Convergencia Research, Consultoría especializada en Latinoamérica y Caribe
Monday, May 11, 2020

Covid-19 monitoring apps add criticism and Bluetooth is emerging as key to quarantine disarticulation

One of the first reactions of States to the pandemic was to create monitoring apps, with unclear purposes and questionable effectiveness. The melting pot of platforms of all kinds and colors reopened the debate on privacy and personal data in the hands of States, private companies and OTTs.

The CuidAR app of the Argentine Ministry of Health was updated last April 30, to correct errors of the original version, and incorporates functions, such as the circulation permit. As of May 7, 1.5 million downloads have been registered in the platform "intended for the prevention and care of citizens against the pandemic", according to its express purpose.

Like other platforms, CuidAR provoked criticism for five dubious variables around privacy violation: consent, control, storage, access and effectiveness. Juan Pablo Altmark, president of the APLA (Latin American Privacy Association), considered that the purpose of the data collection is not clear, nor are the terms in which they will be used. Although it does not violate Law 25,326 on the Protection of Personal Data and Habeas Data in force in Argentina - because there is a user's consent - certain aspects cast doubt on its effectiveness, and this detracts from the delivery of information, as indicated by Altmark. “The app requires the user to be responsible and supportive, and to allow continuous tracking. If it is less effective, the impact on privacy is greater. Neither do we know who tested this application, whether there is a process of anonymization of the data or professionals capable of doing it, or subsequent audits, "said the officials in dialogue with Convergencialatina.

Pablo Fiuza, CEO of Qservices, one of the companies that collaborated in developing CuidAR, clarified that the central function of the platform is self-diagnosis, but it is prepared to add new functionalities, and “it will surely advance as needed by the easing of quarantine, ”he anticipated. In relation to the controversial ability to geolocate, he clarified that the app locates the user only twice: at the time of download -the data about the city in which he lives is stored-, and in case the person confirms that  he  is a positive case for coronavirus - with a certain frequency of time the Government obtains location information.

Monitoring apps were implemented in the context of the health emergency after two other instances of data collection: the geolocation information provided by mobile operators and the mobility data from Google and Facebook. Maryleana Méndez, Asiet's General Secretary, indicated that in Latin America, each country made its effort, but there will be a lot of fabric to cut in terms of privacy because the user must have absolute clarity about the data they provide. He recalled that at the top layer of the network, the operator has no control, and the app must obtain the informed consent of the user: however, this does not exempt the owner of the platform from following local data protection regulations, even more so when users have been "flexible" in giving these consents in the pre-pandemic era.

Costa Rica stood out among the developments in Latin America because it took advantage of an existing app, EDUS, in which the Costa Rican Social Security Fund has electronic files on its policyholders. Originally it was used to schedule medical appointments in any health facility in the country. In March, a module was added to identify confirmed coronavirus patients, suspects and contacts of the latter, as well as the risk factors of each person. In case of reporting a high risk, an alarm is triggered in a nearby health center, which communicates with the patient by phone and determines whether a test should be carried out. Costa Rican development, as Méndez pointed out, has trust among users for its prior use for the digital clinical record, and has a maximum level of protection of personal data.

As a counterpart, Peru in your hands (Perú en tus manos, in Spanish) is the most controversial regional app, with one million downloads in its first week in iOS and Android stores, at the end of April. It shows a national map with heat zones that reflects the concentration of suspected cases. 95% of those who downloaded the app agreed to share their location through the GPS of their mobile, and about 200,000 did the digital triage. This platform is part of an aggressive policy of the Martín Vizcarra government: it ordered operators to report the location of their clients to call emergency services, in addition to the responses to the "Peru in your hands" triage test. This information can only be used for pandemic mitigation actions and will be treated anonymously, and will be available to the Presidency of the Council of Ministers, the Ministry of Health, the telecommunications regulator Osiptel, the Social Health Insurance, the National Protection of Personal Data Authority, the National Registry of Identification and Civil Status, the Regional Directorates of Health, the National Police and the Joint Command of the Armed Forces. Along with this broad spectrum of organizations with access to data, the use of identifiers to determine the real identity of the tracked contacts raises suspicions; and the usefulness of heat maps, with “yellow” areas that can come from false positives, starting from mixed up systems reported by the user.

The European rod. The first formal reactions to the range of monitoring apps arose from the EC (European Commission), something expected if we consider that the current regulatory framework - the RGPD (General Data Protection Regulation) - is the most stringent worldwide. The EC issued a recommendation in early April, so that member countries began implementing it in the middle of the month: it especially contemplates privacy protection, with prerogatives to "model and predict the evolution of the virus using anonymized and aggregated data from mobile location." The agency requested the actions report before May 31, and there will be a review in June. Special attention will be paid to the deactivation of these measures once the pandemic is over: any information that can identify users must be eliminated 90 days after the crisis is under control.

The head of the Independent Surveillance of the European Data Protection Supervisor, Wojciech Wiewiorowski, even asked the EU governments to centralize their efforts to monitor Covid-19 with the use of a single app, an idea that could materialize with the help of technology under development by Apple and Google. Meanwhile, the States were called to grant the management of apps to national health authorities; to store data on devices whenever possible; and to minimize data analysis, external storage, and the role of private organizations. Regarding the user's informed consent, it should be applied to each element of the application, and not only as a general option when activating it.

Bluetooth and effectiveness. Among the EC's observations, Wiewiorowski himself highlighted Bluetooth as "a useful way to achieve privacy and personal data protection effectively." Indeed, and as Singapore pioneered, with the Bluetooth function of the Smartphone an app is able to record the memory of all other users of the application with whom a certain user has approached. When a user becomes infected, a message is sent to everyone else who has been in close contact with that person. The location of the phones is not part of this equation, since only devices that have been very close are considered.

Tracking infections via Bluetooth would be effective only if the app were downloaded by 60% of the population, a study by the University of Oxford showed. This is one of the few investigations that really measured the effectiveness of apps so far, one of the key points to determine the impact on privacy. For this effort, coronaviruses were simulated in a model city of 1 million inhabitants with a wide range of epidemiological configurations to explore transmission control options: even with a percentage lower than 60%, a reduction in the number of cases and Covid-19 deaths was observed.

Veridiana Alimonti, Senior Analyst of Policies for Latin America of the Electronic Frontier Foundation, explained to Convergencialatina that within a distance considered risky between people today, the app associated with Bluetooth exchanges device identifiers. The information about the users who were in contact is anonymized and can go to a central server or be kept on the device. In the implementation of Singapore - which achieved an adoption of 20% of the population - the first case occurred, so the Government has a database that maps the identifiers with user data. "This is too much. In proximity apps, there is no need to collect and store real contact data of the people that the user comes across with," she considered.

This differentiation marked by Alimonti today divides European States between those who support the centralized or decentralized model of proximity apps of Covid-19. Under the centralized scheme - supported by France and the United Kingdom - authorities can trace identities and notify contacts of a possible positive case. In the decentralized one –supported by Germany, Estonia, Switzerland and Austria-, the user notifies in the app that they have been infected and their recent contacts find out through a signal received on their cell phones. These in turn are periodically connected to a server where the codes of those who tested positive are registered.

In the debate between models, there was even a “side change” by Germany. The country had initially given its support to the Pepp-PT (Pan-European Proximity Tracking to Preserve Privacy) initiative of some 130 organizations in the region, and which would follow the advice of a single app for the EU, with data stored in a central server. In the face of criticism of this project, Germany favored "a decentralized software architecture that uses programming interfaces of the main providers of mobile operating systems that will be available shortly," according to the words of Health Minister Jens Spahn. With this, Germany implicitly turned to the combined plans of Apple and Google to create contact tracking technology.

Signs of Apple and Google. On April 10, it was announced that Apple and Google would begin implementing parts of the iPhone and Android infrastructure that developers need to create Bluetooth-based proximity tracking apps. From what is known so far, the program will be implemented in two phases. In the first, both companies had built a new API on their respective platforms, with the basic functionality necessary for their proximity tracking scheme to work on both iPhone and Android. Other developers - the States, for example - will have to create applications to run on the new API. Draft specifications for the API are expected to be available in May. For the second phase, Apple and Google indicated that proximity tracking "will be introduced at the operating system level to help ensure wide adoption," and not much more is known about it.

Although initially the news of the landing of Google and Apple in the field of Covid-19 apps raised the alarm about such a magnitude of personal data in the hands of these giants, from the EFF officials clarified that it is a decentralized model, so only the identifiers of infected and not those of their contacts will be reported. “It is true that there is concern about the power they already have: it will be important to verify how they will deal with that data. They should not store them or link them with other data that they can obtain from the cell phone. A very robust protection, with full transparency, open source and the possibility of auditing and publishing results will be needed,” warned Alimonti.

Last news and analysis

Estados Unidos · Software and Applications

27/03/2024

25% of advertisers' budget invested in social networks and the Internet

Uruguay · Pay TV · Internet & OTT · Operators

27/03/2024

Through agreements with Claro and Movistar, cable operators expand their Internet offer

These are agreements of different types, which include leaving the last mile for the cable operator or contracts for available bandwidth. Antel could join with infrastructure leasing. Some cable operators are already building their own networks.

Uruguay · Pay TV · Internet & OTT · Operators

27/03/2024

Through agreements with Claro and Movistar, cable operators expand their Internet offer

These are agreements of different types, which include leaving the last mile for the cable operator or contracts for available bandwidth. Antel could join with infrastructure leasing. Some cable operators are already building their own networks.

Paraguay · Operators

26/03/2024

Government analyzes partial privatization of Copaco

The state operator is going through a delicate moment. Its income does not cover operating expenses and it must fulfil a debt obligation of US$110 million. Furthermore, the lack of investments led to the obsolescence of its infrastructure. Oscar Stark, president of the firm, states that alternatives are being evaluated to obtain the necessary funds, including the possibility of adding private partners. And he believes that in 18 months "the situation will be resolved."

América Latina · Equipment Providers and Network Solutions

25/03/2024

Andina Link 2024: Padtec targets small and medium-sized ISPs in Colombia

The Brazilian supplier Padtec participated in Andina Link 2024. From the fair, Hernán Yepes, CALA Norte Regional Manager, told Convergencialatina about the plans with the Colombian market, shaken by 5G deployment.

Search news