January 20, Asia Meetup
Date: January 20, Wednesday
Time: Delhi 13:30 (UTC+5:30) / Taipei-Kuala Lumpur 16:00 (UTC+8) / Tokyo 17:00 (UTC+9) / NYC 3am (EST)
Who: Facilitated by Lulu Keng,Don, Kaia, and Nica
Where: The Meetjitsi link will be shared in the following rooms on the IFF Mattermost one or two hours before the start of the meeting: Southeast Asia, Central Asia and East Asia.
- Don't have an account to the IFF Mattermost? you can request one following the directions here.
Agenda: Research about COVID tracing app in Southeast Asia.
Topic Sharing : Government-launched COVID-19 Apps in Indonesia and the Philippine
The Pellaeon and The Citizen lab's research briefing:https://citizenlab.ca/2020/12/unmasked-ii-an-analysis-of-indonesia-and-the-philippines-government-launched-covid-19-apps/ One of the findings is a lot of unnecessary requests: multiple dangerous permissions, including location permissions capable of recording geolocation, camera permissions capable of taking photos and recording video, as well as device storage permissions capable of reading users’ photos and other files.
Such as COVID-KAYA, why it needs camera premission? Based on source code inspection, the app does not actually use the camera for anything Requesting this permission is unnecessary If vulnerabilities are found within the app, the attacker may utilize the camera access that the app has access to to spy on victims. Luckily, not many users because it specificly for health workers.
How to determine if an app follows data minimization principles?
Does it make sense for the app to collect data using this permission? For example, Foodpanda, a food delivery app, why does it need camera permission? You should be able to just click and enter your address and order items, without needing the camera. Therefore, the camera permission requested in Foodpanda does not make sense. This shows that the app does not follow data minimization principles, so it is better to choose other food delivery apps which collects less data.
A good tool
Exouds analysis system https://exodus-privacy.eu.org/en/, you can check what data items the app collects and what trackers it includes StaySafe-ph:(but not safe?) It has many users. The code structure of this is better than COVID-KAYA
Vulnerabilities were also found within StaySafe and COVID-KAYA. The vulnerabilities exposes user data.
It sends user device identifier for advertisement tracking service operated by Telekom Indonesia
COVID-19 App can be better
In Europe, some similiar Apps are open source and have good security policy and audits.
Q:App needs to require permission, how to allow App running but not give out too many? Is that possible to grant the permission for one time.
A: there will be ok permission, such as internet access is a reasonable permission for FoodPanda to run. Need to think if this permission is critical and necessary for the App. After Android 7 (TBC), the permission can be graduatlly set. On Android 11, it should be able to grant the permission for only once.
Q:Why specifically look at the App in this two countries?
A:Team decided in the begining (not me), but even for these 3 Apps, we took more than 3 months to do the analysis.
Q: I know that Singapore and Malaysia has gov-made COVID-19 App too, do you have information about their App?
A:The gov COVID-19 App - "BlueTrace" in Sigapore actually is the best in SouthEast Asia. It is even partly open-source. Sadly no other countries adopt it. There are too many Apps, we are not able to look into all of them.
Q:Is it the same research framework? Or are you looking at other aspects of it? Mysejahtera I mean
A: I will use Part 3 research framework to analyze Mysejahtera.
Q:There are too many Apps, is there idea how to do the research? Personal Data Protection Law?
A: In Indonesia, we don't have it, still being drafted, but not yet ratified.
A: In Philippines, the one we have doesn't cover government sector. there is a data privacy law in the Philippines, and we have a National Privacy Commission. but I don't think NPC has been informed of the study. The Filipino data protection agency had probed into staysafe, but the app was published before the probing completes.
A: The App transpracy in Thailand is worse.
A: In Malaysia, gov COVID-19 App is not moderatory to install.