‘Borderline spyware’: IT experts raise alarm over Duterte admin contact-tracing app

AT A GLANCE

  • The government's official contact-tracing app has excessive permissions and unclear parameters on how citizens' information will be used after the COVID-19 crisis.
  • StaySafe got the nod of National Security Adviser Hermogenes Esperon Jr and other high-level security officials.
  • The National Bureau of Investigation, also in charge of building cases on individuals spreading “fake news” and “misinformation” about the pandemic, will be using the app for contact-tracing – a task it was assigned to, to help the health department.
  • Some IT experts worry that the database of numbers collected by the app could be used for the 2022 elections.
  • Though perhaps unintended, the app could make surveillance easier for the state to target its critics.

On May 2, my phone received a text message from a sender identified as “STAYSAFE.PH.”

The message read: "A reminder from IATF & National Task Force on Covid-19: Help us stop the spread of COVID-19, register now at WWW.STAYSAFE.PH." 

StaySafe is just one among many locally-developed apps claiming to be a useful tool against the coronavirus. 

But StaySafe has one thing the other apps don’t – an official seal of approval from the government entity leading the pandemic response, the Inter-agency Task Force on Emerging Infectious Diseases (IATF-EID). 

Despite StaySafe’s official designation, some members of the IT community and even a former ICT government official, worry about its data privacy measures. They also worry about how data gathered by the platform will be used by government – particularly the security agencies that have taken an interest in the app. 

Fueling these concerns is the passage by Congress of the anti-terror bill, which law experts say, gives security officials dangerous powers, including prolonged and broadened surveillance.

All this takes place under the shadow of a deadly pandemic which United Nations human rights chief Michelle Bachelet said has given countries like the Philippines an excuse to crack down on legitimate dissent.

Developed by whom?

StaySafe is an online platform and app developed by local tech firm Multisys Technologies Corporation.

The firm boasts of several high-profile clients, developing digital products for the Villar Group (headed by Duterte ally Manny Villar), Robinsons Bank, Grab, and others. It has developed cashless payment apps for local governments like Manila and Cauayan City.

According to Multisys' website, they have over 2,000 companies using their platforms. In 2018, Manny V. Pangilinan saw potential in the firm. His company, PLDT Inc, bought a 46% minority stake.

The man behind Multisys is former overseas Filipino worker turned businessman David Almirol Jr. He was a migrant worker in the Middle East then worked at a United States military camp until 2014, when he moved back to the Philippines to set up Multisys.

In the firm's website, Almirol said he aspires to be the country's Bill Gates. 

The app uses bluetooth technology to determine the location of the phone using it, as well as other phones in the area using the app. This is supposed to allow the app to warn the user when there is a suspected, probable, or confirmed coronavirus case nearby.

The app also asks for the user’s cellular phone number to send it a one-time password (OTP).

StaySafe is a cut above other COVID-19 apps because it is one of two apps officially adopted by the national government (the other being RapidPass, to allow priority vehicles and frontliners to quickly pass through checkpoints).

“The IATF adopts StaySafe.ph as the official social-distancing, health-condition-reporting, and contact-tracing system that will assist in the government’s response to COVID-19,” reads IATF Resolution No 27, dated April 22. 

It included a caveat, that the adoption of StaySafe must be subject to “compliance with relevant cybersecurity, data privacy, and confidentiality laws.” 

Nod of Esperon

StaySafe got attention from the task force primarily through the efforts of President Rodrigo Duterte’s top security man, National Security Adviser Hermogenes Esperon Jr. Esperon is a former military chief and among the "Hello Garci" generals, or generals accused of helping rig the 2004 presidential elections in favor of Gloria Macapagal Arroyo. Esperon has denied involvement.

In early April, Esperon scheduled a presentation of StaySafe before the IATF, according to persons present at the meeting. Impressed by Almirol’s presentation, the task force decided to adopt StaySafe.

Esperon is all praises for Multisys for “donating” StaySafe to the government.

“The donor should be admired and praised. That app cost them time and money. I appreciate their good faith and concern,” Esperon told Rappler on June 2.

Esperon neither confirmed nor denied the claim from a tech insider that Multisys has developed technology either for the National Intelligence Coordinating Agency (NICA) or National Security Council (NSC). Esperon is director general of the NSC Secretariat. 

“Who said so?” he said, when asked by Rappler.  

“Some people? No need to get my side then. Just ask your sources,” he said.

Nod of other security officials

Multisys, meanwhile, said it has "several projects for government agencies" but declined to confirm any project with an intelligence or security agency citing "confidentiality agreements with [their] partners."

On April 8, Multisys signed a memorandum of agreement with the National Task Force (NTF) COVID-19, the government entity implementing policies formulated by IATF-EID.

The document, some pages of which were shown to Rappler, was signed by Almirol and NTF chairman and Defense Secretary Delfin Lorenzana. The other two signatories were NTF chief implementor Carlito Galvez Jr and Esperon.

All 3 government signatories are retired military generals who now head agencies related to security.

While there was no signature from an official of the Department of Information and Communications Technology (DICT), StaySafe was also supported by ICT Secretary Gregorio Honasan and his undersecretary Manny Caintic. Honasan did not respond to Rappler’s request for comment.

Critically, the task force signed the MOA and gave StaySafe official backing even without any technical vetting by the DICT or the National Privacy Commission (NPC).

"It was still a work in progress, even up to this time. It is a health monitoring app with a location tracker, but up to now has no contact-tracing capability... It just generates a database of cellphone numbers with their location, useful for surveillance purposes of people who reported themselves with symptoms," said Eliseo Rio Jr, a former ICT undersecretary familiar with how StaySafe was approved by the task force.

NPC commissioner Raymund Liboro told Rappler on Friday, June 5, that the agency’s Data Security and Compliance Office was still not done assessing StaySafe, two months after it became the government’s official contact-tracing and health-reporting app.

He also admitted not closely perusing the MOA, saying it’s not NPC’s job to look into contracts.  

“We’re not involved in looking at contracts. We presume regularity,” said Liboro. 

However, he did say that NPC would prefer if apps like StaySafe were controlled by a specific line agency, while the task force is composed of multiple line agencies.

To be used by NBI for contact-tracing

On May 16, the National Bureau of Investigation (NBI) announced it will use StaySafe in its contact-tracing efforts, nixing initial plans to use Trace Together, an app developed by the Singapore government.

The reason for the shift given to media was that the NBI wanted to patronize local talent and because StaySafe had IATF-EID approval.

“We will be adopting the StaySafe.ph,” said NBI Deputy Director Ferdinand Lavin.

The NBI, a government agency engaged in surveillance, was ordered to help the DOH in contact-tracing. But it’s also in charge of building cases on individuals spreading “fake news” and “misinformation” about the pandemic. 

What assurance is there that data collected through StaySafe won't be used for surveillance of critics or purposes unrelated to COVID-19?

Data privacy red flags

StaySafe has 7 “dangerous” permissions, so-called because it involves the access of personal data (like text messages and contacts) or system features (like phone camera and location).

App permissions are privileges that an app has which allows it to access data and features of a phone so that it can function properly for the user. Trustworthy app developers won’t request for anything their app doesn’t need.

“Why do they need access to camera? Another alarming permission would be reading and writing on contacts, SMS, and contact details. They can also delete your contacts. It’s like borderline spyware,” Israel Brizuela, CEO of data privacy consulting firm ePrivacyNow and member of the National Association of Data Protection Officers of the Philippines, told Rappler.

Brizuela listed the following permissions he found worrisome:

  • Camera
  • Contacts (permission to read, write, and delete contacts)
  • Location (permission to access fine and course location, bluetooth)
  • Microphone (permission to record audio)
  • Phone (permission to call phone, read and write call log)
  • SMS (permission to send, receive, and read text messages)
  • Storage (permission to read and write external storage)
  • Settings (permission to write settings)

Many other apps, including other coronavirus response apps, make use of similar permissions. 

In a review of such apps, the Data Protection Excellency Network (DPEX) identified StaySafe as having “excessive permissions.” DPEX is a Southeast Asian organization that does research in data privacy practices.

Its analysis of Southeast Asian contact-tracing singled out the Philippines for using a 3rd party developer. Most apps they analyzed were developed by government bodies. 

Singapore's Trace Together app managed to do contact tracing with less permissions and a clearer privacy notice.

For one thing, it doesn't ask the user to take a profile photo. Also, the only time a user's phone number is made visible to the government is when the user comes in close contact with a COVID-19 case or tests positive. The government then asks the user for permission to access their "close proximity" information for the past 21 days, or information showing the user IDs of other app users they were exposed to.

DPEX said Trace Together was the "least intrusive" in terms of permissions and topped privacy protection marks.

For governments that use a 3rd party app developer, DPEX recommended "better oversight" and said a Data Protection Impact Assessment is "crucial to identify privacy and security risks."

Data privacy compliant?

Multisys insists the platform is compliant with the Data Privacy Act. 

Its privacy notice explains why it collects certain types of information from users and for what purpose. One such purpose is to improve government policies and actions “in response to the COVID-19 pandemic,” reads the notice. 

The information will be used “to enable contact tracing of suspected, probable, and confirmed COVID-19 patients.”

The policy note clearly states that the NTF is the data controller while Multisys is the data processor. This distinction is important because controllers and processors have distinct responsibilities, based on the data privacy law.

The NTF, as data controller, must ensure safeguards are in place to keep personal information confidential and prevent its use for unauthorized purposes.

But some IT experts like Brizuela aren’t convinced. He said, “We think their privacy notice is confusing and inconsistent.”

Multisys' explanation

Multisys, in an email to Rappler, sought to explain StaySafe permissions. 

The app needs access to phone cameras to allow users to take profile photos (optional) and for QR code scanning, said the firm.

The read and write external storage permissions are to enable the user to choose a profile photo or delete a profile photo taken using the app.

Below is the full list of StaySafe permissions as provided by Multisys: 

  • ACCESS_COARSE_LOCATION / ACCESS_FINE_LOCATION - for "Scan Area" feature
  • ACCESS_FINE_LOCATION / BLUETOOTH / BLUETOOTH_ADMIN - for Bluetooth-enabled contact tracing
  • CAMERA - for the optional profile photo and QR code scanning
  • FOREGROUND_SERVICE - to make the bluetooth contact tracing service a priority of the phone system, which will make it consistently running
  • INTERNET - to access the platform
  • READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE - for photo selection (for the profile picture) or deletion in case user took a photo via the app
  • RECEIVE_BOOT_COMPLETED - so that even when the device restarts, the bluetooth contact tracing service will continue to run 
  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - so that Android OS will automatically and temporarily stop the bluetooth contact tracing service when the app is stopping or pausing 
  • VIBRATE - for the scan QR feature, to indicate if the user has scanned a legitimate QR code
How long will users' data be kept?

Apart from the permissions issue, Brizuela said StaySafe is vague on how long users’ information will be kept and if it will only be used for fighting the pandemic. 

StaySafe’s privacy notice contains this sentence: “We will keep your information for as long as necessary unless you request the deletion of your information, after which these will be securely deleted. However, we may retain your information when required by law.”

Retention of personal information "when required by law" is a red flag in itself because it is too broad and indefinite. 

Brizuela said the notice should clearly state that users' information will be deleted after the pandemic. 

“After the pandemic, deletion of the information should be automatic because it can be abused,” Brizuela added.

Useful for elections?

Other IT experts who spoke to Rappler worry that the StaySafe database of cellphone numbers and locations of users could be used to reach voters during the 2022 elections.

It could also be used to target critics. Cross-referencing the StaySafe database to other information known by security agencies could make it easier for them to track and spy on government critics.

The loopholes in the system could be due to sloppy app design or lack of foresight on the part of government.

In a May 13 letter to Health Secretary Francisco Duque III, chief implementor Galvez admitted to the “lack of a formal protocol on the acceptance, vetting, and approval” of apps offered to the coronavirus government task force. 

Thus, he proposed the creation of an Information Systems Task Group that would assess such platforms, evaluate their security risks, and monitor their effectiveness.

He recommended former ICT undersecretary Rio to head the group. Rio was among the officials who earlier sounded alarm bells over StaySafe. Himself a retired general, Rio has decades of experience handling communications and information systems for the military. 

But before Rio could helm the group, he was eased out of government. President Duterte accepted his resignation, filed 4 months ago and almost forgotten by Rio. The undersecretary was surprised by the move given his involvement in the government’s pandemic efforts. 

Safeguards?

Are there enough safeguards in the Multisys-NTF deal to ensure information from users will not be abused?

One thing still not clear is which government agency holds the information of citizens who use the app. 

While Esperon claims StaySafe was “donated” to DICT in early May, Galvez said days later that this has not yet been ironed out.

“We in the IATF will discuss that. As of now, I don’t know about the turnover,” he said on Saturday, June 6. 

“We will talk with DICT and also with DILG (Department of the Interior and Local Government) because those who will use this are LGUs and members of the National Task Force and IATF,” he added.

Meanwhile, Multisys said they are “already in the process of transferring the full ownership and controls” to government.

Until this formal turnover, it's possible that data of hundreds of thousands of Filipinos who have registered with StaySafe lies in the hands of a private company with links to government security agencies. 

For all the hype around StaySafe, it is yet to prove itself as an effective contact-tracing app.

Many users reviewing the app on Google Play complained about the contact-tracing feature, claiming inaccurate results or frequent crashing. Some had problems just registering. Others wanted assurance that the app was not running on background and tracing their location without their knowledge.

Eager to check if StaySafe worked, I turned on its “Protect Me” feature that is supposed to report any nearby suspected, probable, or confirmed cases. The app then flashed an impressive animation of a blue dot “scanning” its surroundings and finding purple, yellow, and red dots.

But the animation wasn’t showing actual cases near me. It just flashed graphics to preoccupy the user while the app was trying to load results. 

Thirty minutes later, the blue dot was still scanning. Tired of waiting, I exited the app. After a few more failed attempts to scan my area, I deleted it. – Rappler.com

Pia Ranada

Pia Ranada covers the Office of the President and Bangsamoro regional issues for Rappler. While helping out with desk duties, she also watches the environment sector and the local government of Quezon City. For tips or story suggestions, you can reach her at pia.ranada@rappler.com.

image