Key Findings
A. The Development of Digital Contact Tracing in Thailand
In April 2020, Thailand introduced Mor Chana, a contact tracing application that uses Bluetooth Low Energy (BLE), to the public. The app is a collaboration between state organizations and private developers, and was rolled out to the public after a two-week period of development. It was developed by the Code for Public and Chuay Kan Group. Users of Mor Chana are asked to share their records only when they are contacted by the authorities as part of contact tracing investigations. It has been reported that the data collected from the app would be analyzed using artificial intelligence (AI) systems to assist with the continuing epidemiological research conducted by Thailand’s Department of Disease Control (DCC).
While authorities claim they are concerned about the privacy of the app, the app uses the Global Positioning System (GPS) and Bluetooth technology to track the locations of users. When it was first rolled out, the app requested a mobile phone number along with a profile photo of the user. However, it stated that the picture would not be uploaded to the server. The user is required to answer a number of questions in order for the app to assess the user’s risk level. Each user is assigned one of four risk levels: green (lowest risk), yellow (low risk), orange (risky), and red (high risk). Mor Chana stated that it will keep the data for 30 days before the data is deleted. It has also stated that the data will be deleted within 30 days after the pandemic ends.
Around a month after the release of Thai Chana, the government introduced a new approach for contact tracing. Thai Chana is a check-in and check-out system that uses a QR code. It was developed by the IT team of the state-owned Krung Thai Bank, and was adopted by the Center for COVID-19 Situation Administration (CCSA) as a national platform to fight against COVID-19. Business owners are required to register with Thai Chana before a QR code is generated for them, while users need to scan the QR code of the locations they are visiting before entry. This method of contact tracing gathers information on how many people are located in a certain place at any given time. The data collected from Thai Chana is reportedly to be kept by the app for 60 days.
Thai Chana was later developed into an app with additional functions. According to the app’s terms and conditions, users of the app permit the Ministry of Health and its related agencies to collect, use, and disclose the phone number of users. Compared to its first version, the revised app can now verify the identity of a user. Through the app, users can also check the information about the locations where they have registered with Thai Chana, including how many people are currently at the location, and the maximum capacity that the location is able to accommodate. After users check out of the location, they also have the option to evaluate the safety precautions they observe at the location, including whether the staff are wearing masks, alcohol gel is provided, social distance is practiced, as well as how often cleaning services are performed at the location.
On May 22, 2020, the government appointed a data governance committee to ensure the data privacy protection of Thai Chana. The committee is comprised of nine members with the responsibilities to provide consultation on data management to the organizations that use Thai Chana, and to oversee and follow up on how Thai Chana handles its data. On June 4, 2020, it was reported that a team of Thai Chana developers held a meeting with the committee for the first time. During this meeting, the team provided information to the committee on how the app works, which the committee is to evaluate in order to provide its recommendations on how to protect personal data and privacy. It was later discovered that the same committee is responsible for assessing privacy in Mor Chana. Only one report regarding the meeting between the committee and the developer team is available. There is no further record of the committee’s work on the privacy of the app.
The two apps, Thai Chana and Mor Chana, are designed to complement each other. However, Mor Chana does not have a high adoption rate as it is not mandatory. In comparison, Thai Chana was able to gather the data of more than 2 million people within the first two days of its launch; this rate was due to the fact that people would not be allowed to enter many locations if they did not scan the QR code. One month after its launch, Thai Chana had more than 24 million users, 355,000 of whom are app users. Across the country, there have been more than 110 million check-ins; the number of check-outs was estimated to be 60% of the number of check-ins when the webpage platform was used, while the number was approximately 90% when the app was used.
Thai Chana started to permanently erase the first set of its data on July 18, 2020, which was 61 days after Thai Chana was launched. After 2 months, the users of Thai Chana rose to 37 million, while 274,887 businesses had registered with the platform. The app had been downloaded over 700,000 times. 96.3% of the check-ins were done through a website platform, and only 3.7% were done through the app.
In September, as Thailand aimed to allow visitors to enter the country again, concerns were raised about the possibility of a second wave of COVID-19 in the country. The Minister of Digital Economy and Society (DE) stated a plan to develop Mor Chana to monitor those who enter the country. According to the Minister, the retention period of personal data collected by Thai Chana has also been extended from 60 days to 90 days before the data is to be deleted. Since its launch, Thai Chana has had 44 million users and 280,000 businesses have registered with Thai Chana as of September 14, 2020.
The new version of the Mor Chana app was released on January 4, 2021. The second wave of the pandemic in Thailand that started in December 2020 resulted in the government’s push for the use of the app. In this new version, the government claims the app asks for access to personal information in four areas: camera, location, photo gallery, and data storage. According to the government, the app no longer requests access to the history of microphone use and the Wi-Fi connection.
The government claims that the app needs access to the camera in order to verify the user via a photo. The location is used in order to track the location history of a user. The photo gallery is for the app to save the users’ photos in the phone’s photo gallery. When the phone does not have an Internet connection, the app will collect the user’s whereabouts through the phone before sending the information to the central server. The app still does not have its own privacy policy, and the links to the privacy policies on Google Play and Apple’s App Store land on a page about the general privacy policy on the website of the Digital Government Development Agency (DGA). However, Mor Chana has its own privacy policy which can be accessed from the DGA website. According to the privacy policy, the app stores data for 30 days.
On January 7, 2021, the Center for COVID-19 Situation Administration (CCSA) announced that individuals found to be infected would be guilty under the Emergency Law for not downloading Mor Chana. The situation caused a public backlash. The announcement was later changed, and the government confirmed later that those who do not download the app will not be found guilty. The number of downloads significantly increased subsequently. The Royal Gazette, however, publicly announced on January 9, 2021 that Mor Chana and Thai Chana must be downloaded in accordance with the Emergency Law to curb the spread of COVID-19.
The developer of Mor Chana, Code for Public, later announced their withdrawal from the app on January 15, 2021. The situation has resulted in the government having full control of the app. The team announced that the source code of Mor Chana will be divided into 2 repositories. One will be under the government, and another will be under the Code for Public. This latter repository will be under the name of SQUID. SQUID will be the original source code of the Mor Chana app, while the code given to the government will be a “forked version” of the original code. Despite all the hearsay about the team’s conflict with the government, the reason for the withdrawal given by both the developer and the government was that the widespread use of the app exceeded the developer’s capabilities.
The DGA is fully in charge of the Mor Chana app following the withdrawal. Based on publicly available information, the government plans to change the storage location for information collected from the app to the government’s own Government Data Center and Cloud Service (GDCC). The GDCC was approved by the parliament in May 2018 and the project intends to store data from government agencies using cloud computing. As of January 24, Mor Chana had over 8 million downloads with over 6 million users. 5,927 alerts were sent out to individuals from the app. However, there is still no clear assessment of the app’s effectiveness in terms of contact tracing.
B. Implications on Surveillance and the Right to Privacy
This section discusses the implications on surveillance and privacy from the adoption of the Mor Chana and Thai Chana apps. It elaborates on the technical functions that can put privacy at risk, the various gaps in privacy, and the lack of policy enforcement in Thailand to ensure the safety of personal data.
1. Technical functions do not support privacy
Although the app does not ask for users’ ID numbers or names, it is possible that the identity of users of Mor Chana may be disclosed. The app’s use of the Global Positioning System (GPS) raises concerns over privacy, since a privacy-first contact tracing app would not include this function. An analysis of the released code of Mor Chana (which is available on GitHub) found that the app essentially tracks the locations of users at all times. The Mor Chana team does not use the Exposure Notification API of Apple and Google, which supports decentralized digital contact tracing and prevents location tracking. One of the reasons the team refuses to use the technology from Apple and Google is that they think location tracking is necessary.
The ID used in the BLE is anonymous. Mor Chana registers the device during the launch of the app and retrieves the ID from the server during the time of registration. However, it is unclear whether the ID is fixed or changes from time to time, in a manner similar to Singapore’s TraceTogether app. Due to this function in Mor Chana, the ID can be changed during the app’s launch; however, this does not sufficiently protect the privacy of users, since other functions of the app are privacy invasive.
Another important issue of concern is that all contacts identified by each Bluetooth scan are immediately uploaded to the server and never stored on the phone. The location is also uploaded along with the contact information. When a user of Mor Chana scans a QR code from Thai Chana directly, the user’s location from the scan is also uploaded to Mor Chana. The app also includes push notifications, such that every time a push notification is received, the user’s location is again uploaded to the server. Apart from the BLE scans, QR code scans, and push notifications, Mor Chana sends the locations of its users every few minutes to the government’s server(s), depending on whether they have moved or not. As users move around, their location is continuously updated. However, their location is not updated if users stay within a certain range of their previous uploaded location; this exception allows the app to conserve the phone’s battery. The data gathered through these functions can be used to build a social or proximity graph of a person, about whom further information can be divulged. Visits to certain locations, such as gay bars or some specialized clinics, may be revealed, and as a result users may face social stigmatization.
Even though Mor Chana has been updated to the new version, many of the functions that do not support privacy still remain. The app uses an anonymized ID, but there is no public information on how the ID is generated. Use of an anonymized ID does not always mean that the real identity is safe. Singapore’s TraceTogether also uses an anonymized ID. However, since the ID is generated from the state’s server, the state can pair the anonymized ID with the real ID number and mobile phone numbers that the app collects.
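The linkability concern described in the two paragraphs above can be made concrete with a small model. This is an added illustration, not code from Mor Chana, TraceTogether, or the Exposure Notification API; the class and function names are hypothetical, the users and coordinates are constructed, and the rotating ID is a generic HMAC derivation chosen for the sketch. It assumes the server keeps the mapping between the ID it issues and the phone number given at registration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


class CentralServer:
    """Model of a server that issues IDs and receives every scan (hypothetical)."""

    def __init__(self):
        self.registry = {}   # server-issued ID -> phone number given at sign-up
        self.uploads = []    # (reporter_id, seen_id, lat, lon, timestamp)

    def register(self, phone):
        anon_id = secrets.token_hex(8)   # "anonymous", yet issued and stored here
        self.registry[anon_id] = phone
        return anon_id

    def upload_contact(self, reporter_id, seen_id, lat, lon, ts):
        # As the report describes: each BLE scan result is uploaded at once,
        # together with the location of the reporting phone.
        self.uploads.append((reporter_id, seen_id, lat, lon, ts))

    def proximity_graph(self):
        """Who met whom, resolved to phone numbers by joining with the registry."""
        graph = defaultdict(set)
        for reporter, seen, *_ in self.uploads:
            a, b = self.registry.get(reporter), self.registry.get(seen)
            if a and b:
                graph[a].add(b)
                graph[b].add(a)
        return dict(graph)

    def location_trail(self, phone):
        """Time-ordered positions the server holds for one phone number."""
        return sorted((ts, lat, lon) for rep, _, lat, lon, ts in self.uploads
                      if self.registry.get(rep) == phone)


def rotating_id(device_key, interval):
    """Ephemeral ID derived on the device; the key never leaves the phone."""
    msg = interval.to_bytes(8, "big")
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:16]


def resolvable(observed_ids, registry):
    """Count how many broadcast IDs the server can map back to a person."""
    return sum(1 for i in observed_ids if i in registry)


def demo():
    server = CentralServer()
    # Constructed sample users and coordinates, not real data.
    alice = server.register("phone-0001")
    bob = server.register("phone-0002")
    server.upload_contact(alice, bob, 13.7563, 100.5018, 1000)
    server.upload_contact(alice, bob, 13.7570, 100.5030, 1300)
    central = server.proximity_graph()

    # Same encounter with on-device rotating IDs: nothing is uploaded, and the
    # IDs heard over BLE do not appear in any server-side table.
    key = secrets.token_bytes(32)
    heard = [rotating_id(key, n) for n in (0, 1, 2)]
    return (central, server.location_trail("phone-0001"),
            heard, resolvable(heard, server.registry))
```

In the first design the join needs no extra data: the registry and the upload log together yield both the contact graph and a per-person location trail, which is why the pseudonymous ID alone gives no protection.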
Mor Chana: The screenshot shows the example app registering code to handle events such as when a nearby device is detected over Bluetooth Low Energy (BLE).
Mor Chana: This screenshot shows the code that is executed when the BLE advertisement message is received and when the contact user ID is received.
2. Lack of transparency
When the code was first released, the code of Mor Chana that is available on GitHub did not reveal much information on how the app actually works; the only information provided tended to be extremely basic about the User Interface (UI) or extremely crude about the contact exchange system. However, this released code should not be considered as the source code, and the app should not be considered as an open-source app. The released code is also not found to have an open-source license. While the code was later updated, the code for Thai Chana has not been revealed. Moreover, Thai Chana’s privacy policy is not yet publicly available. Even though the government announced that deletion of data collected from Thai Chana has already started, it is difficult to independently verify this claim. Regarding Mor Chana, the privacy policy is available on the website of the DGA but no direct link to it is provided in Apple’s App Store and Google Play, where the app is available for download.
All the information that has been provided so far in response to privacy concerns has come solely from government sources; there has been an absence of verified independent sources to guarantee the privacy and security of both systems. A human rights impact assessment (HRIA) and privacy impact assessment (PIA) were also not conducted before Mor Chana and Thai Chana were rolled out. An HRIA and PIA would allow those in charge of the app and the systems to identify and understand the risks of Mor Chana and Thai Chana with regards to the privacy and security of personal data. The developers of Thai Chana held a meeting with the data governance committee that was specifically set up for Thai Chana. However, it is not clear whether the committee would make the evaluation of Thai Chana and its recommendations publicly available.
There is also an absence of information on the security and encryption of the data collected from Mor Chana that is stored in Amazon Web Services (AWS). A well-designed encryption system would help to protect personal data from cyberattacks as well as from surveillance by those in charge of the systems, state authorities, developers, and other third parties. If the data of Mor Chana is later moved to GDCC for storage, the security of the stored data and its encryption must be assessed as well.
All these aforementioned issues have raised concerns about whether the apps can be trusted and how privacy is treated by the Thai Chana and Mor Chana systems. The Mor Chana app was rolled out to the public hastily after only two weeks of development in the efforts to combat COVID-19. This fast period of development suggests that these efforts to respond to the pandemic through technology have also resulted in an oversight of the key issues regarding the right to privacy.
A transparent contact tracing app would provide greater confidence for people when using the app. An improvement in transparency may also increase the number of users who the government is targeting in order to maximize the effectiveness of the digital contact tracing app. However, Thailand’s efforts to respond to the pandemic clearly lack this element of transparency, as people still question the risks to their privacy from using both Thai Chana and Mor Chana.
3. Lack of policy enforcement
When Mor Chana was first rolled out in April 2020, the Minister of Digital Economy and Society claimed that an independent committee would be established to oversee the treatment of the app’s collected data. He also stated that the data collected by the app would be treated according to the Personal Data Protection Act, which had been passed in May 2019.
At that time of the Minister’s statement, the Personal Data Protection Act (PDPA) was set to come into effect in May 2020. However, when the date arrived, the government decided to postpone the enforcement of the law to 2021 instead. The reason provided for the postponement was that stakeholders were not yet prepared for this legislative change due to the COVID-19 pandemic. The government also issued the Royal Decree that excludes government entities and 22 types of businesses from the PDPA.
The committee for Thai Chana has been appointed. However, without a policy to enforce the treatment of personal data and the protection of privacy, concern has been raised about the effectiveness and authority of the committee to ensure that the app’s collected data is protected. Due to the current circumstances surrounding the PDPA, the data that is collected from Thai Chana and Mor Chana app remain vulnerable to privacy risks.
The data collected from Mor Chana will be stored in Amazon Web Services (AWS), which has raised further concern due to the 2018 Clarifying Lawful Overseas Use of Data Act (CLOUD Act). The law allows U.S. law enforcement authorities to access data stored by U.S. registered companies regardless of where the data is collected. Given that Thailand does not have robust legal protection on personal data, this U.S. law has raised concerns on how the collected data is kept safe from misuse, particularly when the data goes offshore.
The narrative can be changed given plans to store data collected from Mor Chana in the GDCC. However, changes to the narrative may not be positive since the government is exempted from the PDPA even as it is fully in charge of Mor Chana.
C. Conclusion and Recommendations
Thailand’s latest efforts to respond to COVID-19 through contact tracing apps have overlooked people’s right to privacy in many aspects. The use of GPS to track the locations of users is not recommended for the app due to the concern over the right to privacy, especially as the monitoring of people’s locations may reveal information about their private lives. The request for a profile photo in the Mor Chana app is also not necessary for contact tracing purposes.
The code of the Mor Chana app has been released, but it cannot be sufficiently examined to identify how the app actually works. Therefore, it cannot be claimed that Mor Chana is an open-source app. The app has yet to be examined on how it securely stores its data, and specifically how its encryption works when the data is stored in AWS. Furthermore, not much technical information is known about the Thai Chana app regarding how the data is treated. Both Mor Chana and Thai Chana also did not undergo an HRIA and PIA that are publicly available before the apps were rolled out; due to the absence of these assessments, there remains a lack of information on how human rights and privacy are treated when a person decides to use the apps.
In addition, there is currently no enforcement of privacy and personal data protection law in Thailand. Even if the PDPA is in place, it is still not sufficiently robust when compared to existing best practices, such as those provided under the General Data Protection Regulation (GDPR). The exclusion of 22 types of businesses and organizations in the PDPA, including government entities, reflects the law’s weaknesses. Concerns have also been raised about situations when the data goes offshore; as the collected data from Mor Chana is stored in AWS, U.S. law enforcement agencies are able to access the information under the 2018 CLOUD Act.
In light of these findings, the following recommendations are proposed for the government to make Mor Chana and Thai Chana more transparent and to protect privacy and personal data:
- Review the source code of Mor Chana and explore possibilities to prioritize the privacy of the app while maintaining its function for contact tracing.
- Issue a specific regulation for both Thai Chana and Mor Chana in order to ensure personal data and privacy protection. The specific regulation must stipulate the type of personal data that is allowed to be collected; the data collected should be as minimal as possible. The regulation should also detail how the personal data will be secured, and how long the data is to be retained. The consent of users should be considered at all necessary steps.
- Have clear privacy policies for both Mor Chana and Thai Chana. All the elements about how the data is collected, processed, and stored must be transparent. This should be in line with the international standards and best practices for privacy protection.
- Conduct a Human Rights Impact Assessment (HRIA) and Privacy Impact Assessment (PIA) for both Mor Chana and Thai Chana, as well as for other apps and platforms that may be implemented in the future for digital contact tracing purposes. The results should be made publicly accessible.
- Beyond providing recommendations, the data governance committee should have the authority to ensure that the apps treat personal data and privacy with standards equivalent to international best practices. This authority is necessary as Thailand does not yet have robust legislation on personal data and privacy protection. The committee’s processes and proceedings should be transparent and always made publicly available, including its evaluation of the apps and recommendations.