Checking Myths and Facts: COVID-19 Contact Tracing Apps

As tracing apps have become a hype in many countries, governments have been urging people to use them. However, due to privacy concerns, the rate of adoption is still low. As a result, there are some narratives being used to encourage people to download such apps; some of these narratives can be misleading. As we are monitoring the development and use of tracing apps, we would like to clear up some of the common myths from a human rights perspective.

Myth#1: You should give up your personal data for the public good.

Your personal data is yours, and you have the right to protect it. People should not succumb to social pressure to download tracing apps without knowing in advance how their personal data will be protected. Informed consent should be given by the users before they proceed to use the app; they should know where their data will be stored, how it will be processed, who will have access to it and for how long their personal data will be kept.  

Marginalized communities such as refugees, ethnic minorities, LGBTQI+, or stateless people can be the most vulnerable groups to personal data breaches, especially if they are already discriminated by the state. This is the reason why there has to be robust regulation and enforcement of data protection laws.

Myth #2: If people can give their personal data to Big Tech like Facebook and Google, they should be able to give it to tracing apps, too.

We need robust personal data regulation and enforcement mechanisms in the region to hold non-state actors, especially Big Tech companies like Facebook, Google, and Twitter, accountable for any data misuse or privacy breaches. Weak regulatory environments make it easier for multinational companies to treat data as per their own judgement. For example, Twitter has disabled the feature that allows users to choose whether or not they want to share their personal data with advertisers. However, this function is still available for European users who are protected under the General Data Protection Regulations (GDPR). In Southeast Asia, governments have not questioned Big Tech companies or held them accountable for their actions and human rights responsibilities. This is because most of the existing regulations do not meet the international standards themselves.

Furthermore, while the products of these companies are widely used, there is limited digital literacy amongst users. If people were well informed about how their data were being used, and if they knew how to opt-in and opt-out of privacy disclosures, they might very well choose to opt-out and keep their information private. People have the right to be concerned about their privacy and security of their personal data.

In addition, some tracing apps might use third-party services to store their data. For example, the collected data of TraceTogether users are stored in a server run by Google, while Thailand’s Mor Chana stores users’ information using the Amazon Web Service (AWS). Such third-party companies may be under the legal jurisdiction of another country where the laws may require disclosure of data. When there is no regulation and enforcement mechanism to protect their personal information, the public has the right to decline using such apps.

Myth #3: Tracing apps are a data-driven initiative in which data is used to improve society.

Open data is data that is available for all to access, modify, reuse, and share. Many initiatives to solve common problems have benefited from the access to open data. Over the years, organizations and companies such as the World Bank, the World Health Organization (WHO), Amazon (through Registry of Open Data on AWS (RODA)), the European Union (through the European Union Open Data Portal) and Google (through Google Public Data Explorer), have made their data open-source  so that researchers and policymakers can analyze and use already available information for various purposes such as resilient city planning, ensuring transparency and accountability, and developing healthcare services.

Open data should not be confused with personal identifiable information (PII) because the concepts are totally different. Open data does not reveal personal information about individuals, but PII does; an individual’s identity, address and location can be revealed from PII.  Data collected from contact tracing apps can be identified as PII if the security and privacy of the app are overlooked. Tracing apps that track users’ geolocation can reveal sensitive information about where a person lives or has visited (such as a gay bar, a specialized clinic, or a strip club).

There are also questions about the efficiency of tracing apps. Some apps rely on Bluetooth technology which does not work well in an obscured environment. Older Android and iOS phone might not be able to support the tracing apps at all or may offer only limited functionality. Apps that use the centralized approach of data collection will not work well on iOS devices. These concerns raise the question of whether tracing apps will work efficiently on all devices.

 Myth #4: Open-sourced tracing apps will ensure security.

Open-source apps refer to those apps where the code behind their operation is openly available to the public. People can freely review the code in order to improve the security and functionality of the app. Being open-source is currently a claim governments in Southeast Asia make about the security of their contact tracing apps.

However, it is usually not the actual code of the app that is open-source. The code that has been released is just the source code or software behind the app which is called “reference implementation”. Often, the making the reference implementation available is still useful in making the app easier to examine.

In this case, the problems regarding security and privacy has less to do with the reference implementation and more with larger issues relating to the overall design of the app, including the protocol on which it is built upon, its functions, and where the data is stored. Making an app’s actual code open-source does not not mitigate these risks.

Myth #5: Tech is a Solution for COVID-19.

Neither data nor tech alone will solve COVID-19. Tracing apps should not replace conventional contact tracing: on average, it is estimated that 60% of the target population would need to download the app in order for it to work successfully. While people are already concerned about protecting their personal data when using tracing apps, there is also concern about the accuracy of the Bluetooth tech behind the tracing apps, which do not work well in an obscured environment.

The collaboration between Apple and Google on the pandemic tracing app is unlikely to prove the ultimate solution either, even though both companies are considered as a duopoly. People can still turn off their phones, put it on the flight mode, run out of battery, or simply forget their phones at home. Also, not all the phones can use the technology: older generation phones in particular will not be able to use the Application Programming Interface (API) rolled out by the two companies. Apple phones older than the iPhone 6S, and Android devices older than version 6 will be incompatible with the app.


Latest Updates

May 15, 2020
Should We be Worried about a Tracing App during the COVID-19?
The situation of the novel coronavirus (COVID-19) has prompted many states as well as non-state actors to launch—or consider launching— a contact tracing application (app). While […]
April 2, 2020
TraceTogether: Not Easy to Verify the State’s Privacy Claims
Update as of May 7, 2020: Some of the content in this article is outdated. The ‘reference implementation’ of the BlueTrace protocol called OpenTrace has been […]
July 9, 2020
Open Letter to Request for Strong User Privacy Protections in the Philippines’ COVID-19 Contact Tracing Efforts
08 July, 2020 The Inter-Agency Task Force for the Management of Emerging Infectious Diseases (IATF-EID) Department of Health (DOH) Department of Information and Communications Technology (DICT) […]