EYE IN THE SKY

Smartphone-based contact-tracing apps are throwing up questions about misuse, individual privacy and surveillance.
Published September 13, 2020

Smartphone-based contact-tracing apps are proving to be extremely useful globally in the fight to bring Covid-19 under control. But they are also throwing up questions about their potential for misuse, individual privacy and government surveillance, especially in countries such as Pakistan where data protection laws and practices are weak.



When the two rival tech giants, Apple and Google, join forces to allow application interoperability across their very different operating systems, it must genuinely be a matter of life and death. And it is. As the battle against Covid-19 continues, detecting and isolating cases is a crucial strategy to stem the spread of the deadly virus. And governments and public health authorities are utilising mobile location tracking to varying degrees across the globe for ‘contact-tracing’ — a strategy that has been instrumental in suppressing the virus in countries such as South Korea, where tech solutions helped bring a major Covid-19 outbreak under control.

Mobile app-based contact-tracing can save considerable time in tracking down all the recent contacts of an infected person, without requiring a detailed interview process with trained staff. It can also eliminate human error, because patients may find it hard to recall every person they have been in contact with, for more than 15 minutes, within the distance of a metre.

As a result, mobile applications based on tracking geographical locations have appeared in almost every country to help track the disease. And Pakistan is no exception. The Covid-19 Gov PK application from the Ministry of IT and Telecom (MoITT) with the National Information Technology Board (NITB) was designed to “keep the citizens updated with the legitimate and latest information related to total Coronavirus cases in the country.” Launched in March, it boasts features including self-assessment, ‘radius alert’ (more on this later), pop-up notifications on personal hygiene, awareness videos and a ChatBot. The application has been a popular download, and Raymond William, the project coordinator at NITB, observes that when it was first launched, “there were one lakh downloads in the first week.” Within 2 months of launch, there were half a million downloads. And during the peak, the number of downloads stood close to a million.

As the pandemic’s severity continues to decline in Pakistan, it would be expected that the download ratio for the application would also reduce. However, according to William, with around 76,000 new downloads completed in the last week, “the application is still under the same consideration and still an important product for download at this time.”

It has been six months since the app was first launched and our battle against Covid-19 began. Today, as countries around the world open back up, emphasis on contact-tracing — especially mobile app-based contact-tracing — is increasing globally.

However, as with most new mass technology, the benefits come with various concerns, which include the potential for abuse of power and loss of privacy for users. With Covid-tracking apps deploying worldwide, critics say the pandemic-struck world is the perfect testing ground for tracking apps that may be used for other forms of surveillance.

While there is little denying the effectiveness of contact-tracing, human rights activists are urging people to be vigilant.


THE POTENTIAL FOR ABUSE OF POWER

In May, the Human Rights Watch (HRW) raised this concern in a Joint Civil Society Statement which specified that “the long history of emergency measures shows that when surveillance is introduced, it usually goes too far, fails to meet its objectives, and once approved, often outlasts its justification.” Accordingly, they set out that such systems of tracking individual movement must be “lawful, necessary, and proportionate”, as well as “limited in duration.”

Around the world, some applications where the potential for misuse of information is exceptional have already been flagged by MIT Technology Review’s Covid Tracing Tracker Database, including China’s Chinese Health Code System app and Qatar’s Ehteraz app.

These apps are mandatory downloads. They make no promises on limitations on data use, so the data could hypothetically be shared with law enforcement agencies or marketing firms, and there is no time limit on storage. There is also no guarantee that the data collected will be limited only to health data.

Illustrations by Samiah Bilal

It is useful to mention here that although, according to a Business Insider article, “Chinese authorities said the data collected will only be used for the coronavirus outbreak, after which it will be destroyed”, the MIT Technology Review database found differently. They state that the Chinese Health Code System “sucks up data, including citizens’ identity, location and even online payment history, so that local police can watch for those who break quarantine rules.”

With a fluid situation, no one can predict the result of such applications, but the worst-case scenario can look like an episode of the dystopian British television series Black Mirror, which looks particularly at the unanticipated consequences of new technologies. There have already been reports of people having tested negative but being assigned the wrong colour (red, yellow or green), and confined to their homes — with no transparency from the Chinese government on the reason or duration of their detainment. HRW, Amnesty International and Privacy International are all alarmed.

Post-pandemic, the potential for abuse of human rights and increased state surveillance, particularly in authoritarian governments, is endless. Other national Covid-tracking applications have also run into trouble. Iran’s original AC19 Covid app, for example, was banned by Google Play for collecting more data than its rules allowed.


AT HOME IN PAKISTAN

Much has been written about Pakistan’s history of surveillance. In 2017, Privacy International, a London-based advocacy group, claimed that surveillance in Pakistan exceeded the legal capacity. Last year, Freedom House, a Washington DC-based activist group, declared Pakistan ‘not free’ in terms of internet use for the ninth consecutive year. And so, against the current backdrop of alleged enforced disappearances and silencing of dissenting voices, activists are critical of any personal information being tracked or recorded.

Nighat Dad, the executive director at the Digital Rights Foundation (DRF), says that there is a “dire need” for us to be talking about human rights and privacy at this time. “Covid-19 is an emergency, and it is an emergency that a lot of states in the world will extend continuously to gain more control over their citizens, especially as we turn to technology at this time,” she tells Eos. Dad acknowledges that the technology is not “inherently ill-intentioned”, but cautions that such technologies can “also become a way for the government to surveil people and their activities, especially if certain people speak out against the government and its policies.”

NITB responded to privacy-related concerns with a press release categorically stating that they collect “very limited personal information” of the user. “The app does not show the exact coordinates of the infected people, instead, it shows the radius parameter that is fixed by default at 10 metres for self-declared patients and 300 metres at a quarantine location,” the press release added.

The statement further stated that, “self-declared patients have given their consent to reveal their coordinates for the safety of other citizens. Moreover, they have accepted our app privacy policy/terms and conditions.”

Of course, concerns of privacy in Pakistan go beyond the app. Privacy International has pointed out that the “lack of data protection laws and the absence of a privacy commission are contributing factors to Pakistan’s failure to investigate or remedy security flaws in the country’s recently launched Covid-19 tracking technology.” Without such laws, the simple act of allowing an app access to the smartphone’s photo gallery, location or contact list when downloading leaves the user no protection of their privacy in case of misuse.

The Personal Data Protection Bill 2020 is still in draft form on the MoITT website. Initially presented for consultation in July 2018, it received harsh criticism from civil rights activists due to loopholes. The new draft still needs to be approved.

William, however, assures users that “when we are conducting a project at NITB, it is our mandate to protect the data. The 2020 bill may be in draft form, but at NITB, data protection is already being implemented.”

Even so, since its launch, Pakistan’s Covid-19 app has attracted a lot of scrutiny, much of it having to do with the app being vulnerable to potential hacks, and endangering users’ personal data such as passwords.


THE CASE OF COVID-19 GOV PK

“We have studied the app, and so have some international experts,” says Dad. “The app is not particularly secure, especially when it comes to the data of patients and personal information regarding their health.

“This raises serious questions, as people are expected to be using this app and reporting symptoms through it. The government needs to build a better app to give people a secure way of gaining assistance during this pandemic,” she tells Eos.

Earlier in June, French cybersecurity analyst Elliot Alderson also took to Twitter, asserting that “nothing is ok with this app.” Based on Alderson’s assessments, an article published on TheDigitalHacker.com, an independent tech news website, also deemed the app not safe to use. The app did not encrypt the password field, the article said. In simpler words this means that “anyone using the same WiFi, or a router through which the data is transferred, can see the exact password without putting [in] much effort.”

The article also pointed out that the app uses Hypertext Transfer Protocol (HTTP), not Hypertext Transfer Protocol Secure (HTTPS), to communicate with the server. HTTPS encrypts the traffic between the app and the server; HTTP does not. The article recommended not using the application, “unless it is updated with the latest security measures and encrypts users’ data before sending it to the server.”

Updates have come since. “To mitigate that, we asked our partners for the webviews to be on HTTPS, which was done the very next day,” says William. He also acknowledges that the app used hard-coded credentials, a weakness identified by Alderson. (According to BeyondTrust, a company that specialises in solutions for data breaches, hardcoded passwords are “particularly dangerous because they are easy targets” and can allow hackers and malware to hijack users’ devices.) “So we identified it, we called our developers and asked them to remove the hardcode,” he tells Eos.


‘RADIUS ALERT’

Despite the questions related to security and privacy, thousands around Pakistan downloaded the app, willing to cooperate with any contact-tracing measures. One of the features that fascinated many was the ‘radius alert.’ According to the app’s privacy policy, “It operates on the basis of GPS system to provide service of ‘Radius Alert’ for confirmed cases/quarantine locations ranging from 30 to 300 metres from your current position.”

But many were frustrated to see that the feature simply did not work. Several irate users reported on the Google Play Store that they found the function to be “useless”. One user, who gave the app a one-star rating, summed up its startling inaccuracy, revealing that, “I am a Covid-19 positive patient since June 7, with the correct, current address written on my CNIC, but my area shows zero cases.” Users have also called attention to imprecisions with areas such as Islamabad’s I-10, that were sealed due to their high infection rates, but were still marked as safe zones on the app.

William responds saying that the team was making certain upgrades to the app. “There is a cycle which we usually follow, which comes after 6 to 8 weeks, depending on the number of users.”

He further adds that while his team was expecting a huge download rate, they did not foresee the user base growing so much, so quickly. “We then had to enhance the infrastructure, increase resources and bandwidth, so that every user could use the application with all the available features,” he tells Eos. During these upgrades the app would stop functioning for some time.

Responding to criticism about the ‘radius alert’ feature, William adds that, “if somebody is declared positive, a radius with a diameter of 10 metres (the minimum social distance is 6 feet) is identified. If you are sitting in your room and a neighbouring house, 20 metres away, tests positive, you will be visible in a safe zone.”

Time lags could also have been an issue according to him, as third party apps like Google Maps can take time when users cluster. “So users may expect that as soon as they click the radius alert, [they would] get it immediately. This is not technically, logically or hardware-wise possible,” he says.


THE WAY FORWARD

For all the pros and cons involved, mobile tracking applications were still deployed worldwide during this time. They have proven useful enough that EU Member States “agreed on a protocol to ensure cross-border interoperability of voluntary contact-tracing apps, so that citizens can be warned of potential infection with coronavirus when they travel in the EU” in May. However, for such tech-driven responses to efficiently deliver benefits, several factors will need to be accounted for.

In Pakistan’s case, user trust will have to be fostered and maintained. Users will need to be sure that their data is secure, used in a limited manner and deleted after a certain period of time. According to Dad, the “only way to be certain of this is to pressure the government into releasing detailed SOPs [Standard Operating Procedures] regarding the app and how they intend on using it.” Dad suggests that these SOPs must talk about the length of use, disposal of data, how data will be saved and secured, and who will have access to it. “There needs to be transparency and accountability with this data,” Dad says. A way forward that she mentions is from the technologies used in “countries like South Korea and Singapore, of which the latter has launched an open-source app that can be audited and studied every so often.”

Internally, such apps need to maintain user perceptions on usefulness. For example, one of the key benefits cited for the use of such apps is their ability to track Covid-19 positive individuals and rapidly inform users of high infection areas. The ‘radius alert’ feature thus needs to provide reliable and fast data on cases reported in areas, especially hotspots. And users need to be made aware of technical issues such as time-lags, which might be experienced. The accuracy required is also highly dependent on how frequently, and reliably, the data is updated. As put by Parvez Iftikhar, International ICT consultant and former country-head of Siemens Telecom in Pakistan, “if you don’t input the exact data regularly, then what happens? You put garbage in and you get garbage out.”

Additionally, robust data protection laws are urgently needed, so that issues of information misuse can be addressed with users protected from that angle. Dad suggests implementing data protection laws, like the General Data Protection Regulation (GDPR) in the EU, to protect people and their data. However, this could take a while, given that the Personal Data Protection Bill 2020 is still in draft form.

When speaking about contact-tracing, Dr Faisal Sultan, the prime minister’s focal person on Covid-19, told the publication The Diplomat that, “A key set of principles is that whatever information is used, must be minimal, is known only to those with a valid need to know to enable a public health response, that the least amount of identifiable information is utilised, and all info gathered is kept secure.”

But these assurances can only go so far. There is also no mention of a post-Covid sunset plan for data collection. Dad sums up the precarious situation stressing that, at “DRF we have consistently said that, while it is good that tech is being used to fight Covid, the Government of Pakistan needs to establish the boundaries within which such technologies will be used. Covid-tracking apps, if left unchecked, can grow into monster dystopian technologies that will be used to surveil the general public. That is a situation that we want to avoid actively.”


The writer is a research and data analysis professional with over 13 years of experience in the development sector

GPS — A JOURNEY FROM WAR TO PEACE

Initially intended for military use during the Cold War, the Global Positioning System (GPS) has since evolved into something much more, with many practical civilian applications. By assisting with navigation of everything from cars to airplanes and ships, GPS technology has brought us a long way from piloting using the stars. Satellite-based positioning systems have been instrumental in mapping and surveying for prospective roads, bridges and human habitat developments. GPS has allowed us to develop rapid response systems for many everyday emergencies such as accurate emergency roadside support and prevention of car theft. Personal GPS trackers are often the most beloved companion to most trekkers and climbers in avalanche risk areas. This technology can even help distraught owners find everything from lost phones to pets.

The use of GPS and sensor technology is also emerging as a critical player in environmental stewardship. Speaking of its benefits, Dr Shahid Amjad, department head for environment and energy management at the Institute of Business Management (IoBM) Karachi, says, “Google cars are mapping air pollution, wearable bracelets that track daily chemical exposure can be purchased, and smart boats can help fishermen manage their catch effectively, increasing profits and fish in the sea.” Similarly, its applications in agriculture are practically endless, ranging from soil sampling and accurate planting to the determination of planting ratios, farm planning, and field mapping — to name a few. Sensors can even help farmers reduce the number of chemicals in their fields.

Within the healthcare system, GPS technology has enabled faster response times for ambulances and helicopters. Telemedicine can connect healthcare experts to patients in remote locations. GPS has been used to track patients in recovery from surgery and for patients with Alzheimer’s, for example. However, as of 2020, epidemiological surveillance of disease outbreak is perhaps one of the most talked-about applications of GPS technology.

WHO BENEFITS FROM CONTACT TRACING APPS?

Pakistan is not a country where contact-tracing can be done through smartphones alone. Indeed, many of the most vulnerable groups in the country do not have access to smartphones. In their May statement, HRW called attention to “the disproportionate impact on specific populations or marginalised groups.” Pakistan may have a high mobile penetration rate, but smartphone penetration, as a share of connections in Pakistan, is low — reported at only 22 percent of the population. It is also worth noting that around 4.3 percent of Pakistan’s population aged 65 and above, who are at a higher risk from the virus, do not typically use or benefit from mobile phone applications.

MIT Technology Review also found that “many people (including very young users, older users and those with older model phones) may be unwilling or unable to download and use the software required.” Another marginalised group, women, also have unequal access to mobile technology. LIRNEasia, a Colombo-based think-tank, reported in 2018 that a “gender gap between the mobile users (in Pakistan) persists at 37 percent, while rural women have the lowest level of mobile ownership in the country.” As women in the country shoulder most of the responsibility for unpaid domestic and care work, this group should have a high priority in benefiting from any pertinent location data.

Additionally, as put by HRW, “some communities, such as migrant workers, refugees, and homeless people, live in cramped conditions that would undermine the accuracy of contact-tracing apps.” The World Bank’s World Development Indicators (WDI) for Pakistan reveal the latent complications for accurate data collection in our context. Pakistan’s population density is 287 people per square kilometre, with more than 20 percent of the population living in urban agglomerations of more than 1 million. Additionally, 45.5 percent of the population was living in slums in 2014 (the latest figure available). By 2016, Orangi Town Karachi alone, dubbed as Asia’s largest slum, housed around 2.4 million people, according to the United Nations. Furthermore, approximately 106,000 people are internally displaced as a result of conflict or violence, and some 100,000 due to disasters.

With a large proportion of the population not downloading or being able to use the application, the results cannot be accurate. A fascinating debate on what rate of adoption (at least 60 percent or not) is needed for contact-tracing to work correctly is currently evolving globally. This can also be a problem associated with voluntary applications. As put by Zak Doffman, the cybersecurity contributor for Forbes magazine, “the main issue with these contact-tracing apps isn’t technical, it’s behavioural. Not enough of us will install the apps, and even if we do, we will not comply with instructions to get tested or self-isolate unless mandated to do so. An opt-in, anonymised platform cannot enforce or even reliably measure.”

Published in Dawn, EOS, September 13th, 2020