Apps and Covid-19

Considering the billions of people who have smart phones generally use apps on these devices, it's possible to reach people and draw extensive data from their devices.

PI has been repeatedly exposing how smartphone apps can put users' privacy and security at risk. For instance we revealed how popular non-Facebook apps leak data to Facebook beyond the user's control or knowledge. We recently revealed similar levels of exploitation by menstruation apps.

The reality is that smartphones are highly complex interactions between hardware (chips and processors and storage and antennas), operating systems (generally Apple and Google), app stores (Apple and Google again), platforms (analytics companies and social media companies), and the apps themselves.

China was an early mover on apps: people were required to install the Alipay Health Code app, fill in personal details, and then were issued with a QR code with one of three colours denoting quarantining status. The app reportedly shared location data with the police. 

Using apps in the context of Covid-19 is useful to the general public to help people to report their symptoms and to learn about the virus and the health response. Apps are now being explored to trace contacts through interaction and proximity analysis. 

They are also being explored as quarantining enforcement tools, monitoring location and interactions. In this context, they are not necessarily voluntary tools.

The apps can help you report, generate data without your involvement, or lift data from your device. The apps can store the data locally or send the data to servers. And they can leak data to analytics firms and social media platforms.

So the Norwegian health app stores location data for 30 days on a centralised server. The Colombian app asks people to provide their data and answer questions about participation at protests and ethnicity. 

The apps are generally poorly spread. The Singapore app apparently has been downloaded only by 13% of the population. The UK is aiming for at least 50% of the population with their app.  This is because they are mostly voluntary at the moment.

Even when 'voluntary', compulsory data entry varies. In Argentina the app for self-diagnosis requires people to include their National ID, email and phone number. 

We are concerned that the voluntary nature of these apps will be rescinded for travellers and when borders are re-opened. Yet meanwhile, according to reports from  Thailand, SIM cards and apps were provided to every foreigner and travelling Thai, expecting this data to report on their locations; and Hong Kong is using bracelets with an app on people under compulsory quarantine and shares their location with government over messaging platforms.

It's in this context that apps like the one developed for Home Quarantining by the Polish government. It requires phone numbers, reference photos, and regular check-ins. South Korea's app uses GPS to track locations to ensure against quarantine breach, sending alerts if people leave designated areas.

Finally, there is the ever-present monitoring that goes on as part of commercial exploitation. Facebook, Google, and analytics companies have been accumulating location data for years, sometimes in great detail and sometimes in aggregate.

Some apps are exploring storing limited data. Argentina's CoTrack, MIT Media Lab, and Oxford University's apps appear to collect location and proximity data on the device and share only with consent and with no identifying data.