The Pandemic of Surveillance

Digital Contact Tracing in Southeast Asia

Regional Overview
Among the ten members of the Association of Southeast Asian Nations (ASEAN), six countries have adopted a digital contact tracing approach as part of their efforts to respond to the COVID-19 pandemic. Singapore was the first country in the region to introduce a contact tracing app, called TraceTogether, which uses Bluetooth Low Energy (BLE) technology; this approach garnered the attention of other countries in and outside of Southeast Asia. Later, Singapore introduced a QR code check-in system called SafeEntry, which is a type of function that other countries in the region have also adopted. As the pandemic spread throughout the region, the digital contract tracing has become a preferred approach for countries to adopt in response to the pandemic.
This regional chapter provides an overview of digital contact tracing in Southeast Asia. It provides the trends, problems, and challenges found in the use of digital contact tracing in the region, with attention to how it may put human rights, particularly personal data and privacy, at risk. This analysis is drawn from observations at the regional level as well as from the findings from the six countries that have already adopted contact tracing apps and platforms.
DIGITAL CONTACT TRACING IN SOUTHEAST ASIA
Countries Apps/Platforms/Device Open Source Privacy Policy
Indonesia
PeduliLindungi
No
No
Malaysia
MySejahtera
No
Yes
MyTrace
No
No
Gerak Malaysia (Dismissed)
No
Yes
Philippines
StaySafe.ph
No
Yes
Singapore
TraceTogether Program (App and Token)
Partial (App) / No (Token)
Yes
SafeEntry
No
Yes
Thailand
Mor Chana
Yes *
No
Thai Chana
No
No
Vietnam
Bluezone
Yes
Yes **

* There is no open-source license found with the released code of Mor Chana.
** The Policy was issued months after the app became public.

Common Characteristics

Three common characteristics are found in the digital contract approaches across the six countries in Southeast Asia: their technical vulnerabilities, lack of transparency, and lack of policy enforcement on the use of digital contact tracing. All three characteristics reflect the potential for users’ personal data to be collected and used for other purposes that are not related to public health.
1. Technical vulnerabilities

Technical vulnerabilities refers to those vulnerabilities found in the operation of the apps that may harm users’ privacy and personal data. Many of the apps in the region have privacy issues due to their technical functions. In their contact tracing apps, Southeast Asian countries have tended to adopt a centralized approach in which collected data is stored in one place for authorities to access. This is in contrast to a decentralized approach in which the collected data is usually stored in the phone of a user. Data that is stored using the centralized approach is more vulnerable to being misused, exploited, or implicated in a data breach.

An additional technical issue is related to the backend server. Singapore’s TraceTogether stores and manages its collected data in Google’s Firebase service. Apart from the central government, Google is also able to track users through Firebase Analytics. It is not known whether other apps available in the region use the same approach as TraceTogether. However, the lack of available information suggests there is a possibility that other apps use the same type of service. A thorough technical analysis is needed to identify the types of servers used on other apps in Southeast Asia. A number of vulnerabilities have also been found with the use of IDs in contact tracing apps. Contact tracing apps like Singapore’s TraceTogether use a temporary ID to operate, which changes over a period of time. Compared to a fixed ID, a temporary ID is preferable for the purpose of protecting users’ privacy; however, it is not enough to ensure the privacy of its users. Singapore’s TraceTogether uses reversible encryption which allows a user’s identity to be disclosed.

Apps in the region, including Thailand’s Mor Chana, Indonesia’s PeduliLindungi, and Philippines’s StaySafe.ph, also use location tracking. Location tracking is type of technical vulnerability, as the app’s users can be tracked and their information can be used to build a proximity graph or social graph of a person; this information can indicate where the person has been or who they have been in close contact with. This technical vulnerability may create increased risks for some groups, such as those who are LGBTQI+ or HIV positive, whose information may be exposed, making them more vulnerable due to the social stigma and discrimination they face.

2. Lack of transparency

In all countries in Southeast Asia, the lack of transparency was found to be a major issue in their digital contact tracing efforts. Malaysia, Indonesia, and the Philippines have chosen not to make their contact tracing apps and platforms open-source; as a result, the processes around the use of these apps and platforms have lacked transparency. More specifically, the apps’ architecture, functions, protocols, data management, and security design are not known and cannot be easily examined by independent tech experts to identify existing and potential technical vulnerabilities. While Indonesia and the Philippines have only one contact tracing app, Malaysia has two apps, MySehjatera and MyTrace. MySehjatera is an app that allows users to input a self-assessment of their health status; the app also includes an extension called MySehjatera Check-in which works similarly to Singapore’s SafeEntry. There is little information about these apps and their treatment of privacy and personal data.

Singapore’s TraceTogether, Vietnam’s Bluezone, and Thailand’s Mor Chana have released the source code or ‘reference implementation’ of their apps. However, in Singapore and Thailand, little information is available about the other apps and platforms that are used in these countries regarding the treatment on privacy. Aside from government sources, information on Singapore’s SafeEntry and TraceTogether Token remain limited. Thailand’s Thai Chana has a QR code platform and app that shares the same logic as Singapore’s TraceTogether, yet little information is also available about the app. Vietnam has the app, Bluezone, whose source code has been released along with its whitepaper. However, there is doubt whether the released source code and the whitepaper are reliable in light of a discovery that was made regarding an unreleased code that records the contact history of users without their permission. The issue of transparency issue has also been raised about Bluezone’s use of a fixed ID in its contact tracing. Compared to the use of temporary IDs in TraceTogether, the use of fixed ID is relatively easy to disclose the real identity of users. The app was later changed to a temporary ID, but it has not been transparent on how this change has enabled the app to operate more securely.

Compared to other countries in the region, the Philippines reflects a different situation. The country’s app, StaySafe.ph, has a transparency issue due to its suspicious links to intelligence and national security agencies. The source code of neither StaySafe.ph nor the COVID-KAYA system, where the collected data from StaySafe.ph is stored, has been released. In this case, little is known about how both StaySafe.ph and COVID-KAYA really work aside from the government’s claims. The app was developed by Multisys, a company that has a close tie to the government and is allegedly working with national intelligence agencies in the development of its technology. The adoption of StaySafe.ph also facilitated with a suspicious push from those in the national security and intelligence agencies.

TraceTogether, which was the first contact tracing app that was introduced in the region, was also the first to have its ‘reference implementation’, a software behind the app, released. However, the logic behind this practice is considered different from the traditional practice of open-source software. TraceTogether received a lot of attention when it was first introduced, with other countries including Australia and the Philippines expressing their desire to build their own app with the same technology. Australia has built its own contact tracing app, called COVIDSafe, based on the software of TraceTogether, while the Philippines has chosen to use its own model of contact tracing developed by a local software engineer company called Multisys. This decision has resulted in the country’s adoption of StaySafe.ph as its national contact tracing app. Making the code of TradeTogether open-source (the name of which is called “OpenTrace”) was likely a decision by the Government Technology Agency (GovTech) of Singapore to assist other countries who wish to follow Singapore’s lead in building their own contact tracing apps in their countries. An open-source software enables others to examine the ‘actual code’ of the app, which can be used to identify any technical vulnerabilities and therefore improve upon the app. The source code is also useful for those who would like to build an app, but may not want to start from scratch. However, having an open source code may assist others to identify the vulnerabilities of the app to a certain extent, but it is still not an actual code. The practice of having an open-source code has spread among other countries after the practice was adopted by Singapore. However, little is known whether the comments from independent individuals about Singapore’s app have been considered by the developers of other apps.

Nevertheless, having an open-source app may have a limited impact on transparency, privacy, and security. Comments from independent experts on the open-source software might not be considered at all if the project is under the authority of the government. The development of the app may be directed by the government’s own objectives, which may result in less flexibility when designing the app. In this sense, the contact tracing app may develop primarily according to the government’s own policies and objectives regarding the COVID-19 pandemic. 

In addition, none of the digital contact tracing apps or platforms adopted in Southeast Asia have conducted a Human Rights Impact Assessment (HRIA) and Privacy Impact Assessment (PIA) before they were released to the public. The apps and platforms were developed in a rush, given its immediate purpose to control the pandemic; however, in this haste, efforts to ensure personal data protection became noticeably absent. Unfortunately, the promise that “we will open-source” the source code of the apps, as often stated by the governments, has become a tactic to guarantee that transparency exists, even though when it does not. 

3. Lack of policy enforcement

Among the six countries that have adopted digital contact tracing approaches for the purpose of controlling the COVID-19 pandemic, three —Singapore, Malaysia, and the Philippines— have a law on personal data and privacy in place. However, these laws do not ensure that the apps are mandated to uphold data and privacy protection. Singapore and Malaysia have a personal data regulation that does not cover government agencies. In Singapore, the Personal Data Protection Act (PDPA) states that government agencies are not covered by the law due to the “fundamental differences” in terms of how they operate. Government agencies are covered under the Public Sector Governance Act (PSGA), yet questions remain about whether the law is able to hold the government agencies accountable. Malaysia also has Personal Data Protection Act (PDPA), but the law excludes both federal and state governments from it.

Thailand adopted the Personal Data Protection Act (PDPA) in May 2019, which was initially planned to take effect in May 2020. However, when the time arrived, the period for the law to come into effect was postponed. A further announcement was made for the act to exclude 22 types of business, includes state agencies; this announcement made the Thai PDPA inapplicable to the digital contact tracing efforts done by the government. The Philippines has the 2012 Data Privacy Act, and also established the National Privacy Commission (NPC). However, the country demonstrates that while it has mechanisms in place that cover the state agency, these cannot ensure data protection of its technology. The StaySafe.ph app was deemed to be suspicious due to the involvement of the intelligence and security agencies in its development and adoption. Many transparency issues have been raised about the app, as the NPC admitted that it was not done assessing the app when the app was rolled out to public. The NPC also reportedly did not look at the contracts between Multisys, who is a developer of the StaySafe.ph, and government agencies regarding the adoption of the app.

Indonesia and Vietnam are two countries that do not have laws on personal data protection. However, the absence of such laws in these two countries might not differentiate them situation from other countries with laws on personal data protection, but which exclude public agencies. Indonesia has even issued decrees that allow surveillance to occur with the use of digital contract tracing; there have been concerns whether these decrees are constitutional given that the 1945 Constitution has a provision related to the right to privacy.

The absence of a robust personal data protection law that is equivalent to international best practices has resulted in a large gap for personal data protection. There is lack of confidence over how the apps treat the personal data they collect, as there is no law and mechanism to regulate how personal data should be treated following the adoption of digital contact tracing efforts. Issuing a specific law as well as establishing a committee for digital contact tracing efforts in the country would be a positive approach. A law is needed to specifically address issues, such as the type of data to be collected, which should be as minimal as much as possible, as well as how long its retention period should be and how the data must be processed to protect personal data. The law should also be able to hold the government or developer accountable if the data is misused. A committee should also be established with the power to assess the products launched for digital contact tracing efforts. The results from its assessment should be made publicly since it involves the mass data of the population. In Thailand, a data governance committee has been set up to oversee the Thai Chana platform for the purpose of personal data protection; however, little is known about the work of the committee. It is also likely that the committee has the authority only to issue a recommendation, as there is no legal regulation in place to guide the work of the committee with respect to data protection.

Tracking People En Masse with More Approaches Introduced

The digital contact tracing approaches adopted in the region have raised concerns over the right to privacy, with a number of people opting to avoid using them in fear of being tracked. The repressive political environment among countries in Southeast Asia have also made it difficult for people to place their trust in the government’s efforts for the purpose of contact tracing. The low adoption rate of contact tracing apps among the population makes digital contact tracing much less effective. However, it is also difficult to make the app mandatory because it is not compatible with all models of mobile and tablet devices.

The introduction of the QR code was seen as a remedy to the low adoption of digital contact tracing apps. This approach requires people to use their devices to scan the QR code provided at the entrance of the buildings and places before they are allowed to enter. As a result, the use of the QR code appears to have a significantly larger number of users compared to the app when it was originally introduced. This increase was observed in Singapore and Thailand; the statistics of users in both countries indicates that the QR code apps/platforms were able to gather more data of users compared to TraceTogether and Mor Chana apps that were introduced before the QR code. The Philippines, Malaysia, and Indonesia have also used, or are planning to use, the QR code.

Singapore has also continued forward by developing the TraceTogether Token, a contact tracing wearable device that works using BLE; this device is designed for those who do not have mobile phones or tablets that are compatible with the TraceTogether app. However, the implementation of the tokens is considered to be difficult for other countries to follow, due to many factors including the population, geographical advantage, economic situation, and technical readiness.

Failed ASEAN

At the regional level, the personal data and privacy protection is wholly missing in the region’s digital contact tracing efforts in response to COVID-19. The Association of Southeast Asia Nations (ASEAN) has not taken a unified approach among the ASEAN members states (AMS) towards their digital contact tracing efforts to ensure the protection of personal data and privacy. A regional regulation on personal data protection, as well as other regional mechanisms that are equivalent to the international best practices, including those under the European Union’s General Data Protection Act (GDPR), would ensure the safety of personal data protection. However, these steps are unlikely to occur in the near future given the current repressive political environment and the overall lack of awareness on data protection. 

ASEAN is significantly lagging behind in ensuring data protection following the adoption of contact tracing apps in the region compared to the European Union. The EU has issued a guideline regarding the use of contact tracing apps to ensure full data protection standards of the apps tackling the COVID-19 pandemic. The EU also set up an EU toolbox for the use of mobile apps for contact tracing and warning apps; this followed the Recommendations which set out the steps and measures to develop a common EU approach for the use of mobile apps and data in response to the pandemic. The EU has also issued the interoperability guidelines for approved contact tracing apps in which interoperability refers to the ability of these approved apps to exchange minimum information when necessary. An interoperability gateway service linking national apps across the EU was set up following the agreement on a set of technical specifications to ensure a safe exchange of information between national contact tracing apps based on a decentralized architecture.

Effectiveness vs. Privacy-First

Since the launch of contact tracing apps in six countries in Southeast Asia, there has been limited publicly available information on how effective these apps are in terms of detecting clusters of individuals during digital contact tracing efforts. The low adoption rate has made digital contact tracing apps ineffective. In response, tactics have been employed, including launching more products to complement the existing products, partnering with business sectors for their users to adopt the approach, and launching an aggressive nationwide campaign to boost the adoption rate. However, one aspect has been overlooked, which is to make the apps more transparent and examinable in order to prove that the efforts are concerned about privacy. Transparency is one factor that can boost confidence among people. However, contact tracing efforts in Southeast Asia have so far raised a number of concerns over privacy. Without laws and other mechanism to ensure data protection and privacy in place, these efforts face a challenge in gaining the trust of people.

The question of whether there is a single app that can be used as a model for a privacy-first contact tracing app is still difficult to answer. It is also challenging to detail what an effective privacy-first contact tracing approach should look like. The decentralized approach, in which data is stored in the phone of a user, is considered to be better in terms of privacy compared to the centralized approach, in which data is stored in one place for government agencies to access. However, the decentralized approach does not mean that the collected data is anonymous. An example of this limitation is the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol, an open protocol to facilitate a contact tracing app; according to the Data Protection Impact Assessment Report, the re-identification attacks are still possible in the decentralized approach. 

Conclusion

Unfortunately, there is no single app in the region that is recommended to be adopted at the time of writing. At the national level, the digital contact tracing approaches have been adopted at a very rapid pace given the immediate need to control the COVID-19 pandemic; as a result of this haste, privacy and personal data protection were not seriously considered. The apps and platforms were rolled out without any assessment conducted on how they would affect human rights and personal data. A number of these apps have technical vulnerabilities in its design, which do not protect privacy. Furthermore, all the apps reveal issues with transparency. These issues are compounded by the absence of a robust data protection regulation and mechanism that are consistent with international best practices to regulate and guide how personal data is to be treated during the use of digital contact tracing. The regional actors within ASEAN are also completely absent in these efforts, as there has not been a single action or response in terms of how digital contact tracing in the region can put human rights and personal data at risk.

Given the widespread promotion of digital contact tracing efforts in nations in ASEAN, the adoption of digital contact tracing in Southeast Asia is based on the perception that public health is more important than personal data and privacy protection. It brings forth the perception that health surveillance is acceptable for the purpose of controlling COVID-19, and that citizens should collaborate by adopting contact tracing apps. The perception that it is permissible for citizens to give up their privacy on this matter, however, is a troublesome one, and considered as a threat to human rights. As people have the right to privacy, they have the right to know how their personal data is treated and how their privacy is ensured. The promise of the governments that the contact tracing apps or platforms are safe is not sufficient, especially as their words often cannot be proven and verified by the public.