Date: 2020-12-07

Our government’s COVID response has been so far behind our ASEAN neighbors because we never implemented an effective contact tracing program.

Our contact tracing activities came late and are basically a manual system. DILG hired thousands of contact tracers to alleviate the lack of jobs following the brutal lockdowns this year.

There was an attempt at digital contact tracing, but IATF immediately selected StaySafe without vetting its app or having a competitive bid. The suspicion is that StaySafe must have had strong backers at IATF.

Then DICT Usec. Eliseo Rio also protested the selection of StaySafe for, among other reasons, serious privacy issues.

As I reported here last June, data privacy experts worry that StaySafe is borderline spyware that may intrude on the privacy of citizens beyond the epidemic. I heard fears about StaySafe data being used in 2022.

There were seven “dangerous” permissions in StaySafe, so called because they involve access to personal data (like text messages and contacts) or system features (like the phone camera and location).

“Why do they need access to the camera? Another alarming permission would be reading and writing on contacts, SMS, and contact details. They can also delete your contacts. It’s like borderline spyware,” Israel Brizuela, CEO of data privacy consulting firm ePrivacyNow and member of the National Association of Data Protection Officers of the Philippines, told Rappler.

In a review of such apps, the Data Protection Excellency Network (DPEX) identified StaySafe as having “excessive permissions.” DPEX is a Southeast Asian organization that does research in data privacy practices.

Over the past week, Pasig rolled out its own tracing app and Valenzuela also has one of its own. There must be other LGUs with similar tracing apps. Now the IATF has issued Resolution 85, which mandates having StaySafe before anyone can enter government offices or establishments (and may include private ones). So confusing.

I am told that deputy commissioner Dino Aguirre of the National Privacy Commission said in a forum that the NPC is reviewing the privacy impact assessment of StaySafe. The results of the review have not been made public.

I am also told that the privacy policy in the Pasig app was copied from one used by a commercial company. It doesn’t provide privacy protection. That is likely not the intention of Mayor Vico, so he should look into that and fix it.

Anyway, ex-general Rio posted his thoughts on Facebook, which I thought were important. First of all, Rio considers the IATF requirement unfair to our people who don’t have smartphones or any mobile phone for that matter.

“There are still around 12 million Filipinos with no phones or owning 2G only phones who cannot download the app, which requires a smartphone to be able to access it. Isn’t this IATF Resolution 85 discriminating against them, mostly our poor folks?

“While IATF is mandating this to our citizens, it cannot even enforce its Resolution 45 mandating StaySafe to donate its software and all personal data collected to the government. StaySafe was given up to July 10, 2020 to comply, or else it will lose its status as the official government contact tracing application.

“Until now StaySafe has not complied or turned over to the government said software and data. The provisions of Resolution 45 are to guarantee that StaySafe will not compromise the private data and right to privacy of our citizens…

“… another government approved app, the COVID-Kaya, that passed the initial tests and where the StaySafe data are supposed to be stored, was found to have been breached recently with more than 30,000 personal data accessed by unauthorized persons. This was reported by the Citizen Lab, an interdisciplinary laboratory based at the University of Toronto.

“Key finding of the report says that COVID-Kaya used by DOH and supported by DICT, ‘contained vulnerabilities in both web and Android apps that allow for unauthorized users to access private details about the app’s users and potentially patient data.’ We are still awaiting government action on this report.

“Another requirement that StaySafe violated is that it was mandated to connect to other contact tracing technologies, especially the Google-Apple Exposure Notification (GAEN), which proved effective in flattening the pandemic curve of other countries months ago. GAEN has no privacy issues at all. StaySafe is the only app authorized by DOH to use the GAEN, depriving other local apps and our people the opportunity to use it.

“MultiSys developed the TraceFast GAEN for iOS iPhones, but not for Android, which has more users in the Philippines. Moreover, TraceFast is under-utilized and it is a waste of entitlement granted to StaySafe if they are not promoting the GAEN (GAEN entitlement is limited only to one app for every country).

“The StaySafe app is a surveillance app. It is useless if you do not ALLOW it to track you every minute, 24/7 for an indefinite period, draining the phone’s battery much faster. Our citizens will only agree to this for the sake of fighting COVID-19, if the government will assure them it will be used only for this purpose within a definite time period and their privacy is guaranteed and protected as required by law….

“Finally, the main effort of our contact tracing so far was done by thousands of human contact tracers with little or no help from StaySafe. Yet their procedures are still manual, using paper, pens and folders.

“We, an IT Group, proposed to IATF, thru the NTF, last Sept. 7, that we can digitally automate this manual process to make it faster and more efficient. It involves requesting only those who tested positively infected with the virus to have the location of their cellphones, no matter what type or whether it contains a digital app or not, tracked for the PAST 14 days. But the gatekeepers of IATF simply ignored us.”

We must be assured that all data regarding our mobile numbers and our location tracked during the pandemic period will be deleted with no copies made. After the emergency ends, we will no longer be tracked.

Given what Gen. Rio has disclosed, it is difficult to trust StaySafe. Simple as that.

