rio later resigned from his position, which led to the dismissal of the plan. Instead, the data collected from StaySafe.ph was to be handled by Multisys, the developer.
Following these events, the IATF-EID issued Resolution No. 45 on June 10, 2020. According to the Resolution, the IATF recognized the need to continue using StaySafe.ph and ordered a Memorandum of Agreement (MOA) to be made between Multisys and the DOH. Under this MOU, Multisys is required to donate the app to the DOH, which includes the source code, data, data ownership, and related intellectual property. Resolution No.45 further mandated that the version of the app donated by Multisys is required to have a Bluetooth that works with the already-available tracing technologies, such as Google and Apple. Furthermore, the app is required to serve as the frontend application system for the LGUs. Furthermore, the Resolution ordered the migration of the collected data from StaySafe.ph to be stored in the COVID-KAYA system.
The COVID-KAYA system was developed by the World Health Organization (WHO) in coordination with the DICT. It was launched in June as a platform to assist healthcare workers in submitting data from COVID-19 case reports to a data collection system. The donation of the app from Multisys to the DOH has been certified to be technically feasible and secure, as well as to ensure that its systems are compatible, and that its arrangements are compliant with the 2012 Data Privacy Law. Following the donation, StaySafe.ph became the official contact tracing app of the government, shortly after the press briefing was held on September 2, 2020.
The IATF announced the Safety Seal program on December 3, 2020, which requires both public and private venues to follow health protocols to put COVID-19 under control. One of protocol is for venues to scan QR codes generated by StaySafe app. Prior to the announcement, it is already a requirement for those who wish to enter government offices to use QR code scanning from StaySafe.ph according to the IATF’s Resolution No. 85
As of January 25, 2021, it was found that collected data from StaySafe.ph is still with Multisys. The company indicated that this was because the DICT is not ready to receive the data, as the department does not have funding to pay for the cloud services. Despite the situation, the government still promotes the use of StaySafe.ph for the public. The app is also required for all individuals who enter government offices.
B. Implications on Surveillance and the Right to Privacy
In this section, two main issues of StaySafe.ph are discussed in relation to concerns about surveillance and the right to privacy. StaySafe.ph is seen as being overly linked with national securities agencies and individuals, which has raised concern over how the collected data is used by the app. The app’s functions also do not support privacy, and there remains a lack of transparency regarding how the app actually works.
1. Suspiciously linked with national security agencies
Since the app’s launch, there has been criticism over its ability to be used for surveillance. StaySafe.ph was adopted by the ITAF as an official contact tracing app, the introduction of which was made by the former military general, Hermogenes Esperon Jr. There was also criticism raised about the role of Multisys in working with government agencies, such as National Intelligence Coordinating Agency (NICA) or National Security Council (NSC), due to its close ties to the government. Esperon is the National Security Advisor who heads the NSC. The MOA between Multisys and NTF was signed on April 8 without the signatures of the DICT; it featured only three government signatories, who were Esperon, NTF’s Delfin Lorenzana and Carlito Galvez Jr.
Concerns about surveillance were also expressed when the National Bureau of Investigation (NBI) announced that it would adopt StaySafe.ph. The NBI is a government agency under the Department of Justice which typically handles high-profile cases. The agency has been criticized for its handling of cases related to the misinformation on COVID-19; according to this criticism, the pandemic issue has been weaponized and used to threaten human rights and civil liberties. Concerns have been expressed about the rationale for an agency under the Department of Justice to adopt StaySafe.ph, and the amount of data that can be accessed by the NBI and other security agencies. These concerns persist despite the protections provided by the 2012 Data Privacy Act (DPA). The adoption of the 2020 Anti-Terror Act provides authorities with greater surveillance power, which has further raised concerns over StaySafe.ph’s potential to be used for surveillance.
In addition, there has yet to be a technical evaluation of the app by the DICT and the National Privacy Commission (NPC). In June, two months after StaySafe.ph was officially adopted by the government, the NPC commissioner reportedly admitted that its Data Security and Compliance Office had not yet completed its assessment of the app. The NPC also reportedly did not examine the contracts between Multisys and government agencies.
2. Technical vulnerabilities and lack of transparency
Even though Multisys has claimed that the app is not intended for surveillance, it has designed the app in such a way that does not reflect a concern for data protection. The geolocation, while optional, should not be included, because it enables location tracking. The data collected from the location tracking can be used to build a social graph of a person, and reveal information about the person’s whereabouts and their lifestyles. If not protected, this information could increase the vulnerability of members of groups, including LGBTQI+ and HIV positive people, due to their social stigmatization. The app also request permission from users to access their information; however, this request appears to be unnecessary for the purpose of the app.
As the app is not open-source, there is an absence of transparency regarding the app’s operations. Releasing the source code would enable independent technical experts to examine the app’s code to identify any technical vulnerabilities. This analysis includes the app’s architecture, functions, protocols, data management, and security design. Under an open-source license, having a complete source code would provide transparency about the app’s key features; this information should include how the encryption of the app’s data works, how the ID for contact tracing is generated, and whether the ID is fixed or temporary. Following Resolution No.45, the collected data from StaySafe.ph was ordered to be stored in the COVID-KAYA system; to increase transparency, it is also important that the source code of the COVID-KAYA system be released as well. At present, limited information from independent sources has been made publicly available about the manner in which StaySafe.ph and COVID-KAYA work.
C. Conclusion and Recommendations
StaySafe.ph is a private sector-turned-government initiative. Despite the claim that StaySafe.ph is compliant with the 2012 Data Privacy Act, there are many elements that undermine public trust in the app. Among these concerns are that the app is overly linked with national security agencies, its lack of transparency, its lack of a data retention period, and the controversial functions of the app. Compared to other countries in Southeast Asia, the Philippines has the Data Privacy Act in place; this legislation is considered an improvement when compared to the laws in other countries in the region, as Philippines’s legislation also covers government agencies. The country also has the National Privacy Commission (NPC), which is considered to be active. However, these laws and institutions do not necessarily mean that data collected from initiatives like StaySafe.ph would follow the aforementioned data protection and privacy regulations.
Among the chief concerns is that an app that protects privacy should not be overly linked to security agencies. Since taking office, President Rodrigo Duterte’s administration also has a record of serious human rights abuses, including the crackdown on political dissent. The state’s surveillance efforts have also been on the rise, as evident in the recent adoption of the 2020 Anti-Terror Act. In the case of the Philippines, there remains no guarantee that the app will not be used for surveillance purposes. However, the app’s operation must be made transparent in order to increase the general public’s trust. The lack of trust in the app has led people to avoid using the app due to these concerns. As a large number of people must adopt the app in order for it to work effectively, the lack of transparency and trust in the app has hindered the governments’ need to protect the public health of its citizens.
In response to COVID-19, the Philippines must protect the right to privacy and the personal data of its people in its digital contact tracing efforts. Therefore, it is recommended that the Philippines take the following actions:
- Release the white paper and the source code of StaySafe.ph. The white paper should contain all the necessary details of the system’s architecture, functions, protocols, data management and security design. The source code should be that of the deployed system; it should be complete, up-to-date, and buildable so that the system’s security and privacy treatment can be independently verified. The white paper and the source code must be regularly updated along with the app.
- Provide transparency of the COVID-KAYA system regarding its architecture, functions, protocols, data management, and security design by releasing the system’s white paper and source code under the open-source license. The white paper should contain all the necessary details of the system’s architecture, functions, protocols, data management and security design. The source code should be that of the deployed system; it should be complete, up-to-date, and buildable. The white paper and the source code must be regularly updated along with the app.
- Publish and make publicly available the assessment of StaySafe.ph done by the NPC’s Data Security and Compliance Office. The assessment should also include COVID-KAYA as well for transparency. If there are elements that are seen to be a threat to privacy and personal data, actions and measures should be made to eliminate the risks.
- Provide the clear retention period of StaySafe.ph instead of authorizing the data to be stored “as long as necessary”, in order to lessen the chance of a data breach and the collected data being misused.