Data privacy concerns over Thailand's COVID-19 contact tracing app amid new wave of cases
BANGKOK: There have been concerns over data privacy in Thailand’s COVID-19 contact tracing app, as the country battles a new wave of infections.
Despite these challenges, the authorities are trying to encourage more people to use the app, including via efforts to protect personal information.
Since mid-December, Thailand has reported more than 14,000 new cases from several clusters, following months of zero local transmissions. In total, there are now more than 23,000 confirmed cases in the country.
As the government attempts to control the pandemic, various lockdown measures have returned and proactive testing has been carried out in communities. To keep track of the spread of the virus, the government has encouraged people to use a state-run contact tracing mobile application called Mor Chana or Doctors Win in the local language.
“I’ve never downloaded this app and never will because I don’t trust it. I feel what I risk losing isn’t worth the services I’d get from having this app,” said university teacher Phanphaka Rungruang from Bangkok.
“I’m afraid of data breaches caused by malware like spyware,” she added. “I’m not so worried about my phone number or identity but rather the government’s indirect surveillance.”
Mor Chana’s effectiveness relies on the size of its active user base. Since its launch in April last year, the app has about 7 million to 8 million downloads, according to information technology director Julapong Ponngoh from the Digital Government Development Agency (DGDA).
“Frankly speaking, this is not a lot. If not enough people download this app, it won’t be of much use, really,” he said.
Mor Chana’s downloads currently make up less than 20 per cent of Thailand’s Internet users who go online with their smartphones, which is about 41 million based on a 2019 survey by the Ministry of Digital Economy and Society.
“The app is driven by the number of active users. That’s why the government has been trying to promote it so that it gets used as much as possible,” Julapong added.
READ: Bill restricting use of TraceTogether data for serious crimes passed by Singapore Parliament
HOW MOR CHANA WORKS
The app was originally developed by volunteers from various organisations who wanted to leverage smartphone technologies to assist healthcare workers in Thailand in controlling the COVID-19 pandemic.
The technology was fully transferred to the government on Jan 15 and has since been managed by the Disease Control Department of Thailand’s Public Health Ministry and DGDA.
According to Julapong, Mor Chana’s data controller is the Disease Control Department, which has the power and duties to make decisions regarding the collection, use or disclosure of users’ personal data.
His agency, on the other hand, functions as a data processor, which means it only operates the collection, use or disclosure of personal data when ordered by the Disease Control Department.
“The top priority right now is to control the pandemic. So, the main user is the Disease Control Department. We’re working to help it access information and respond promptly,” he told CNA.
Mobile phone users who install the latest version of Mor Chana will first be prompted to take a selfie and allow the app to access certain resources necessary for contact tracing such as GPS location and Bluetooth.
The app will then create a QR code for them and complete the installation. This code, according to Julapong, provides them with an anonymous identity (AID) and can only be deciphered by officials from the Disease Control Department using a special tool.
When Mor Chana is active, it records where and when each AID is located and sends the data to the central server. If there is no GPS signal, the app will search for Bluetooth signals from nearby phones and record their GPS locations instead. Users are not required to check-in at individual establishments.
Such data is analysed when COVID-19 patients are identified, along with their past travel history. Health officials can indicate individuals at risk of infection, using their GPS locations and AIDs stored in the central server. They can then proceed to alert the users of the health risk via app notifications.
“The system doesn’t list names but (only) AIDs. So, the doctors won’t know to whom these AIDs belong,” Julapong said.
“If users open the app to check the message, they’ll see a warning from the Disease Control Department that they were in close contact with a risk group at a certain place and time and that they’re at risk and should urgently contact the department.”
PRIVACY POLICY NOT CLEARLY SPELT OUT
Unlike in its earlier versions, Mor Chana no longer requires users to reveal their personal information such as names, addresses or phone numbers. This would mean that the onus is on those identified as being at risk of infection to get in touch with the authorities.
As for its request for a selfie upon installation, Julapong said the photo is only stored on the user’s phone and will be used to prove that they are the owner of the device when reporting themselves to healthcare officials in any potential disease investigation process.
However, these details are not spelt out in the app’s privacy policy, which currently states it requires the user’s phone number, age and address. Moreover, the privacy policy does not provide clear details on who can share the data, simply saying the DGDA may share it with “other relevant authorities” under legal basis in different cases.
For data law experts, failure to accurately and comprehensively declare the app’s requirements and purposes could affect the transparency of Mor Chana as well as the number of active users.
“A privacy policy is crucial to create transparency and trustworthiness for an app,” said Prapanpong Khumon from the School of Law at the University of the Thai Chamber of Commerce.
The specialist in personal data protection laws said a clear and accurate privacy policy is the responsibility of the data controller, who should declare what personal data is collected for use, why it is collected and to whom or which entities it may be disclosed.
Despite previous confirmation by the government about Mor Chana’s data privacy, Prapanpong said its current privacy policy is so broad it “opens a window of possibility” for the personal data to be shared with other parties.
“If the policy could detail clearly which groups or units can access the data, people would have more confidence and understanding in this regard,” he added.
“It’s better than just guessing if that is possible.”
READ: Behind the scenes of a COVID-19 contact tracer’s work, tough cases and how TraceTogether has helped
CONCERNS OVER PERMISSIONS GIVEN TO APP
While there were initial concerns over the permissions given to the app, recent software updates indicate an attempt to allow users to be more selective in managing these permissions.
Last year, a data privacy study carried out by the Data Protection Excellence (DPEX) Centre in Singapore revealed that Mor Chana is the most privacy-intrusive contact tracing app among those rolled by six Southeast Asian governments.
In its Privacy Sweep report, the centre reviewed six contact tracing apps developed by the governments of Indonesia, Malaysia, Philippines, Singapore, Thailand and Vietnam.
Data protection experts studied the types of permissions sought by these apps on the Android operating system and whether they exceeded what would be expected based on their functionality. They also assessed how each of the apps explained to consumers why it wanted their personal data and what it planned to do with the data.
“It appeared then that Mor Chana used the most permissions – camera, device and app history, location, microphone, photos/media/files, and phone storage – to perform its functions. We reviewed these permissions against the functions and purposes of the app,” head of the DPEX Centre and data privacy specialist Kevin Shepherdson told CNA.
“When comparing the permissions used with other Southeast Asian countries’ apps, Mor Chana did not do very well. This is because our reviewers were unable to verify why these permissions were required – they were not explained in the app’s privacy policy,” he added.
Permissions given to an app allow it to access the user’s personal data on the mobile device but if abused, they could pose potential risks for personal data privacy.
For instance, permission to access the camera enables the app to take pictures and videos on the phone but it could also allow the app to watch the user via the camera and listen to the user via the microphone. The microphone permission, on the other hand, allows the app to record audio.
However, Shepherdson noted that that have been “positive privacy developments”, based on the latest app update in the Google Play Store on Jan 18.
“The app now uses fewer permissions and they are only the permissions required for the app’s core functions to work. For example, it no longer requires permission to record audio – microphone – which would be excessive,” he said.
As daily new case counts in Thailand continue in the hundreds, health officials have advised mobile phone users to download Mor Chana to get promptly notified of potential health risks as well as to help speed up the disease investigation process and fight the pandemic.
However, there are trade-offs between health and safety, as well as personal privacy.
According to Shepherdson, a key ingredient that would help the Thai government to strike a balance between public health and data privacy is transparency in Mor Chana's privacy policy.
"It is important during a pandemic such as this because the people need to trust the government," he told CNA.
"The privacy policy is the means by which a developer shows transparency to its users and explains the specific purposes of processing personal data and how the permissions will be used."
At present, Mor Chana's privacy policy is being edited to reflect its current features and a new version is expected to be published in the future, according to Julapong. Still, some remain sceptical and prefer to keep their personal data confidential.
"I don't want to download it because I don't think it'd be so useful. I don't want to reveal my personal data either as I fear the government would misuse it," said dentist and Bangkok resident Chanya Srisa.
"I take care of myself by wearing a facial mask whenever I go out and avoiding crowded places. I mainly travel between my workplace and home these days."
BOOKMARK THIS: Our comprehensive coverage of the coronavirus outbreak and its developments
Download our app or subscribe to our Telegram channel for the latest updates on the coronavirus outbreak: https://cna.asia/telegram