Apps and Covid-19

Considering the billions of people who have smart phones generally use apps on these devices, it's possible to reach people and draw extensive data from their devices.

PI has been repeatedly exposing how smartphone apps can put users' privacy and security at risk. For instance we revealed how popular non-Facebook apps leak data to Facebook beyond the user's control or knowledge. We recently revealed similar levels of exploitation by menstruation apps.

The reality is that smartphones are highly complex interactions between hardware (chips and processors and storage and antennas), operating systems (generally Apple and Google), app stores (Apple and Google again), platforms (analytics companies and social media companies), and the apps themselves.

China was an early mover on apps: people were required to install the Alipay Health Code app, fill in personal details, and then were issued with a QR code with one of three colours denoting quarantining status. The app reportedly shared location data with the police. 

Using apps in the context of Covid-19 is useful to the general public to help people to report their symptoms and to learn about the virus and the health response. Apps are now being explored to trace contacts through interaction and proximity analysis. 

They are also being explored as quarantining enforcement tools, monitoring location and interactions. In this context, they are not necessarily voluntary tools.

The apps can help you report, generate data without your involvement, or lift data from your device. The apps can store the data locally or send the data to servers. And they can leak data to analytics firms and social media platforms.

So the Norwegian health app stores location data for 30 days on a centralised server. The Colombian app asks people to provide their data and answer questions about participation at protests and ethnicity. 

The apps are generally poorly spread. The Singapore app apparently has been downloaded only by 13% of the population. The UK is aiming for at least 50% of the population with their app.  This is because they are mostly voluntary at the moment.

Even when 'voluntary', compulsory data entry varies. In Argentina the app for self-diagnosis requires people to include their National ID, email and phone number. 

We are concerned that the voluntary nature of these apps will be rescinded for travellers and when borders are re-opened. Yet meanwhile, according to reports from  Thailand, SIM cards and apps were provided to every foreigner and travelling Thai, expecting this data to report on their locations; and Hong Kong is using bracelets with an app on people under compulsory quarantine and shares their location with government over messaging platforms.

It's in this context that apps like the one developed for Home Quarantining by the Polish government. It requires phone numbers, reference photos, and regular check-ins. South Korea's app uses GPS to track locations to ensure against quarantine breach, sending alerts if people leave designated areas.

Finally, there is the ever-present monitoring that goes on as part of commercial exploitation. Facebook, Google, and analytics companies have been accumulating location data for years, sometimes in great detail and sometimes in aggregate.

Some apps are exploring storing limited data. Argentina's CoTrack, MIT Media Lab, and Oxford University's apps appear to collect location and proximity data on the device and share only with consent and with no identifying data.

26 Jun 2020
Germany’s “Corona-Warn” contact tracing app amassed 6.5 million users (7.8% of the German population) in the first 24 hours after its June 16 launch despite setbacks that included disputes over data privacy and functionality. The app was developed in six weeks by a team of developers and engineers
09 Jun 2020
Russian authorities are considering introducing an app that migrant workers will be required to download when they enter the country. Leaked details indicate that the app would contain detailed biometric data, health status, police records, and a “social trustworthiness” rating. It’s unclear whether
05 Jun 2020
After problems with its TraceTogether contact tracing app, Singapore is planning a comprehensive contact tracing system in which it will distribute to all its 5.7 million residents a wearable device that will identify people who have interacted with people carrying the coronavirus. The devices can
03 Jun 2020
The lack of data protection laws and the absence of a privacy commission are contributing factors to Pakistan’s failure to investigate or remedy security flaws in the country’s recently-launched COVID-19 tracking technology, which partially depends on a system originally developed to combat
01 Jun 2020
Italy has launched Immuni, one of the first contact tracing apps based on the Apple-Google API. The app is opt-in, and includes an explanation of the privacy and security measures in its setup. The app collects anonymously bluetooth tokens that are automatically randomised, but does not collect GPS
13 May 2020
The Slovak Constitutional Court declared unconstitutional parts of the newly amended telecommunication law that permitted state authorities to access telcommunications data for the purposes of contact tracing. The parliament approved the legislation in March, but the court ruled that the need for
12 May 2020
Any user of India's Aaorgya Setu contact tracing app can now request deletion of the data they've entered according to the Aaorgya Seta Emergency Data Access and Knowledge Sharing Protocol, 2020, which specifies the definition, collection, processing, and storage of the data the app collects. The
28 Apr 2020
Many of the technologies used to combat the coronavirus pandemic, including monitoring and analysing social media posts, telecommunications location data, and the use of sensors, were first tested on refugees during the 2015 crisis and are now being repurposed in the name of public health. In 2019
01 Apr 2020

The Myanmar Ministry of Union Government Office, Ministreay Health and Sports, Ministry of Transport and Communications, and youth tech expert Ko Htoo Myint Naung have collaborated on a mobile app to monitor people ordered to quarantine, adapted from other similar apps developed in countries such as South Korea. The app, which is available in Myanmar and English, allows both citizens and foreign residents to report on their health condition. Mobile operators will provide free SIM cards and 1GB of internet data for people under quarantine. A database of all registered and quarantined people will be used to build appropriate action plans.

Writer:  Myanmar News Agency
Publication: Global New Light of Myanmar
 

13 May 2020
In designing its Healthy Together contact tracing app, the US state of Utah opted for a GPS and Bluetooth-based design created by social media startup Twenty; it does not use the Google-Apple API. The goal is for the app to assist the 1,200 Utah Department of Health workers who are doing phone call
20 May 2020
In its final report, the expert group appointed by the Norwegian Ministry of Health and Care Services to assess the security and privacy of the country's COVID-19 contact tracing app, "Smittestopp", concluded that the app handles neither responsibly. The group recommended removing all data once it's
18 May 2020
France, like the UK, opted to develop its own contact tracing app. "StopCovid", using a centralised design developed by the Pan-European Privacy-Preserving Proxity Tracing (PEPP-PT) group, which created a framework called ROBust and the privacy-presERving proximity Tracing protocol (ROBERT). French
19 May 2020

Security researchers have found seven problems with the NHSx contact tracing app including: weaknesses in registration that could allow attackers to steal encryption keys; storing unencrypted data on handsets; generating a new random ID code only once a day; and design decisions with respect to Bluetooth connections that could enable tracking. These questions are independent of whether the app is centralised or decentralised.

Writer: BBC; Chris Culnane and Vanessa Teague
Publication: BBC; State of IT
 

30 Apr 2020
INTERNETLAB offers an extensive analysis of all the eight different Covid-19 related apps being discussed in Brazil at the moment. Apps were rated according to four parameters: consent, need, transparency and security. Besides this, the organisation takes a look into what permissions which app has
21 May 2020
Immunity passports are likely to increase discrimination and threaten fairness and public health - and won't work for practical reasons. First and foremost, scientists do not yet know whether infection confers immunity or for how long; the serological tests so far developed are insufficiently
21 May 2020

In an analysis, the smartphone privacy company Jumbo Privacy finds that Care19, North Dakota's official COVID-19 contact tracing app, sends latitude and longitude data and a unique user advertising identifier to Foursquare and other data to Google servers and the bug-tracking Bugfender. The app's privacy policy does not disclose this third-party sharing. The app development company, ProudCrowd, said it would update the privacy policy and that the data-sharing agreement does not allow Foursquare to collect or use the Care19 data beyond returning the names of nearby businesses. North Dakota officials say future versions of the app will incorporate Apple-Google's new Exposure Notification API.



Writer: Steven Melendez
Publication: Fast Company