This research on the privacy and data compliance of the ASEAN region’s newly launched contact tracing apps was carried out by Straits Interactive CEO Kevin Shepherdson and legal consultant Lyn Boxall.
As governments in ASEAN relax lockdown restrictions, COVID-19 contact-tracing smartphone apps are being introduced to help limit the spread of the coronavirus.
In essence, these apps allow users to ‘proactively help’ with, and participate in, the contact tracing process. Specifically, GPS/Bluetooth technology is used to track the locations of all individuals with whom the user of the app may have been in contact.
The user’s mobile phone exchanges ID-related information with other mobile phones running the same app via short-distance Bluetooth signals. If a user has been exposed to an infected person who has also downloaded the app, the contact history is then shared with the relevant government agency.
Many people are reluctant to download such apps for fear of constant government surveillance, and they worry that such apps will spy on them by extracting all kinds of personal information from their mobile phones. Since users will be running such apps in the background on their Android phones, can these smart apps be trusted?
Straits Interactive assembled a local team of IAPP (International Association of Privacy Professionals) certified privacy managers from the region to do a detailed privacy sweep of contact tracing smart apps from the governments of five ASEAN countries.
Methodology of the privacy sweep
Straits Interactive decided to benchmark the contact tracing apps against the survey parameters used by the Global Privacy Enforcement Network (GPEN), which conducted a global privacy sweep of mobile apps back in 2014.
That sweep involved the participation of 25 privacy enforcement authorities around the world. It assessed the following:
- The types of permissions sought by a surveyed app.
- Whether those permissions exceeded what would be expected based on the app’s functionality.
- Most importantly, how the app explained to consumers why it wanted the personal data and what it planned to do with it.
To understand this, it is better to first take a look at ‘app permissions’ in general.
Understanding app permissions
A ‘permission’ in an app protects the privacy of the user of the app. Every app must include an ‘app manifest’ that, among other things, lists the permissions that the app uses.
Every mobile phone has an operating system, most commonly the Android operating system (Google) or the iOS (Apple) operating system. The vast majority of mobile phones are ‘Android phones’ and they have two ‘permissions’ categories:
- Normal permissions: These permissions do not directly risk the user’s privacy, for example, permission to set the time zone is a normal permission. If an app lists a normal permission in its manifest, the system grants the permission automatically.
- Dangerous permissions: These permissions give the app access to the user’s personal data in their mobile phone, such as contacts and SMS messages, as well as certain system features, such as the camera. If a dangerous permission is requested, privacy laws do not allow the relevant personal data to be collected, used or disclosed unless the user gives explicit consent by ‘accepting’ the request for permission to do so. In addition, privacy laws generally restrict ‘dangerous permissions’ to personal data that the app may collect, use or disclose while the user is actually using it. They do not allow apps to collect, use or disclose personal data simply because the user downloaded the app.
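The first two sweep criteria (which permissions an app seeks, and whether they exceed what its functionality needs) can be checked mechanically against the app manifest. The sketch below is an added example, not part of the original research: the manifest is constructed for a hypothetical app, the dangerous-permission list is a subset of Android's, and the "expected" set for a Bluetooth/GPS tracing app is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Subset of Android's "dangerous" permissions (not the full platform list).
DANGEROUS = {
    "READ_CONTACTS", "WRITE_CONTACTS", "READ_SMS", "SEND_SMS", "RECEIVE_SMS",
    "CAMERA", "RECORD_AUDIO", "READ_PHONE_STATE", "READ_CALL_LOG",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
}
# Assumption: the dangerous permissions a reviewer would accept as necessary
# for a Bluetooth/GPS contact tracing app.
EXPECTED_FOR_TRACING = {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}

# Constructed manifest for a hypothetical app; not from any reviewed app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracing">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (n.get(ANDROID_NS + "name") for n in root.iter("uses-permission"))
    return {name for name in names if name}

def sweep(manifest_xml, expected=EXPECTED_FOR_TRACING):
    """Split declared permissions into dangerous, excess and everything else."""
    short = {n[len(PREFIX):] if n.startswith(PREFIX) else n
             for n in requested_permissions(manifest_xml)}
    dangerous = short & DANGEROUS
    return {
        "dangerous": sorted(dangerous),
        "excess": sorted(dangerous - set(expected)),  # needs justification
        "other": sorted(short - DANGEROUS),  # normal, or not in the subset
    }

if __name__ == "__main__":
    print(sweep(SAMPLE_MANIFEST))
```

Every entry under "excess" is a permission the privacy statement would have to justify under the third criterion.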
By way of illustration, here is a list of dangerous permissions that might be sought by an app:
Users often blindly “agree” to or “allow” these permissions without first understanding their functions. Nor do they read the privacy policies of the respective applications.
The following table shows the various dangerous permissions being used in the five contact tracing smart apps that were reviewed:
Straits Interactive looked at whether these dangerous permissions exceeded what would be expected based on the app’s functionality. It also looked at the explanation in the privacy statement about why these permissions are needed and what will be done with the relevant personal data.
Before considering those points, here is an explanation of various permissions and some comments about potential risks if they were to be abused:
The following tables summarise the findings of the research. The sweeper is the reviewer.
Singapore’s TraceTogether comes out on top in terms of privacy communications and overall marks.
The privacy statement and accompanying documents explain clearly and in simple English what the TraceTogether app does, what type of personal data is collected and how it may be used or disclosed. The review shows that the permissions the app seeks do not exceed its functionality and declared purposes.
While the TraceTogether app does not comply with all of the nine obligations under Singapore’s Personal Data Protection Act (PDPA) or all of the six processing principles under the GDPR, it is generally consistent with those obligations and principles.
The few areas where it falls short tend to reflect the nature of an app such as the TraceTogether app rather than an inadvertent or careless departure from an obligation or principle.
A research review of Singapore’s TraceTogether App can be found here.