Privacy-invasive apps

The analysis documents COVID-19 apps that violate privacy by collecting superfluous amounts of data

With COVID-19 wreaking havoc worldwide, the last thing people think about is their digital privacy. Unfortunately, in some countries, measures taken to flatten the curve infringe on people’s digital privacy more than necessary. This analysis covers 12 apps used to monitor the situation, which collect redundant types of data that can be used for questionable purposes.

MAIN FINDINGS:

  • At least 7 out of 10 apps* track GPS location
  • At least 6 out of 10 apps are unclear about what they track, don’t provide Terms and Conditions upfront, or use intrusive methods such as surveillance camera footage to track their users
  • At least 2 out of 10 apps clearly state that they share this information with third parties
  • At least 4 out of 10 apps were developed by or with the help of non-government bodies, such as private companies

*10 apps that are already released, as the UK and Belgium ones are not yet available

Due to the COVID-19 outbreak, pervasive digital surveillance of citizens has been deployed worldwide. Although some of it may be enforced as a response to the current extreme situation, the vast majority of government-funded applications don’t have the necessary legal or technological checks to ensure their users’ privacy.

For instance, some apps track people’s political views or sexuality – both of which can mean very serious, if not lethal, repercussions in some cultures. In most cases, there is no way to know where the data collected by these apps will end up after the outbreak stops.

A recent report found that new digital tracking measures were already introduced in no fewer than 19 countries. The report analyzes the massive surveillance on the big-picture level with country-wide programs.

Zooming in, however, a good number of COVID-19-related applications cross the line when it comes to respecting users’ privacy. Surfshark’s research covers 12 applications in 12 different countries across the globe and aims to report what these apps are doing, what information they collect, and what consequences they could bring.

Colombia

CoronApp-Colombia

Colombia’s National Health Institute developed this Android-only app, which is meant to help identify and get rid of the COVID-19 virus. It is also supposed to provide centralized information and transparency.

While that all sounds very good, the users do have to provide basic information about themselves. One example is whether they have participated in any mass events in the previous eight days, which sounds like an innocent enough question. However, due to the recent protests all over the country, it is controversial. 

The key concern about this app is the fact that while people have to provide information like their name, sex, date of birth, ethnicity, and email, one cannot know how that information will be used or protected. The Terms and Conditions remain unclear – and Colombians cannot use the app at all before providing this information.

Spain

CoronaMadrid in Madrid, Spain

This app is meant to help people self-diagnose the COVID-19 virus. It has been developed by the Community of Madrid with the help of private companies: Google, Telefónica, Goggo Network, Ferrovial, Carto, Forcemanager, and Mendesaltren.

In its privacy policy, this app states that the aforementioned companies, along with the state security forces or judicial bodies (national and international), have access to the data that users provide to the application. That data includes name and surname, mobile phone number, ID, date of birth, email address, physical address, gender, and the phone’s GPS location.

It’s particularly concerning that they allow this data (although they claim it will be anonymized at least to some extent) to be accessed by such a wide variety of third parties.

Iran

AC19 in Iran (already deleted from the Google Play Store)

AC19 – which has already been removed from the Google Play Store, but is still available via the web – claims to detect if people have been infected by the COVID-19 virus. It has been pulled from Google’s official store, apparently because Google doesn’t allow apps by Iranian developers.

When people download this app, they have to provide their name, address, date of birth, and confirm their phone number. Another critical detail is that they have to agree that this app will track their location in real-time – but this Android-native message is often displayed in English, and it’s uncommon for people in Iran to speak it. For the other 40% of users, who have the older Android version, there will be no prompt to accept.

This real-time location tracking is incredibly intrusive, and the app’s users are extremely likely to be unaware of what they agreed to. The app was developed by the Smart Land Strategy group, which reportedly created apps containing spyware for the Iranian government in the past. While AC19 has been tested by ZDNet and found to contain no spyware, it doesn’t need any, given how intrusive it is.

Poland

Home Quarantine in Poland

This app, developed by the Polish Government, is meant to ensure that people who are COVID-19 patients or are potential patients stick to the mandatory quarantine measures. It does so by requesting that they take geo-located selfies.

Accounts are created automatically for the people who, for example, have returned from abroad. Once the app asks for a selfie, the person in question has a 20-minute window to take one. Failing to do so will result in a visit from the police, and potentially, even a fine.

While it is understandable that the government wants to prevent the rapid spread of COVID-19 and hopes to do so by ensuring that people take quarantine seriously, what this app does is rather dystopian. Considering that GPS location can also be spoofed, it may also not be as effective as they hope, while still being worryingly intrusive.

China

Hangzhou Health Code in China

This app is meant to determine whether a person can freely go about their business or if they must stay in quarantine. It was developed by the General Office of the State Council, the National Health Commission, and Alibaba Group Holding Ltd and Tencent Holdings Ltd.

It’s no surprise that the country identified as the “world’s worst abuser of internet freedom for the fourth consecutive year” by Freedom House released an intrusive COVID-19 app. Hangzhou Health Code gives people a color code (green, yellow, or red) based on information like their location and travel history. Only people with green codes can move around freely, and it’s not completely clear how these colors get assigned.

What’s worrying about this is that the app shares this information with the police. That indicates that it could become a national staple even after the pandemic passes. Plus, it deepens the all-consuming digital web that Alibaba technology has melded into Chinese society.

South Korea

Corona 100m in South Korea

Corona 100m is a tracking app that informs people about known COVID-19 cases within 100 meters of their location. It uses data from surveillance camera footage and credit card transactions to map the movements of known patients.

This app is said not to indicate who precisely the infected people are, but it does seem to state their approximate age and gender. It reveals things like the restaurants these people ate at and the places they visited.

Since its release, people have already reported that, because of this information, they have been subject to ridicule and rumors. Some restaurant owners even indicated that this could be damaging to their business.

Israel

Track Virus in Israel

In Israel, there’s a new app called Track Virus. It works by cross-checking how its users move, and if somebody is confirmed to be a COVID-19 patient, the Health Ministry then notifies the app, and people can see if they crossed paths with this person.

Apparently, people have been forced to quarantine by mistake due to the location errors made by this app. Of course, one could argue that if this app helps achieve the primary goal of slowing down the infection, such mistakes are worth it.

However, the critical issue here, as with similar tracking apps, is the potential misuse of such information, along with the precedent it sets for reusing this system for a goal that’s much less humanitarian.

Hong Kong

Electronic wristbands in Hong Kong

In Hong Kong, people are receiving government-issued electronic wristbands. These connect to a smartphone application and are meant to ensure that all the people who must be quarantined stick to staying at home.

One person who has received this wristband told CNBC that he had “to walk around the corners of his house, upon arriving home, so the technology could precisely track the coordinates of his living space in which he would remain under quarantine.”

Although this is a rather intrusive method, unfortunately, it feels relatively mild compared to some of the harsher measures other countries chose to employ.

Thailand

AoT app with SIM cards in Thailand

In Thailand, everyone who arrives from countries categorized as high-risk (for example, China or Italy) receives a SIM card and has to download AoT Airport’s new app that helps track their movements. That is meant to help make sure that these people remain in quarantine.

This application will be tracking people for the required 14 days of quarantine and will alert the authorities if the person leaves their quarantine area. Afterward, it is said to stop tracking and delete the data immediately.

Although we have seen many more intrusive apps on this list, there is still little information as to who developed it and what ulterior motives they may have had, as well as how its users can trust the application to delete the data after 14 days.

Singapore

TraceTogether in Singapore

TraceTogether, developed by the Singaporean government, is meant to help locate people who may have been exposed to the virus. It works by using Bluetooth to detect nearby phones. Later, if a person who uses the app has been diagnosed with COVID-19, the authorities may examine this data to find out who this infected individual has crossed paths with. 

According to the app’s privacy statement, each user is assigned an ID, and if somebody else has the same app on their phone, the apps will exchange encrypted information to mark that these people may have been in close physical proximity. They also claim it is purely meant to trace people who may be infected with COVID-19.

However, it is worth noting that the Singapore government is offering to share the app’s technology with other countries. Even if the citizens of Singapore trust that their information is processed as stated, sharing such technology can help quickly spread a new culture of surveillance.

UK

An app being developed in the UK

The UK government, with the help of researchers from Oxford University, is working on a surveillance-like app, similar to what China has. It is planned, however, that it would not be mandatory, and the people would share the information voluntarily.

This app will track people’s movement in real-time and alert people if they have come in contact with someone infected with the COVID-19 virus. Unlike in South Korea, no information about these people would be shared.

In a country that has, approximately, 4 to 5.9 million CCTV cameras and is introducing real-time facial recognition technology, this move does sound a bit Orwellian. It would be very doable to cross-reference the data that the app collects with the amount of footage the government and the police are privy to.

Belgium

An app being developed in Belgium

Belgium has some strict privacy laws, and yet, they are entertaining the possibility of introducing an app that is by far the most similar to HealthCode in China. This app would also control how freely people can move based on their health status.

The very fact that this is an application so similar to the one we see in a country notorious for mass-surveillance and lack of respect for privacy should be a clear indication that the idea might need to be reconsidered, to say the least.

CONCLUSIONS

Mass surveillance is quickly spreading along with the advancing technology – and this pandemic crisis is both setting a precedent for it and normalizing it. However, not everyone is aware of the potential consequences of sharing their data.

Collecting an incredible amount of user data is increasingly recognized as a bad thing. It can fuel discrimination, especially since innocent-looking data may reveal sensitive information. Political views or sexuality may be things that have life-threatening consequences for people in some countries.

On top of that, some app developers may have other interests – especially in cases such as Alibaba group helping develop the Chinese app, or Google being involved in the development of the CoronaMadrid app. Ultimately, software owners have to ensure that the mobile app development company they are associated with has a good reputation and the skills to deliver a secure app.

There is no argument against the fact that the COVID-19 pandemic is threatening to change people’s lives permanently. However, it remains unclear what ulterior motives may lie behind these invasive applications, and whether they will do more harm than good in the long run. If the data collected remains in the app creator’s archives, that may be the dawn of true surveillance culture.

SUPPORTING DOCUMENTS

For more information about the apps included in this report, access Google Sheets.