The novel coronavirus (COVID-19) pandemic has prompted many states, as well as non-state actors, to launch, or consider launching, a contact tracing application (app). While many of its supporters see such an app as a necessary tool for bringing COVID-19 under control, for many others its use raises privacy concerns.
In many cases, people who have tested positive for COVID-19 cannot recall everyone they were exposed to during the preceding 14-day incubation period. As countries loosen lockdowns and relax social distancing, more people are spending time outside their homes again and gradually returning to social activities. In this situation, several governments have proposed a tracing app as a way to help keep COVID-19 under control.
A contact tracing app works by having a phone with the app installed send a signal to other phones that also have it installed; all such phones within a certain range respond. If the app uses Bluetooth, phones need to keep Bluetooth turned on at all times for the app to communicate with other phones. In a centralized tracing model, when a person with the app installed is later found to be infected with COVID-19, all the signals from other phones stored on the infected person’s phone are sent to a database controlled by the authorities. In a decentralized tracing model, by contrast, the information is kept only on the phone. When a person tests positive for COVID-19, he or she has to upload the information stored on the phone to the relevant database themselves.
A Centralized Model versus a Decentralized Model
A tracing app must be built on a protocol. A communication protocol is a set of rules that lets two or more entities in a communication system exchange information over some variation of a physical quantity. Protocols for COVID-19 tracing apps fall into two categories: (1) protocols that use a centralized model and (2) protocols that use a decentralized model.
In the centralized model, the data collected by the app is stored in one place. Concerns arise over how that data will be stored and who can access it. Since such databases are usually owned or managed by state authorities, trust in the app rests primarily on the assumption that the government, or the contractors who run its backend server, will not de-anonymize the data to identify the individuals behind it. Despite the privacy concerns, this model is considered more effective than the decentralized one.
In the decentralized model, data from the tracing app is kept only on the users’ phones. When two devices with the same app come within a certain range of each other, they collect data from each other, but the collected data does not leave the phone (i.e. it is not uploaded automatically to any centralized database). Many decentralized protocols are available, such as Decentralized Privacy-Preserving Proximity Tracing (DP-3T) and Temporary Contact Numbers (TCN). The comic below, taken from the DP-3T GitHub page, shows how a decentralized tracing app works.
As the comic illustrates, a phone with the app installed broadcasts a random signal and exchanges messages with other phones in range that also have the app. Both phones remember the exchange for 14 days. If, within those 14 days, a person with the app tests positive, that person then has to send the information collected on his or her phone to the health authorities. Anyone whose phone was in contact with the infected person’s phone is alerted.
Even though the decentralized model has been praised for respecting privacy more than the centralized one, it faces criticism over its efficiency at contact tracing, which is the app’s purpose. In the centralized model, the server knows the identities of those who were in contact with anyone who has tested positive for COVID-19, so health authorities can focus their attention on those direct contacts. In the decentralized model, the server relies on the information uploaded by individuals who have tested positive for COVID-19; the identifiers of those the person encountered are then broadcast. It is up to individual devices to upload information continually and to notify other users when there are matches. Situations may therefore arise in which app users do not have the opportunity to upload information regularly, which makes contact tracing less efficient.
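To make the two flows described in the paragraphs above concrete, here is an added simulation in Python. It is not code from any app or protocol named on this page; the phone names, the 8-byte random tokens, the four-phone encounter scenario and the two server classes are constructed for illustration, while the 14-day retention window is the one the text gives. The point it shows is what each backend ends up holding: the centralized server issues every token, so an infected user's upload hands it a named contact list; the decentralized server only relays the infected user's own tokens, and every other phone decides locally whether it was exposed.

```python
import secrets

# Constructed simulation (not code from any real tracing app) of what the
# backend learns under a centralized and under a decentralized protocol.
RETENTION_DAYS = 14


class CentralServer:
    """Centralized model: the server issues every broadcast token, so it can
    always map a token back to the person it was issued to."""

    def __init__(self):
        self.registry = {}   # token -> user name
        self.graph = {}      # reported case -> set of named contacts

    def issue(self, name, day):
        token = secrets.token_bytes(8)
        self.registry[token] = name
        return token

    def receive_contacts(self, name, heard_tokens):
        contacts = {self.registry[t] for t in heard_tokens}
        self.graph[name] = contacts       # the server now owns a contact graph
        return contacts


class DecentralServer:
    """Decentralized model: the server only relays tokens that confirmed
    cases chose to publish. It never sees who heard whom."""

    def __init__(self):
        self.published = set()

    def publish(self, own_tokens):
        self.published.update(own_tokens)


class Phone:
    def __init__(self, name, issuer=None):
        self.name = name
        self.issuer = issuer          # None -> tokens are generated locally
        self.my_tokens = {}           # day -> token this phone broadcast
        self.heard = []               # (day, token heard from a nearby phone)

    def token_for(self, day):
        if day not in self.my_tokens:
            self.my_tokens[day] = (self.issuer.issue(self.name, day)
                                   if self.issuer else secrets.token_bytes(8))
        return self.my_tokens[day]

    def encounter(self, other, day):
        """Both phones record the other's token for that day."""
        self.heard.append((day, other.token_for(day)))
        other.heard.append((day, self.token_for(day)))

    def prune(self, today):
        keep = lambda d: today - d < RETENTION_DAYS   # drop anything older than 14 days
        self.heard = [(d, t) for d, t in self.heard if keep(d)]
        self.my_tokens = {d: t for d, t in self.my_tokens.items() if keep(d)}

    def report_centralized(self, server, today):
        """Upload what this phone HEARD; the server resolves the contacts."""
        self.prune(today)
        return server.receive_contacts(self.name, [t for _, t in self.heard])

    def report_decentralized(self, server, today):
        """Upload only this phone's OWN tokens; matching stays on the phones."""
        self.prune(today)
        server.publish(self.my_tokens.values())

    def check_exposure(self, server, today):
        self.prune(today)
        return any(t in server.published for _, t in self.heard)


def run_centralized(report_day=14):
    srv = CentralServer()
    alice, bob, carol, dave = (Phone(n, srv) for n in ("alice", "bob", "carol", "dave"))
    bob.encounter(dave, 0)     # falls outside the 14-day window by report_day
    alice.encounter(bob, 1)
    bob.encounter(carol, 3)
    contacts = bob.report_centralized(srv, report_day)
    return sorted(contacts), {k: sorted(v) for k, v in srv.graph.items()}


def run_decentralized(report_day=14):
    srv = DecentralServer()
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    bob.encounter(dave, 0)
    alice.encounter(bob, 1)
    bob.encounter(carol, 3)
    bob.report_decentralized(srv, report_day)
    exposed = {p.name: p.check_exposure(srv, report_day) for p in (alice, carol, dave)}
    return exposed, len(srv.published)   # server holds only bob's 2 in-window tokens
```

Running both scenarios with the same encounters gives the same exposure outcome (alice and carol notified, dave's day-0 encounter expired), but only the centralized server ends up with a `graph` naming bob's contacts; the decentralized server holds two opaque tokens and nothing that links them to alice or carol.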
Bluetooth-based Apps v. GPS Tracking Techniques
Contact tracing apps in some countries also gather GPS locations to track people, which puts individual privacy at risk. An astonishing amount of personal information can be learned from an individual’s location data. It can reveal where a person lives, works, and likes to spend time, and thereby expose sensitive information. For example, LGBTQI+ people, particularly those living in conservative societies who may not want to disclose their gender or sexual identity for reasons of personal safety, may find their privacy breached by tracing apps that collect geolocation data: the places they frequent and their lifestyle can identify them.
Ideally, contact tracing apps should collect only the minimum information required, and no other personally identifiable information (PII). Precise location information is not needed. According to one study, the only information a contact tracing app needs in order to be successful is (1) whether an individual has been in physical proximity to an infected person for a sufficiently long time, and (2) whether the interaction took place during a period when transmission from the infected person could have occurred. It is not necessary for a contact tracing app to collect personal information about the infected person, their other contacts, the location or context of the contact, or anything else. The app can work by determining whether two people were in close proximity, without collecting PII such as where the encounter occurred.
Bluetooth-based contact tracing is preferable to using GPS location data to track people, and the majority of tracing apps currently available use Bluetooth Low Energy (BLE). However, there are concerns about the accuracy of BLE-based tracing apps, as the technology may not work well in obstructed environments. There are other vulnerabilities as well. For the app to be effective, users must keep Bluetooth enabled at all times, but this exposes them to serious security risks, especially in light of two recent major vulnerability disclosures (BlueBorne in late 2017 and SweynTooth in February 2020). Some have suggested that attackers might exploit this situation to break into people’s phones and steal their personal data; as the use of tracing apps grows around the world, so does the opportunity for criminal data breaches.
Apple and Google’s Collaboration on Contact Tracing Technology
It is unusual for Apple and Google to collaborate, as the two companies have always stood at opposite ends of the privacy spectrum. For example, a centralized tracing app does not work well with Apple’s application programming interface (API), because Apple does not support apps with features that allow data to leave the phone after it is collected. In the current global health crisis, however, Apple announced that it would develop contact tracing technology together with Google.
Since the announcement, the two companies have launched the Exposure Notification API on iOS and Android. It is a development tool for software developers, intended to help public health agencies notify individuals who may have been exposed to a person infected with COVID-19. The system is said to be decentralized and to use Bluetooth exclusively. The two companies made use of the tool conditional on developers meeting the following requirements:
- The app must be an official app made by or for a public health authority to respond to COVID-19.
- Users’ consent is needed before the app is used. Consent must also be obtained before a user’s positive test result and other information is shared with the public health authority.
- The app should collect the minimum amount of information necessary, and that information should be used only to respond to COVID-19. Using the collected information for advertising or any other purpose is forbidden.
- The app cannot access, or ask for permission to access, a device’s Location Services in a way that would reveal specific geolocation data. Existing apps that already use this method will not be able to use the new Exposure Notification API.
- The Exposure Notification API allows one app per country, to avoid fragmentation. However, the two companies are willing to work with nations that have adopted an app at the national level and provide some flexibility.
The TraceTogether app on iOS is an example. So far the app has received relatively low ratings in the Apple App Store (2.6 out of 5 from 305 ratings at the time of writing), and users have reported problems after installing it on their devices. However, the developer team seems willing to adapt the app to Google’s and Apple’s requirements.
Tracing Apps in Southeast Asia
Singapore became one of the earliest countries to launch a contact tracing app. TraceTogether, a Bluetooth-based contact tracing app, was developed on the centralized BlueTrace protocol, a homegrown product of Singapore’s Government Technology Agency (GovTech). The software behind the app, called OpenTrace, is open-source and available on GitHub. Following the deployment of TraceTogether, Indonesia came up with its own app, PeduliLindungi, developed by local developers and launched by the Indonesian Ministry of Communication and Information; it also uses Bluetooth. Thailand has implemented its own app, Mor Chana, which uses both Bluetooth and GPS and was developed by a team called Code for Public on behalf of the Thai Ministry of Digital Economy and Society. Vietnam has Bluezone, a Bluetooth-based app developed by the tech firm Bkav on behalf of Vietnam’s Ministry of Information and Communications. Malaysia has followed its neighbors by launching MyTrace, which also relies on Bluetooth. However, it is not known which protocols the apps in Indonesia, Malaysia, Thailand, and Vietnam are built on. The Philippines has shown interest in developing a tracing app based on the technology provided by Singapore. At present, there is no publicly available information about contact tracing app initiatives in the remaining countries of the region.
Apart from the information available about the BlueTrace protocol and the TraceTogether app, little is known about the contact tracing apps introduced by other countries in the region. Although Indonesia and Malaysia had not released any code for their official contact tracing apps on GitHub at the time of writing, Vietnam and Thailand have made code relevant to their tracing apps available. Beyond this, much of the information about the apps themselves is still unknown. The information provided by the governments is also limited, which raises concerns over transparency.
[Table 1]
Furthermore, claiming that an app is open-source does not mean that the app’s actual code is open-source. Based on the available information, it is the ‘reference implementation’ (the software behind the BlueTrace protocol on which Singapore’s TraceTogether app is built) that is open-source, not the complete source code of the app itself. Developers who want to build a tracing app on the BlueTrace protocol benefit from the ‘reference implementation’ being open-source. In terms of security, however, the app is still based on the centralized model, and open-sourcing the app’s actual code would not mitigate that risk. This study looked at the ‘reference implementation’ of BlueTrace and OpenTrace and found that OpenTrace authenticates with Firebase, which logs a great deal of information. The temporary IDs, generated using the Singaporean Ministry of Health (MOH) key, also use reversible encryption, which is not the best option for security: if the MOH key is compromised, any temporary ID can be reversed to reveal both the User ID and the timestamp, which together expose a substantial amount of information. All of this is processed via Google’s servers. Even though MOH cannot see most of the information, Google can access this data.
In the case of Thailand’s Mor Chana app, while the code is available on GitHub, it reveals only a very basic user interface (UI) and an extremely crude contact exchange system; in other words, the available code is extremely basic and says little about how the app works. First, when we examined the Mor Chana code, we found that the user ID is generated once and never updated before it is broadcast over BLE. Because the user ID is persistent, the same ID appears each time the phone is near the same other phone, and after a few encounters it is easy to tell who is behind that ID. The available code also contains no collection code, meaning that it stores nothing besides the user’s own ID for broadcast, and it says nothing about how data is processed. Based on the code, when the app receives a user ID it simply shows it on the screen, and when the app is closed, anything in memory is gone. It is therefore hard to claim that the app is open-source, given the many gaps in what the available code reveals about the processing of data.
However, a published article reports that the app collects GPS data and stores it in Amazon Web Services (AWS). Collecting GPS data through the app also raises concerns under international privacy law. Since the app stores information in AWS, the data may be obtainable by US law enforcement under the 2018 Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which allows authorities to obtain information held by US-registered data companies regardless of where in the world it was collected.
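The two code-level findings above, the authority-keyed reversible temporary ID in BlueTrace/OpenTrace (and the ‘super key’ scenario the article returns to later) and the never-rotated user ID in Mor Chana, are illustrated together in the following added Python example. It is not code from either project. The cipher is an HMAC-SHA256 keystream with an HMAC tag, a standard-library stand-in for whatever authenticated cipher the real implementation uses (an assumption; the page only states that the encryption is reversible), and the key, user ID, validity window, listener log and place names are all constructed. It shows three things: that anyone holding the authority key, whether the authority or a thief, turns any overheard TempID back into a user ID plus timestamp; that an ID derived one-way from a per-device seed cannot be opened that way and still supports matching once the seed is published; and that a persistent broadcast ID lets a passive listener link every sighting of a device into a routine, where a rotating one leaves unlinkable singletons.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example, not BlueTrace's, OpenTrace's or Mor Chana's own code.
# The "cipher" below is an HMAC-SHA256 keystream + tag, a stdlib stand-in for
# the authenticated cipher a real deployment would use (assumption).


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()[:length]


def reversible_tempid(authority_key: bytes, user_id: int, start: int, end: int) -> bytes:
    """Authority-keyed TempID: encrypts user_id || start || end (three uint32)."""
    plain = struct.pack(">III", user_id, start, end)
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(authority_key, nonce, len(plain))))
    tag = hmac.new(authority_key, nonce + ct, hashlib.sha256).digest()[:8]
    return nonce + ct + tag            # 32 bytes; a fresh one per validity window


def open_tempid(authority_key: bytes, tempid: bytes):
    """Whoever holds the authority key (legitimately or after a compromise)
    recovers the user ID and validity window from any observed TempID."""
    nonce, ct, tag = tempid[:12], tempid[12:24], tempid[24:]
    expected = hmac.new(authority_key, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: TempID was not produced under this key")
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(authority_key, nonce, len(ct))))
    return struct.unpack(">III", plain)


def oneway_ephemeral_ids(day_seed: bytes, count: int) -> list:
    """Decentralized alternative: ephemeral IDs are a one-way function of a
    per-device daily seed. No central key maps an ID back to a user; only a
    seed the user chooses to publish makes matching possible."""
    return [hmac.new(day_seed, struct.pack(">I", i), hashlib.sha256).digest()[:16]
            for i in range(count)]


def matches_published_seed(day_seed: bytes, observed: list, count: int = 96) -> bool:
    """Local matching on a phone: regenerate IDs from a published seed and
    intersect them with what this phone heard."""
    return bool(set(oneway_ephemeral_ids(day_seed, count)) & set(observed))


def keyed_tempid_demo():
    moh_key = secrets.token_bytes(32)                 # constructed "super key"
    tid = reversible_tempid(moh_key, user_id=4242, start=1590000000, end=1590000900)
    recovered = open_tempid(moh_key, tid)             # key holder reads it back
    seed = secrets.token_bytes(32)
    heard = oneway_ephemeral_ids(seed, 96)[:3]        # three IDs a phone overheard
    return (recovered,
            matches_published_seed(seed, heard),                      # True
            matches_published_seed(secrets.token_bytes(32), heard))   # False


# --- Linkability of a broadcast ID that is generated once and never rotated ---

def persistent_id_source():
    fixed = secrets.token_hex(8)               # generated once, reused forever
    return lambda day: fixed


def rotating_id_source():
    return lambda day: secrets.token_hex(8)    # fresh random ID for each day


# Constructed routine: the same phone passes one listener on successive days.
ROUTINE = [(1, "bus stop"), (2, "bus stop"), (3, "office"), (4, "office"), (5, "bus stop")]


def link_profile(id_source, routine=ROUTINE):
    """Group a passive listener's sightings by broadcast ID; returns the size of
    the largest linkable group and the place most often tied to it."""
    profile = {}
    for day, place in routine:
        profile.setdefault(id_source(day), []).append((day, place))
    best = max(profile.values(), key=len)
    places = [p for _, p in best]
    return len(best), max(set(places), key=places.count)
```

`keyed_tempid_demo()` returns `(4242, 1590000000, 1590000900)` for the reversible ID, which is exactly the de-anonymization a compromised key permits, and `True`/`False` for the one-way matching with the right and wrong seed. `link_profile(persistent_id_source())` attributes all five sightings to one device and names its usual place, whereas `link_profile(rotating_id_source())` can link at most one sighting per ID.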
In Europe where privacy is a primary concern, the European Commission has launched a guideline for nations regarding the use of a contact tracing app, which stipulates that the member states cannot force people to download the app. The app must be approved by the national health authority in each country. The app must also respect the privacy of users by securely encrypting the collected data and ensuring that the app will be dismantled as soon as it is no longer needed. This guideline is a positive response to the use of contact tracing apps in the member states of the European Union (EU), and can prevent the emergence of harmful unauthorized apps that can access sensitive personal data. The guideline also establishes criteria to collectively monitor the effectiveness of the apps, and outlines a communications strategy to engage with stakeholders and the people affected by these initiatives.
Given the response to tracking apps in Europe, how the Association of Southeast Asian Nations (ASEAN) will respond in a similar situation remains an open question. ASEAN has been relatively silent on the matter and has so far played no influential role in tackling COVID-19 among the ASEAN Member States (AMS). At the national level, apart from the apps being deployed, there is neither specific regulation addressing the privacy concerns of the apps, nor any preventive mechanism proposed to ensure that information gathered by the apps will not be used for other purposes. Furthermore, there is no guarantee that people will not be forced to use an app when they are unwilling to do so. There is also no requirement to secure backend databases or to test the application in order to mitigate its exploitation. It appears that most apps are being rolled out swiftly without any mechanism in place to protect the security and privacy of users.
The majority of countries in Southeast Asia have a long record of human rights abuses which have occurred at the hands of the governments. As countries are either already using or likely to use centralized approaches in their tracing app, their respective governments will be responsible for overseeing the collected data. This situation does not seem reassuring for people to place their trust in the government to handle their personal information. Questions about competence also exist on whether the government is able to ensure that the collected data will not be hacked or leaked by insiders. In the case of TraceTogether, for example, all the IDs are kept secret only if the ‘super key’ is kept secret. If the key is compromised, the attacker can access all information and deanonymize all individuals in the database. An attacker can also build a social graph of all the interactions recorded in the database, which would include not only those who are infected, but also those who have been around them.
Another aspect of the situation is related to policy, as nations in the region are known to have weak regulations on personal data and privacy. Singapore, Malaysia, and Thailand either already have or are planning to put personal data regulations in place, but these countries share the same policy of excluding government agencies from those regulations. Without an enforcement agency to oversee data collection by the authorities, people can rely only on the government’s own claims. In the case of Singapore, for example, individuals who have tested positive for COVID-19 are required to provide their personal details under the country’s Infectious Diseases Act. However, the Act contains legal loopholes on how government agencies are required to use the information.
Moreover, there is a question of trust that is placed in companies like Apple, Google, and Amazon to take care of their users’ personal data. The database of collected information from TraceTogether’s users is overseen by Google, while Thailand’s app will use Amazon’s service to handle its data. In both these cases, as well as in the technological collaboration between Apple and Google, how the data is collected from the apps will rely on these companies’ integrity. Due to the loopholes in the existing regulations and the lack of enforcement throughout the region, there are concerns that these legal loopholes may not be able to hold these companies accountable when an incident over the collected data occurs.
Will it Work?
A contact tracing app is expected to work effectively when around 60% of the population uses it. However, reaching this threshold is quite challenging. In Singapore, where the population has a high rate of computer literacy, only 20% of the population have installed the app. When Apple and Google launch their joint technology, it remains to be seen whether the contact tracing apps available to countries in the region will change.
Despite both companies’ dominance in the mobile phone market, Google and Apple’s technology will not be the ultimate solution for contact tracing. Older phones in particular will not be able to use the API. Apple phones will need iOS 13 installed in order to use the API, which excludes devices older than the iPhone 6S. Similarly, only Android devices on version 6 or higher will be compatible with the apps.
Apart from these challenges, there are other issues with Bluetooth signals that affect the accuracy of contact tracing. The strength of a Bluetooth signal depends on the devices’ conditions, and the signal can be interrupted in obstructed spaces. Bluetooth signals are also limited by phone usage, as phones can be turned off, run out of battery, or be put in airplane mode. Contact tracing through Bluetooth will also not work when people leave their phones at home or choose not to carry them for some period of time. There are further questions about how accurately Bluetooth signals reflect actual contact, for instance when two people are seated in different cars with the windows rolled up while waiting at a traffic light.
The Bottom Line
Tracing apps should not be seen as a replacement for conventional contact tracing methods, and governments should not make their use mandatory. If governments want an effective alternative for contact tracing to combat COVID-19, they must be more transparent about how the apps work and how information is stored, and must ensure the security and privacy of the apps through enforcement mechanisms. Auditing by independent third parties should also be considered. However, as the apps currently available in the region are more likely to adopt the centralized approach, this trend, combined with the loopholes in privacy and personal data protection regulations, means that users’ personal information is vulnerable to misuse and exploitation. People are also advised not to download unofficial apps that cannot be authenticated and are not transparent about how the people behind them use the information they collect. Unofficial apps are especially risky, as they might collect more personal information than necessary or use the information they collect for other purposes.
The effectiveness of the tracing apps for contact tracing is also flagged as a concern, even with Apple and Google taking the lead. This concern is due to the problems with the core technology, Bluetooth, that is being used in these apps. Moreover, people must place their trust in Apple and Google when handling their data, which also requires the two companies to be transparent on how their technology works.
If you are a mobile user and wondering whether you should download a tracing app on your phone, you should be concerned about where your information is stored and which information is gathered. As most nations in Southeast Asia are moving towards adopting the centralized approach, it is likely you will have access to a centralized tracing app, unless there are some changes in the model due to the influences of Apple and Google’s collaboration. If the tracing app in your country also collects GPS data, you might want to first ask yourself whether you are willing to give up your privacy or not in that area. The next question to ask yourself is: if your country’s app still uses a centralized model in which the government oversees the collected data, are you willing to trust your government and the third parties who are behind this to handle this data? This question could be answered by looking at the government’s human rights records, the history of data breaches in the country and the way it has been handled, in addition to the personal data and privacy-related regulations and enforcement mechanisms that exist in your country.