One of the curious consequences of the coronavirus pandemic has been the scramble among governments around the world to develop a contact-tracing app.
These apps are seen by many as being one of the key tools to help bring countries out of the lockdown and get the economy and everyday life moving again.
In the UK, the contact-tracing app is currently being trialled in the Isle of Wight and there has been much debate about the privacy implications it brings with it. In the USA, Google and Apple are working together to develop an effective app.
But in Asia, where the virus struck first, contact-tracing app development is further down the line and there is much that we can learn from their experiences, as the recent report by the Digital Reach Asia campaign group tells us.
Contact-tracing apps in Southeast Asia
One of the first countries to launch a contact-tracing app was Singapore and we have reported on the privacy issues around that app before.
It is called TraceTogether and employs Bluetooth technology based on the centralized BlueTrace technology, which was developed by the Singaporean government, to recognize devices nearby.
It is the centralization of the data which was a concern in Singapore and this is one of the biggest objections to the UK-developed app too as it puts that data at greater risk of being hacked or misused.
In Indonesia, their contact-tracing app which was developed locally is known as PeduliLindungi. It also uses Bluetooth technology as opposed to GPS data to recognize other devices.
In Thailand, the contact-tracing app, which is known as Mor Chana, uses both Bluetooth and GPS.
Vietnam’s app is called Bluezone and, as the name suggests, it is based on Bluetooth technology as well, as is the MyTrace app that has been rolled out in Malaysia.
The only other country in the region known to be considering a contact-tracing app is the Philippines and they are believed to be talking to Singapore and basing it on their technology.
One crucial piece of information that is absent for most countries is what happens to the data these apps are collecting.
Singapore’s app data is stored on a central government database run by Google, which doesn’t exactly inspire much confidence from a privacy perspective, hence the controversy it has generated.
Thailand’s data is managed by Amazon Web Services (AWS) but the other countries have not revealed any details about what they are doing with the data. The risk of this data being misused is therefore stark.
Most countries which have rolled out apps have also not revealed which protocol they have built their apps on.
Singapore’s app is built on an open-source protocol and the full coding for that is available. But that doesn’t mean the entire app is open source.
The code behind Thailand and Vietnam’s apps is also up on GitHub. But Indonesia and Malaysia have not released any code at all.
Digital Reach Asia have studied what information is available and identified some worrying features.
They noticed that the OpenTrace protocol used in Singapore’s app performs authentication with Firebase which logs a huge amount of user information.
They also noted that the temporary IDs that are generated, use the Singaporean Ministry of Health (MOH) key, and also use reversible encryption. This makes it possible to reverse and access this data if the MOH key is ever compromised.
Analysis of the coding available from the Mor Chana app in Thailand shows that it has what Digital Reach Asia describes as “an extremely basic User Interface (UI) and extremely crude contact exchange system.”
By this they mean the coding is basic and actually reveals little about how the app actually works.
They did show that the app generated the same user ID each time, which means it would be possible to use it to identify who you had been in contact with if you came close to them more than a few times.
When this revelation is added to the fact that this app collects and stores GPS data too, he implications for user privacy suddenly become extremely serious.
The Thai data is stored by AWS, which is subject to US law. This means that under the 2018 Clarifying Lawful Overseas Use of Data Act (CLOUD Act), US law enforcement agencies could demand access to it.
Should you download these apps?
The coronavirus pandemic is the focus of everyone’s attention at the moment and understandably so.
But a lot of governments are known to use times of crisis to push through things that wouldn’t be acceptable at any other times. The worry is that these apps are an example of that.
While getting contact-tracing apps rolled out fast is important, it mustn’t be done at the expense of user privacy and it is clear that in some of the cases analysed by Digital Reach Asia, that has been the case.
The UK too risks going down that highly inadvisable road and the truth is that unless government’s everywhere can guarantee that a contact-tracing app is not going to harvest private information and put that data at risk, the advice has to be for people not to download them.