By Hanniah Tariq
When the two rival tech giants, Apple and Google, join forces to allow application interoperability across their very different operating systems, it must genuinely be a matter of life and death. And it is. As the battle against Covid-19 continues, detecting and isolating cases is a crucial strategy to stem the spread of the deadly virus. And governments and public health authorities are utilising mobile location tracking to varying degrees across the globe for ‘contact-tracing’ — a strategy that has been instrumental in suppressing the virus in countries such as South Korea, where tech solutions helped bring a major Covid-19 outbreak under control.
Mobile app-based contact-tracing can save considerable time in tracking down all the recent contacts of an infected person, without requiring a detailed interview process with trained staff. It can also eliminate human error, because patients may find it hard to recall every person they have been in contact with, for more than 15 minutes, within the distance of a metre.
As a result, mobile applications based on tracking geographical locations have appeared in almost every country to help track the disease. And Pakistan is no exception. The Covid-19 Gov PK application from the Ministry of IT and Telecom (MoITT) with the National Information Technology Board (NITB) was designed to “keep the citizens updated with the legitimate and latest information related to total Coronavirus cases in the country.” Launched in March, it boasts features including self-assessment, ‘radius alert’ (more on this later), pop-up notifications on personnel hygiene, awareness videos and a ChatBot. The application has been a popular download, and Raymond William, the project coordinator at NITB, observes that when it was first launched, “there were one lakh downloads in the first week.” Within 2 months of launch, there were half a million downloads. And during the peak, the number of downloads stood close to a million.
Post-pandemic, the potential for abuse of human rights and increased state surveillance, particularly in authoritarian governments, is endless. Other national Covid-tracking applications have also run into trouble.
As the pandemic’s severity continues to decline in Pakistan, it would be expected that the download ratio for the application would also reduce. However, according to William, with around 76,000 new downloads completed in the last week, “the application is still under the same consideration and still an important product for download at this time.”
It has been six months since the app was first launched and our battle against Covid-19 began. Today, as countries around the world open back up, emphasis on contact-tracing — especially mobile app-based contact-tracing — is increasing globally.
However, as with most new mass technology, the benefits come with various concerns, which include the potential for abuse of power and loss of privacy for users. With Covid-tracking apps deploying worldwide, critics say the pandemic-struck world is the perfect testing ground for tracking apps that may be used for other forms of surveillance.
While there is little denying the effectiveness of contact-tracing, human rights activists are urging people to be vigilant.
THE POTENTIAL FOR ABUSE OF POWER
In May, the Human Rights Watch (HRW) raised this concern in a Joint Civil Society Statement which specified that “the long history of emergency measures shows that when surveillance is introduced, it usually goes too far, fails to meet its objectives, and once approved, often outlasts its justification.” Accordingly, they set out that such systems of tracking individual movement must be “lawful, necessary, and proportionate”, as well as “limited in duration.”
Around the world, some applications where the potential for misuse of information is exceptional have already been flagged by MIT Technology Review’s Covid Tracing Tracker Database, including China’s Chinese Health Code System app and Qatar’s Ehteraz app.
These apps are mandatory downloads. They make no promises on limitations on data use, so the data could hypothetically be shared with law enforcement agencies or marketing firms, and there is no time limit on storage. There is also no guarantee that the data collected will be limited only to health data.
Illustrations by Samiah Bilal
It is useful to mention here that although, according to a Business Insider article, “Chinese authorities said the data collected will only be used for the coronavirus outbreak, after which it will be destroyed”, the MIT Technology Review database found differently. They state that the Chinese Health Code System “sucks up data, including citizens’ identity, location and even online payment history, so that local police can watch for those who break quarantine rules.”
With a fluid situation, no one can predict the result of such applications, but the worst-case scenario can look like an episode of the dystopian British television series Black Mirror, which looks particularly at the unanticipated consequences of new technologies. There have already been reports of people having tested negative but being assigned the wrong colour (red, yellow or green), and confined to their homes — with no transparency from the Chinese government on the reason or duration of their detainment. HRW, Amnesty International and Privacy International are all alarmed.
Post-pandemic, the potential for abuse of human rights and increased state surveillance, particularly in authoritarian governments, is endless. Other national Covid-tracking applications have also run into trouble. Iran’s original AC19 Covid app, for example, was banned by Google Play for collecting more data than its rules allowed.
AT HOME IN PAKISTAN
Much has been written about Pakistan’s history of surveillance. In 2017, Privacy International, a London-based advocacy group, claimed that surveillance in Pakistan exceeded the legal capacity. Last year, Freedom House, a Washington DC-based activist group, declared Pakistan ‘not free’ in terms of internet use for the ninth consecutive year. And so, against the current backdrop of alleged enforced disappearances and silencing of dissenting voices, activists are critical of any personal information being tracked or recorded.
Nighat Dad, the executive director at the Digital Rights Foundation (DRF), says that there is a “dire need” for us to be talking about human rights and privacy at this time. “Covid-19 is an emergency, and it is an emergency that a lot of states in the world will extend continuously to gain more control over their citizens, especially as we turn to technology at this time,” she tells Eos. Dad acknowledges that the technology is not “inherently ill-intentioned”, but cautions that such technologies can “also become a way for the government to surveil people and their activities, especially if certain people speak out against the government and its policies.”
NITB responded to privacy-related concerns with a press release categorically stating that they collect “very limited personal information” of the user. “The app does not show the exact coordinates of the infected people, instead, it shows the radius parameter that is fixed by default at 10 metres for self-declared patients and 300 metres at a quarantine location,” the press release added.
Of course, concerns of privacy in Pakistan go beyond the app. Privacy International has pointed out that the “lack of data protection laws and the absence of a privacy commission are contributing factors to Pakistan’s failure to investigate or remedy security flaws in the country’s recently launched Covid-19 tracking technology.” Without such laws, the simple act of allowing an app access to the smartphone’s photo gallery, location or contact list when downloading leaves the user no protection of their privacy in case of misuse.
The Personal Data Protection Bill 2020 is still in draft form on the MoITT website. Initially presented for consultation in July 2018, it received harsh criticism from civil rights activists due to loopholes. The new draft still needs to be approved.
William, however, assures users that “when we are conducting a project at NITB, it is our mandate to protect the data. The 2020 bill may be in draft form, but at NITB, data protection is already being implemented.”
Even so, since its launch, Pakistan’s Covid-19 app has attracted a lot of scrutiny, much of it having to do with the app being vulnerable to potential hacks, and endangering users’ personal data such as passwords.
THE CASE OF COVID-19 GOV PK
“We have studied the app, and so have some international experts,” says Dad. “The app is not particularly secure, especially when it comes to the data of patients and personal information regarding their health.
“This raises serious questions, as people are expected to be using this app and reporting symptoms through it. The government needs to build a better app to give people a secure way of gaining assistance during this pandemic,” she tells Eos.
Earlier in June, French cybersecurity analyst Elliot Alderson also took to Twitter, asserting that “nothing is ok with this app.” Based on Alderson’s assessments, an article published on TheDigitalHacker.com, an independent tech news website, also deemed the app not safe to use. The app did not encrypt the password field, the article said. In simpler words this means that “anyone using the same WiFi, or a router through which the data is transferred, can see the exact password without putting [in] much effort.”
William assures users that “when we are conducting a project at NITB, it is our mandate to protect the data. The 2020 bill may be in draft form, but at NITB, data protection is already being implemented.”
It also pointed out that the app uses Hypertext Transfer Protocol (HTTP), not Hypertext Transfer Protocol Secure (HTTPS), to manage the server. HTTPS is considered much more secure. The article recommended not using the application, “unless it is updated with the latest security measures and encrypts users’ data before sending it to the server.”
Updates have come since. “To mitigate that, we asked our partners for the webviews to be on HTTPS, which was done the very next day,” says William. He also acknowledges that there was use of hard-coding techniques, a weakness identified by Alderson. (According to BeyondTrust, a company that specialises in solutions for data breaches, hardcoded passwords are “particularly dangerous because they are easy targets” and can allow hackers and malware to hijack users’ devices). “So we identified it, we called our developers and asked them to remove the hardcode,” he tells Eos.
But many were frustrated to see that the feature simply did not work. Several irate users reported on the Google Play Store that they found the function to be “useless”. One user, who gave the app a one-star rating, summed up its startling inaccuracy, revealing that, “I am a Covid-19 positive patient since June 7, with the correct, current address written on my CNIC, but my area shows zero cases.” Users have also called attention to imprecisions with areas such as Islamabad’s I-10, that were sealed due to their high infection rates, but were still marked as safe zones on the app.
William responds saying that the team was making certain upgrades to the app. “There is a cycle which we usually follow, which comes after 6 to 8 weeks, depending on the number of users.”
He further adds that while his team was expecting a huge download rate, they did not foresee the user base growing so much, so quickly. “We then had to enhance the infrastructure, increase resources and bandwidth, so that every user could use the application with all the available features,” he tells Eos. During these upgrades the app would stop functioning for some time.
Responding to criticism about the ‘radius alert’ feature, William adds that, “if somebody is declared positive, a radius with a diameter of 10 metres (the minimum social distance is 6 feet) is identified. If you are sitting in your room and a neighbouring house, 20 metres away, tests positive, you will be visible in a safe zone.”
Time lags could also have been an issue according to him, as third party apps like Google Maps can take time when users cluster. “So users may expect that as soon as they click the radius alert, [they would] get it immediately. This is not technically, logically or hardware-wise possible,” he says.
THE WAY FORWARD
For all the pros and cons involved, mobile tracking applications were still deployed worldwide during this time. They have proven useful enough that EU Member States “agreed on a protocol to ensure cross-border interoperability of voluntary contact-tracing apps, so that citizens can be warned of potential infection with coronavirus when they travel in the EU” in May. However, for such tech-driven responses to efficiently deliver benefits, several factors will need to be accounted for.
In Pakistan’s case, user trust will have to be fostered and maintained. Users will need to be sure that their data is secure, used in a limited manner and deleted after a certain period of time. According to Dad, the “only way to be certain of this is to pressure the government into releasing detailed SOPs [Standard Operating Procedures] regarding the app and how they intend on using it.” Dad suggests that these SOPs must talk about the length of use, disposal of data, how data will be saved and secured, and who will have access to it. “There needs to be transparency and accountability with this data,” Dad says. A way forward that she mentions is from the technologies used in “countries like South Korea and Singapore, of which the latter has launched an open-source app that can be audited and studied every so often.”
With a fluid situation, no one can predict the result of such applications, but the worst-case scenario can look like an episode of the dystopian British television series Black Mirror, which looks particularly at the unanticipated consequences of new technologies.
Internally, such apps need to maintain user perceptions on usefulness. For example, one of the key benefits cited for the use of such apps is their ability to track Covid-19 positive individuals and rapidly inform users of high infection areas. The ‘radius alert’ feature thus needs to provide reliable and fast data on cases reported in areas, especially hotspots. And users need to be made aware of technical issues such as time-lags, which might be experienced. The accuracy required is also highly dependent on how frequently, and reliably, the data is updated. As put by Parvez Iftikhar, International ICT consultant and former country-head of Siemens Telecom in Pakistan, “if you don’t input the exact data regularly, then what happens? You put garbage in and you get garbage out.”
Additionally, robust data protection laws are urgently needed, so that issues of information misuse can be addressed with users protected from that angle. Dad suggests implementing data protection laws, like the General Data Protection Regulation (GDPR) in the EU, to protect people and their data. However, this could take a while, given that the Personal Data Protection Bill 2020 is still in draft form.
When speaking about contact-tracing, Dr Faisal Sultan the prime minister’s focal person on Covid-19, told publication The Diplomat that, “A key set of principles is that whatever information is used, must be minimal, is known only to those with a valid need to know to enable a public health response, that the least amount of identifiable information is utilised, and all info gathered is kept secure.”
But these assurances can only go so far. There is also no mention of a post-Covid sunset plan for data collection. Dad sums up the precarious situation stressing that, at “DRF we have consistently said that, while it is good that tech is being used to fight Covid, the Government of Pakistan needs to establish the boundaries within which such technologies will be used. Covid-tracking apps, if left unchecked, can grow into monster dystopian technologies that will be used to surveil the general public. That is a situation that we want to avoid actively.”