Thinking of sharing your location data? Think twice

Published March 24, 2020, 12:00 AM

by manilabulletin_admin

Yesterday, this article, “Cebuano IT expert develops mobile app for COVID-19 contact tracing”, at Manila Bulletin. After skimming through it, I was immediately reminded of the New York Times article, “Twelve Million Phones, One Dataset, Zero Privacy”, where anonymized location data from mobile phone in the US did not guarantee that a single individual couldn’t be identified.

The mobile application described in the article above,, attempts to make it privacy-centric by not collecting any personal information. What it does is it generates your own unique device ID, represented as a QR code. From then on, it collects your location data and sends it to their server. If a user gets COVID-19, each location visited will be filtered to find other users in the same location at the same time and alerts them (and the Department of Health (DOH)?).

Whilst the intention is good, the privacy implication is not acceptable. First off, basing on what the NYT article above revealed,’s attempt not to collect personal information is not sufficient as [1] there is a unique device ID, which can easily be traced to an individual, and [2] given enough location data, one’s pattern can immediately identify a particular individual. Given that there is an enhanced community quarantine (ECQ) in most cities and municipalities, the location that will be logged will mostly contain the residence and perhaps locations of the market, groceries, and drugstores. If more than one member of the household installs the application, you can identify which unique device IDs belong to one particular household.

After reviewing the website, which contains third-party trackers from Google, and the privacy policy, which contains,

“We don’t share any personally identifying information publicly or with third-parties, except when required to by law.”

Note that they are collaborating with the government, i.e., Cebu, and the police, along with the DOH. I am guessing that these collaborating agencies will have access to the data, too.

“Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and practices of these sites, and cannot accept responsibility or liability for their respective privacy policies.”

And which fails to identify what these external sites are, and what is/are the purpose(s) for using these external sites.

The application highlights that it is not collecting any personal information, but the personal information can be derived from the data that is being collected.

I hope that the application was also presented to the National Privacy Commission, in addition to the Inter-Agency Task Force on Managing Emerging Infectious Disease (IATG-MEID), to ensure that data remains private regardless.

Don’t get me wrong, I fully support the Filipino IT industry in contributing to combat the COVID-19 problem. However, I am always concerned about the long term, privacy implications of software applications and online services that are being produced and released.