THE DAWN/ANN – When the two rival tech giants, Apple and Google, join forces to allow application interoperability across their very different operating systems, it must genuinely be a matter of life and death.
And it is. As the battle against COVID-19 continues, detecting and isolating cases is a crucial strategy to stem the spread of the deadly virus. And governments and public health authorities are utilising mobile location tracking to varying degrees across the globe for ‘contact-tracing’ — a strategy that has been instrumental in suppressing the virus in countries such as South Korea, where tech solutions helped bring a major COVID-19 outbreak under control.
Mobile app-based contact-tracing can save considerable time in tracking down all the recent contacts of an infected person, without requiring a detailed interview process with trained staff. It can also eliminate human error, because patients may find it hard to recall every person they have been in contact with, for more than 15 minutes, within the distance of a metre.
As a result, mobile applications based on tracking geographical locations have appeared in almost every country to help track the disease. And Pakistan is no exception. The COVID-19 Gov PK application from the Ministry of IT and Telecom (MoITT) with the National Information Technology Board (NITB) was designed to “keep the citizens updated with the legitimate and latest information related to total coronavirus cases in the country”.
Launched in March, it boasts features including self-assessment, ‘radius alert’ (more on this later), pop-up notifications on personal hygiene, awareness videos and a ChatBot.
The application has been a popular download, and Project Coordinator at NITB Raymond William observes that when it was first launched, “there were one lakh (100,000) downloads in the first week.” Within two months of launch, there were half a million downloads. And during the peak, the number of downloads stood close to a million.
As the pandemic’s severity continues to decline in Pakistan, the download rate for the application would be expected to fall as well. However, according to William, with around 76,000 new downloads completed in the last week, “the application is still under the same consideration and still an important product for download at this time.”
It has been six months since the app was first launched and our battle against COVID-19 began. Today, as countries open back up, emphasis on contact-tracing — especially mobile app-based contact-tracing — is increasing globally.
However, as with most new mass technology, the benefits come with various concerns, which include the potential for abuse of power and loss of privacy for users. With COVID-tracking apps deploying worldwide, critics say the pandemic-struck world is the perfect testing ground for tracking apps that may be used for other forms of surveillance.
While there is little denying the effectiveness of contact-tracing, human rights activists are urging people to be vigilant.
THE POTENTIAL FOR ABUSE OF POWER
In May, Human Rights Watch (HRW) raised this concern in a Joint Civil Society Statement which specified that “the long history of emergency measures show that when surveillance is introduced, it usually goes too far, fails to meet its objectives, and once approved, often outlasts its justification”. Accordingly, the signatories set out that such systems of tracking individual movement must be “lawful, necessary, and proportionate”, as well as “limited in duration”.
Around the world, some applications where the potential for misuse of information is exceptional have already been flagged by MIT Technology Review’s COVID Tracing Tracker Database.
With a fluid situation, no one can predict the result of such applications, but the worst-case scenario can look like an episode of the dystopian British television series Black Mirror, which looks particularly at the unanticipated consequences of new technologies. There have already been reports of people having tested negative but being assigned the wrong colour (red, yellow or green), and confined to their homes — with no transparency from the government on the reason or duration of their detainment. HRW, Amnesty International and Privacy International are all alarmed.
Post-pandemic, the potential for abuse of human rights and increased state surveillance, particularly in authoritarian governments, is endless. Other national COVID-tracking applications have also run into trouble. Iran’s original AC19 COVID app, for example, was banned by Google Play for collecting more data than its rules allowed.
AT HOME IN PAKISTAN
Much has been written about Pakistan’s history of surveillance. In 2017, Privacy International, a London-based advocacy group, claimed that surveillance in Pakistan exceeded the legal capacity. Last year, Freedom House, a Washington DC-based activist group, declared Pakistan ‘not free’ in terms of Internet use for the ninth consecutive year. Activists are critical of any personal information being tracked or recorded.
Executive Director at the Digital Rights Foundation (DRF) Nighat Dad said that there is a “dire need” for us to be talking about human rights and privacy at this time.
“COVID-19 is an emergency, and it is an emergency that a lot of states in the world will extend continuously to gain more control over their citizens, especially as we turn to technology at this time,” she said. Dad acknowledged that the technology is not “inherently ill-intentioned”, but cautions that such technologies can “also become a way for the government to surveil people and their activities, especially if certain people speak out against the government and its policies”.
NITB responded to privacy-related concerns with a press release categorically stating that they collect “very limited personal information” of the user.
“The app does not show the exact coordinates of the infected people, instead, it shows the radius parameter that is fixed by default at 10 metres for self-declared patients and 300 metres at a quarantine location,” the press release added.
Of course, concerns of privacy in Pakistan go beyond the app. Privacy International has pointed out that the “lack of data protection laws and the absence of a privacy commission are contributing factors to Pakistan’s failure to investigate or remedy security flaws in the country’s recently launched COVID-19 tracking technology.” Without such laws, the simple act of allowing an app access to the smartphone’s photo gallery, location or contact list when downloading leaves the user no protection of their privacy in case of misuse.
The Personal Data Protection Bill 2020 is still in draft form on the MoITT website. Initially presented for consultation in July 2018, it received harsh criticism from civil rights activists due to loopholes. The new draft still needs to be approved.
William, however, assures users that “when we are conducting a project at NITB, it is our mandate to protect the data. The 2020 bill may be in draft form, but at NITB, data protection is already being implemented.”
Even so, since its launch, Pakistan’s COVID-19 app has attracted a lot of scrutiny, much of it having to do with the app being vulnerable to potential hacks, and endangering users’ personal data such as passwords.
THE CASE OF COVID-19 GOV PK
“We have studied the app, and so have some international experts,” said Dad. “The app is not particularly secure, especially when it comes to the data of patients and personal information regarding their health.
“This raises serious questions, as people are expected to be using this app and reporting symptoms through it. The government needs to build a better app to give people a secure way of gaining assistance during this pandemic,” she said.
Earlier in June, French cybersecurity analyst Elliot Alderson also took to Twitter, asserting that “nothing is ok with this app”. Based on Alderson’s assessments, an article published on TheDigitalHacker.com, an independent tech news website, also deemed the app not safe to use. The app did not encrypt the password field, the article said. In simpler words, this means that “anyone using the same WiFi, or a router through which the data is transferred, can see the exact password without putting [in] much effort”.
It also pointed out that the app uses Hypertext Transfer Protocol (HTTP), not Hypertext Transfer Protocol Secure (HTTPS), to communicate with the server. HTTPS encrypts the traffic between the app and the server, while plain HTTP sends it unencrypted, which is why HTTPS is considered much more secure. The article recommended not using the application, “unless it is updated with the latest security measures and encrypts users’ data before sending it to the server.”
Updates have come since. “To mitigate that, we asked our partners for the webviews to be on HTTPS, which was done the very next day,” said William. He also acknowledged that there was use of hard-coding techniques, a weakness identified by Alderson.
“So we identified it, we called our developers and asked them to remove the hardcode,” he said.
But many were frustrated to see that the ‘radius alert’ feature simply did not work. Several irate users reported on the Google Play Store that they found the function to be “useless”. One user, who gave the app a one-star rating, summed up its startling inaccuracy, revealing that, “I am a COVID-19 positive patient since June 7, with the correct, current address written on my CNIC, but my area shows zero cases.” Users have also called attention to inaccuracies with areas such as Islamabad’s I-10, which were sealed due to their high infection rates but were still marked as safe zones on the app.
William responded saying that the team was making certain upgrades to the app. “There is a cycle which we usually follow, which comes after six to eight weeks, depending on the number of users.”
He further added that while his team was expecting a huge download rate, they did not foresee the user base growing so much, so quickly. “We then had to enhance the infrastructure, increase resources and bandwidth, so that every user could use the application with all the available features,” he said. During these upgrades the app would stop functioning for some time.
Responding to criticism about the ‘radius alert’ feature, William added that, “if somebody is declared positive, a radius with a diameter of 10 metres (the minimum social distance is six feet) is identified. If you are sitting in your room and a neighbouring house, 20 metres away, tests positive, you will be visible in a safe zone.”
Time lags could also have been an issue according to him, as third party apps like Google Maps can take time when users cluster. “So users may expect that as soon as they click the radius alert, [they would] get it immediately. This is not technically, logically or hardware-wise possible,” he said.
THE WAY FORWARD
For all the pros and cons involved, mobile tracking applications were still deployed worldwide during this time. They have proven useful enough that, in May, European Union (EU) member states “agreed on a protocol to ensure cross-border interoperability of voluntary contact-tracing apps, so that citizens can be warned of potential infection with coronavirus when they travel in the EU”. However, for such tech-driven responses to efficiently deliver benefits, several factors will need to be accounted for.
In Pakistan’s case, user trust will have to be fostered and maintained. Users will need to be sure that their data is secure, used in a limited manner and deleted after a certain period of time. According to Dad, the “only way to be certain of this is to pressure the government into releasing detailed standard operating procedures (SOPs) regarding the app and how they intend on using it”. Dad suggested that these SOPs must talk about the length of use, disposal of data, how data will be saved and secured, and who will have access to it. “There needs to be transparency and accountability with this data,” Dad said. A way forward that she mentioned is from the technologies used in “countries like South Korea and Singapore, of which the latter has launched an open-source app that can be audited and studied every so often”.
Additionally, robust data protection laws are urgently needed, so that misuse of information can be addressed and users are protected on that front as well. Dad suggests implementing data protection laws, like the General Data Protection Regulation (GDPR) in the EU, to protect people and their data. However, this could take a while, given that the Personal Data Protection Bill 2020 is still in draft form.