The question is who will grab the data: cybercriminals or government agencies opportunistically harvesting the data in the name of security?

After nearly a year of global contact tracing through barcode scanners, QR codes and mobile apps, authorities around the world have done a good job of using the collected data to track down people who may have come into contact with infectious people.

Conversely, cracks have also surfaced after such data collection gave rise to privacy and logistical concerns.

For example, last month in the Philippines, a contact tracing app was launched in Manila’s Metro Rail Transit (MRT). Called ‘MRT-3 Trace’, the app is meant to provide convenience to commuters who have to manually fill up a contact-tracing form.  

As this was only a soft launch of the app, provisions were made for contact-tracing forms to be available at the station for those who had not downloaded and installed it. Public response were generally positive. However, one young commuter had expressed concern that some Filipino senior citizens might not have smartphones, while another person voiced concern over data privacy issues.

Hiccups in transparency

In Singapore, the ‘Tracetogether’ contact tracing app and token attracted controversy when it was revealed that the police would have access to the data for ‘serious’ criminal cases—when the original announcement was that the data would be strictly untouchable for any use other than pandemic control.

Said policy was amended, however, on January 4, 2021 on account of how “how the Criminal Procedure Code applies to all data under Singapore’s jurisdiction.” Incensed Singaporeans felt that the government had back-pedaled on the app’s privacy policy, since the Covid-19 Temporary Measures Amendment Bill stipulates that any unauthorized use or disclosure of personal contact-tracing data is an offence.

After a Certificate of Urgency was issued to allow amendments to the Bill, the matter was rushed through three readings in just one parliamentary sitting. The Police will be granted use of the data in cases involving murder, terrorism, serious drug offences; use of firearms/dangerous weapons; kidnapping and rape.  

In Thailand, the MorChana contact tracing app was hounded by controversy has also hounded when the government took sole control of the app last month after a partnership with the private sector for about nine months.  

According to reports, MorChana developers were not happy with the government’s actions. Thailand’s Disease Control Department (DCD), however, as represented by DCD director-general Dr Opart Karnkawinpong, was quoted as saying: “We are in the process of further developing the app together. So, there may have been some misunderstanding between software developers and the Public Health Ministry. We will address these issues and consult each other to promote good understanding.”

To ensure privacy, some features of the app, such as obtaining users’ private information, have been removed, and the app’s function is now to merely alert users to an infected person in a particular area.

There were also questions about the MorChana app’s cloud coming close to being overwhelmed by the sheer number of users. That paved the way for the app to be linked to the government’s own data center and cloud service.

More teething pains

According to data protection law specialist Associate Professor Sonny Zulhuda of the International Islamic University Malaysia, his country’s own contact tracing app is not necessarily breach-proof.

The ‘MySejahtera’ app faced some issues late last year, including the inevitable privacy concerns. The Health Ministry has reassured the public that the personal data stored in the app is treated as confidential patient information under the Medical Act 1971, the Prevention and Control of Infectious Diseases Act 1988, and provisions under the Personal Data Protection Act (PDPA) 2010.

On his part, Dr Zulhuda reiterated: “The security task is enormous because it involves handling the dynamic data of the whole nation. But the task is not solely on the Government’s shoulders. Everyone involved in contact tracing will share some task: the premises’ owner; the staff in charge of data handling; and the individuals who record their own data, both electronically and in log books.”

Finally, in an exact opposite scenario, Japan has had its share of woes due to a contact tracing app that guards privacy so tightly that it does not enable the government to centralize data, use GPS to track people, or harvest information such as phone numbers and names.

Features in the app meant to protect the user have been criticized for preventing the government from collecting data essential to gauging the effectiveness of pandemic control measures!

Love it or hate it

When all is said and done, contact tracing apps and practices will have their pros and cons, defects and denouncers.

However, given the extremely short time frame in which such measures were implemented and refined along the way in unprecedented circumstances, people will just have to make do in order to protect themselves and everyone else.

Governments faced with such massive tracking operations have no doubt made mistakes and improvised along the way. Let us hope that privacy and trust issues will be etched indelibly into their collective playbook as they continue to battle the invisible viral enemy.