Is StaySafe.ph safe?


I have been warning people about the dangers of collecting sensitive personal information under the guise of contact tracing. The temptation to gather as much of citizens’ personal data as possible is high, particularly when the election is quite near. Imagine being able to accurately pinpoint where a particular voter lives, which precinct they belong to, and with whom, all cross-referenced with social media posts; then you can have good insight into the voting population in a particular area. Any company with that much data will be highly profitable come election time — how do you think Cambridge Analytica got into this scandal? Yes, Facebook and Google have this information, too, but a local company will earn millions, at least, with the same “volunteered” personal data.

I have no personal beef against StaySafe.ph, but I saw the dangers of using this platform as it collects sensitive personal information that can be used in other ways. Just as a reminder, having a secure system does not mean that your privacy is not being violated. My friend, who is a cybersecurity expert, posted “StaySafe.ph fixes sensitive personal information exposure”, showing that there were security vulnerabilities that were identified and, luckily, fixed. As I have said, security is different from privacy (although both go hand-in-hand) — simply put, StaySafe.ph secures the personal data it collected from unauthorized access, similar to how Facebook and Google protect their data assets. And we know how Facebook and Google use our data.

The same friend led me to “Unmasked II: An Analysis of Indonesia and the Philippines’ Government-launched COVID-19 Apps”, by The Citizen Lab of the University of Toronto, in Canada, and the key finding shows concern:

StaySafe PH, a COVID-19 contact tracing app launched by the government of the Philippines, collects device geolocation data and stores it in an insecure manner. Through a vulnerability in the backend database used by this app, we were able to access the geolocation data of hundreds of thousands of users. We are concerned, but did not confirm, that it would be possible to use users’ movement patterns to deanonymize them and to discover their health status.

I agree that there should be a balance between privacy and public health, but as pointed out by The Citizen Lab researchers, there are ways to do contact tracing without the need to collect sensitive personal data (see DP³T and the Apple-Google Exposure Notification system). The question now is, if there are safer alternatives (that are, mind you, FREE to use), why develop another that isn’t safe? What are the hidden motivations behind this?

The researchers also cited this (which I refuse to link to since it is Facebook):

In a Facebook post dated December 4, 2020, Eliseo Rio Jr. also claimed that “[u]ntil now StaySafe has not complied or turned over to the government its aforesaid softwares and data.”

Two words — WHY NOT? 

Until there is full transparency on StaySafe.ph, I urge Filipinos: if you can avoid it, Stay AWAY, NOT safe. The Philippine government should open the application’s source code for review by interested parties, similar to how the automated election system is required by law; have the data independently audited to ensure that data collected beyond at least two (2) weeks (beyond the 14-day quarantine period, the data is no longer valid for contact tracing) is completely deleted (including in all back-up storage); and finally, come clean as to how Stay(AWAY,NOT)Safe.ph was selected, when other applications were available. As it is, stay at home so you won’t be FORCED to give up your personal information for possible use beyond contact tracing.