Davao City netizens alarmed over DQR privacy issues


The Safe Davao QR or DQR is a system that the Davao City government would implement starting November 7. It is a QR code project of the city government that residents and visitors would be required to use in order to "control the further spread of the COVID-19 in the city due to the full occupancy of beds at the Southern Philippines Medical Center (SPMC), and temporary treatment and monitoring facilities."

Davao City Mayor Sara Duterte said in a radio interview, “With the QR, we can easily trace those people in contact with a positive person in a certain area. Also, the paper and pen contact tracing form, it has compromised the privacy of data and is a potential source of transmission of the virus.” She also said that the DQR could be used as a pass to enter and travel inside Davao City. “If they are from other provinces and work here in the city, they need to secure their DQR. If they only visit the city, they still have to get the DQR,” she added.

If you are a resident of Davao City or planning to go there, you need to register at https://safedavaoqr.davaoct.com to get your personal QR code. A QR code would be generated with all your details, and you need to bring it whenever you leave or just step out of your residence, or go beyond three meters from your house for structures without gates. For airplane travelers, the mayor said passengers should register for two codes: their QR code for exit from the Davao International Airport, and their DQR. People caught without their personal Safe Davao QR code, including non-residents of the city, would be apprehended.

A Facebook post by a web developer based in Davao City that raised some concerns has gone viral. Marvin Quinsaat, who calls himself a stay-at-home dad, noticed that the site that collects sensitive personal information was just using a free SSL certificate that could expire in three months. This is a concern as hackers and other malicious actors could intercept the data being exchanged from the user to the server and vice versa. After Mr. Quinsaat called their attention, the website upgraded the SSL certificate yesterday, November 4, four days after it went public.

Davao City Facebook users like Mr. Quinsaat have raised concerns about the privacy and security issues involving the use of the DQR.

Here's my conversation with Marvin Quinsaat on Facebook Messenger:

Art Samaniego: What do you think about this solution that the Davao City government is implementing?

Marvin Quinsaat: Honestly, I don't see a reason for implementing a fragmented version per LGU. After all, don't we already have a national solution via the staysafe.ph app? I think it creates unnecessary confusion, especially for non-techy citizens.

AS: Do you think the one-week lead time to implement this program is enough?

MQ: No, seven days from the launch to having people held for not having a QR code is not enough lead time. From what I know, the pilot program was launched in late October, then after about a week and a half, they would implement it right away with harsh consequences.

AS: You and other Davao City residents raised your privacy concerns. Is data privacy important to ordinary people?

MQ: In our time, yes. Before no one had internet or mobile, maybe not as much, but nowadays it's so easy to be a victim of identity theft, which is why so many Filipinos give a lot of importance to data privacy - myself included. We've all heard about the horror stories of data breaches and the financial losses that international companies have suffered - so I think with the advent of those micro loan apps that are just so easy to get approved for, many people also worry about the privacy of their data online.

AS: What were your concerns when you first learned about the DQR?

MQ: It had to be the privacy concerns which would be number one. Second would be transparency of who would have access to this data. Finally, I have major concerns with the use of validating both the ID and a selfie with the ID - which I feel was a bit extreme for simple tracking.

AS: What are the problems that you observed, and do you have any suggestions on how to answer these problems?

MQ: First and foremost, the SSL certificate, or lack of it, on the actual registration page. When I wrote my post it was non-existent where it was needed most, the registration page where people submitted their data. That's rule number one in security. Without it, anyone with enough knowledge can do an SQL injection to try to siphon off data from the database. This has been addressed the last time I checked. They went from a self-issued SSL to one from a reputable provider. Second, there was no transparency and accountability clause. As a webdev, that's one of the most important parts of a site, especially if you're collecting sensitive information: to tell those accessing the site that collects the data what it's used for, how it's used, and how they can opt out of having their data used. Instead they had some generic line in there that basically indemnifies them if something goes wrong. That "use at your own risk" statement was the cherry on top. Knowing that our LGU put a deadline and that it is required for anyone wanting to travel around, in or out of the city, that "use at your own risk" line shouldn't be anywhere on something that's mandated.

(Check Marvin's post on FB at https://www.facebook.com/m.b.quinsaat/)