The most privacy-invasive COVID-19 apps
Due to the COVID-19 outbreak, pervasive digital surveillance of citizens has been deployed worldwide. Albeit some of it may be enforced as a response to the current extreme situation, the vast majority of government-funded applications don’t have the necessary legal or technological checks to ensure their user privacy.
For instance, some apps track people’s political views or sexuality — both of which can mean very serious, if not lethal, repercussions in some cultures. In most cases, there is no way to know where the data collected by these apps will end up after the outbreak stops.
However, if zoomed in, there is a good number of COVID-19-related applications that cross the line when it comes to respecting users’ privacy. Surfshark’s research covers 12 applications in 12 different countries across the globe and aims to report what these apps are doing, what information they collect, and what consequences they could bring.
CoronApp-Colombia
Colombia’s National Health Institute developed this Android-only app that is meant to help identify and help get rid of the COVID-19 virus. It is also supposed to provide centralized information and transparency.
The key concern about this app is the fact that while people have to provide information like their name, sex, date of birth, ethnicity, and email, one cannot know how that information will be used or protected. The Terms and Conditions remain unclear — and Colombians cannot use the app at all before providing this information.
CoronaMadrid in Spain, Madrid
This app is meant to help people self-diagnose the COVID-19 virus. It has been developed by the Community of Madrid with the help of private companies: Google, Telefónica, Goggo Network, Ferrovial, Carto, Forcemanager, and Mendesaltren.
In its privacy policy, this app states that the aforementioned companies, along with the state security forces or judicial bodies (national and international), have access to the data that users provide to the application. That data includes name and surname, mobile phone number, ID, date of birth, email address, physical address, gender, and the phone’s GPS location.
It’s particularly concerning that they allow this data (albeit they claim it will be anonymized at least to some extent) to be accessed by such a wide variety of third parties.
AC19 in Iran (already deleted from the Google Play Store)
When people download this app, they have to provide their name, address, date of birth, and confirm their phone number. Another critical detail is that they have to agree that this app will track their location in real-time — but this Android-native message is often displayed in English, and it’s uncommon that people in Iran speak it. For the other 40% users, who have the older Android version, there will be no prompt to accept.
This real-time location tracking is incredibly intrusive, and the app’s users are extremely likely to be unaware of what they agreed to. It’s developed by the Smart Land Strategy group who reportedly created apps containing spyware for the Iranian government in the past. While AC19 has been tested by ZDNet and found to contain no spyware , it doesn’t need it with how intrusive it is.
Home Quarantine in Poland
Accounts are created automatically for the people who, for example, have returned from abroad. Once the app asks for a selfie, the person in question has a 20-minute window to take a selfie. Failing to do so will result in a visit from the police, and potentially, even a fine.
While it is understandable that the government wants to prevent the rapid spread of COVID-19 and hopes to do so by ensuring that people take quarantine seriously, what this app does is rather dystopian. Considering that GPS location can also be spoofed, it may also not be as effective as they hope, while still worryingly intrusive.
Hangzhou Health Code in China
This app is meant to determine whether a person can freely go about their business or if they must stay in quarantine. It was developed by the General Office of the State Council, the National Health Commission, and Alibaba Group Holding Ltd and Tencent Holdings Ltd.
Corona 100m in South Korea
Corona 100m is a tracking app that informs people about known COVID-19 cases within 100 meters of their location. It uses data from surveillance camera footage and credit card transactions to map the movements of known patients.
Track Virus in Israel
In Israel, there’s a new app called Track Virus. It works by cross-checking how their users move, and if somebody is confirmed to be a COVID-19 patient, the Health Ministry then notifies the app, and people can see if they crossed paths with this person.
However, the critical issue with this, as it is with similar tracking apps, is the potential misuse of such information. Plus, the precedent to reuse this system for a goal that’s much less humanitarian.
Electronic wristbands in Hong Kong
In Hong Kong, people are receiving government-issued electronic wristbands. These connect to a smartphone application and are meant to ensure that all the people who must be quarantined stick to staying at home.
Although this is a rather intrusive method, unfortunately, it feels relatively mild compared to some of the harsher measures other countries chose to employ.
AoT app with sim cards in Thailand
In Thailand, everyone who arrives from countries categorized as high-risk (for example, China or Italy) receives a sim card and has to download AoT Airport’s new app that helps track their movements. That is meant to help make sure that these people remain in quarantine.
Although we have seen many more intrusive apps on this list, there is still little information as to who developed it and what ulterior motives they may have had, as well as how its users can trust the application to delete the data after 14 days.
TraceTogether in Singapore
TraceTogether, developed by the Singaporean government, is meant to help locate people who may have been exposed to the virus. It works by using Bluetooth to detect nearby phones. Later, if a person who uses the app has been diagnosed with COVID-19, the authorities may examine this data to find out who this infected individual has crossed paths with.
An app being developed in the UK
This app will track people’s movement in real-time and alert people if they have come in contact with someone infected with the COVID-19 virus. Unlike in South Korea, no information about these people would be shared.
An app being developed in Belgium
The very fact that this is an application so similar to the one we see in a country notorious for mass-surveillance and lack of respect for privacy should be a clear indication that the idea might need to be reconsidered, to say the least.
CONCLUSIONS
Mass surveillance is quickly spreading along with the advancing technology — and this pandemic crisis is allowing them to both set a precedent and normalize it. However, not everyone is aware of the potential consequences of sharing their data.
Collecting an incredible amount of user data is increasingly recognized as a bad thing. It can fuel discrimination, especially since innocent-looking data may reveal sensitive information. Political views or sexuality may be things that have life-threatening consequences for people in some countries.
On top of that, some app developers may have other interests — especially in cases such as Alibaba group helping develop the Chinese app, or Google being involved in the development of the CoronaMadrid app. Ultimately, users would have to trust every company involved not to exploit the crisis.
There is no argument against the fact that the COVID-19 pandemic is threatening to change people’s lives permanently. However, it remains unclear the ulterior motives these invasive applications may have behind, and whether they will do more harm than good in the long run. If the data collected remains in the app creator’s archives, that may be the dawn of true surveillance culture.
SUPPORTING DOCUMENTS
For more information about the apps included in this report, access Google Sheets.
Originally published at https://surfshark.com on April 1, 2020.
