Across countries, contact-tracing applications have been effective in identifying Covid-19 patients and reducing Covid-19 clusters. They have enabled businesses to resume operations more quickly, thanks to real-time updates on the Covid-19 situation.
Despite their efficacy, these apps have brought about one very real concern: data privacy. For many, they seem unnecessarily intrusive, as users are required to submit a great deal of personal information, including their name, identification number, phone number and house address, and to log their whereabouts.
The paranoia about data privacy is worse for those who have watched The Social Dilemma, which aired on Netflix recently and highlighted the potential harms of social media, or those who talked to those who have watched this documentary.
“People are worried that someone can track where they are going and what they are doing,” says Sandeep Bhargava, Asia-Pacific Japan (APJ) managing director of Rackspace Technology Inc, a US-based multi-cloud technology services company.
“Some of the key concerns [about data] are how much information is shared and with whom, and how this information is used.
“In Malaysia, I do not sense any ill will in the government [with regard to the use of the data] but, as time goes by, I think it has to come out and be transparent about how this [data distribution and storage] works,” says Sandeep.
MySejahtera — the main contact tracing application in Malaysia — claims that its personal data collection is aligned with the Personal Data Protection Act 2010 (PDPA). The government assures the public that it will keep their data private on the MySejahtera website (https://mysejahtera.malaysia.gov.my/privasi_en/) except for the specific purpose of tracing those who have Covid-19 and who they may have come in contact with, says Sandeep.
While MySejahtera is owned and operated by the government of Malaysia, the National Security Council plays its role in assisting the government in ensuring the data is secure, says Sandeep. “The government has taken adequate security measures to prevent the data from being leaked.”
According to MySejahtera’s website, the check-in data is kept for 90 days and will be purged after that time. The website also says the data collected in the app will not be used for any purpose except those related to legal obligations.
In a Digital Edge Cover Story published this year (“WhatsApp debacle exposes local privacy problems”, Issue 1355, Feb 1), legal and policy experts expressed concern about personal data security in the MySejahtera app, as the federal and state governments are exempted from compliance to the PDPA.
Such an exemption may open a loophole for data abuse. For instance, the contact-tracing app in Singapore was eventually used to hunt down criminal offenders, although the government had initially promised to limit its use to contact tracing, according to Anisha Nadkarni, a tech policy research fellow at the Social and Economic Research Institute Malaysia (SERI).
“We need more clarity about where the data is stored and for how long and who has access to it. The government is bringing in data transparency incrementally, but I think [the process] is still unclear,” says Sandeep.
When borders reopen
In April 2020, Google and Apple announced a partnership to integrate the contact-tracing system directly — called the Google/Apple Exposure Notification system (GAEN) — into smartphones, as they aim to combat the coronavirus by sending notifications about possible infections.
For Sandeep, the integrated contact-tracing system run by both tech behemoths could be a solution to global contact tracing when borders reopen. “If you want to open up the world to seamless contact tracing, then Google and Apple are launching a comprehensive solution,” he says.
It has been a year since the partnership was announced and, up to May 2021, the GAEN system is operating in more than 25 countries, including the UK, the US, Russia and Canada.
According to a media statement from the system developer, the GAEN system solves the data privacy concern, as it works on decentralised architecture, where the system tracks nearby devices using Bluetooth Low Energy. In other words, no information can be overwatched by the central party unless the user consents to the data collection voluntarily.
Moreover, the Bluetooth-proximity-based identifiers change every 15 to 20 minutes to prevent malicious third parties from accessing the tracking data.
Having said that, Sandeep believes implementation across countries will never be easy, as the government needs to take a lot into consideration before execution.
According to San Francisco-based Electronic Frontier Foundation, the GAEN system is not entirely safe from cyberattack, especially for those infected with Covid-19. Hackers with malicious intent may track down where someone hangs out daily, such as their home, workplace or other places of frequent activity, by setting up a static Bluetooth beacon or luring them into downloading the malware.
“We do not have defined bodies that will regulate the data. It will be difficult for Apple and Google to get the approval from governments [to implement the technology],” he says.