Thai Covid-19 apps judged invasive
Contact tracing may prove elusive if people refrain from using the technology
To fight further waves of the pandemic, contact tracing apps that monitor infection locations and points of contact have never been more important. The recent scandal involving Egyptian airmen leaving quarantine to go to a mall in Rayong has the government scrambling to retrace their contact points, which could have been a much easier process had such apps been in use.
While the government slowly reopens the country to foreign arrivals who will need to download these apps to trace the virus, public trust in contact tracing apps remains low. People skipping Thai Chana checkpoints has become a common sight in Bangkok shopping centres, while many are crying foul at the app's dubious privacy and data protections.
According to the Singapore-based cybersecurity firm Straits Interactive, the Mor Chana and Thai Chana contact tracing apps, endorsed by the government to stop the spread of Covid-19, contain excessive user permissions and have terms and conditions lacking transparency.
A report by the Data Protection Excellence Network (DPEX) conducted by Straits Interactive showed the Mor Chana app asked for more permissions from users than any other contact tracing app in Asean, while Singapore's TraceTogether app and Vietnam's Blue Zone app asked for the fewest.
Mor Chana is an app designed to help medical professionals, government agencies and the public trace Covid-19 infections. Users can submit information to the app about their health status and location to help the government and doctors trace the spread of the virus. The app was developed in collaboration with state organisations and private developers to provide data to the Department of Disease Control.
Countries around the world are developing similar apps to fight the pandemic, while privacy advocates are raising concerns that these tracing apps could be abused by the government and used to monitor citizens for purposes other than Covid-19 prevention.
According to the study, the app requires nine "dangerous" permissions (or permissions that grant access to personal data outside the app) including access to the camera, GPS location, and device and app history, which means the app developer can access web history and log data of other apps. The developer and its partners in government could access these functions as long as the app is running.
"It is like giving access to your entire phone to the developer," said Kevin Shepherdson, chief executive of Straits Interactive. "We are not asking for change, per se, but more clarity by the app on how the data will be stored and used and how it is relevant to tracking Covid-19 outbreaks."
The Thai Chana app, which was not discussed in the DPEX report, potentially raises even more problematic personal privacy issues. While requiring fewer permissions than the Mor Chana app, its terms and conditions page is only two paragraphs long and only vaguely accounts for who can access the data and what it will be used for.
The app was developed by state-owned Krungthai Bank and allows users to check in to businesses by scanning a QR code. The app requires permission to use the camera to scan QR codes, and an optional permission to track GPS location if the user wants to find nearby businesses using the app.
Many terms and conditions for smartphone apps are hundreds of pages long, addressing all aspects of data privacy and legal liabilities, while Thai Chana's is uncharacteristically brief.
Thai Chana's website says the app will store the check-in and check-out data for only 60 days, but users will have to take the site's word for it because the statement is not detailed in the terms and conditions.
This lack of data transparency could be in violation of the recently passed Personal Data Protection Act (PDPA), which was modelled after similar data protection laws in other countries.
The government delayed compliance for most aspects of the law beginning in May, saying it was to provide financial relief for businesses that would have to bear considerable costs to comply with the law.
This includes the provision requiring app developers to clearly detail the precise ways they will use the data, who will have access to the data, and how long it will be stored.
"Under the PDPA, preventing a pandemic like this one is one of the justifications to use personal data, but you must be very clear what you are using the data for," said Prapanpong Khumon, associate dean for academic affairs in the Faculty of Law at the University of the Thai Chamber of Commerce, who helped draft the DPEX report. "You can only use the person's data for the purpose that you notify the people using the app."
As tourists return to the country, the short terms could also be in violation of the EU's General Data Protection Act, which enforces data protection rules for European citizens even outside the EU.
The Mor Chana terms and conditions are much longer, about two pages in length, and do specify that the data will be held until 30 days after the Covid-19 pandemic and the repeal of the Emergency Decree and then be "erased, destroyed or anonymised". With a vaccine possibly years away, the exact time the developers can hold on to the data is unclear.
Users of the Mor Chana app can request data be erased, destroyed or anonymised, "unless retention of the data is necessary for legal purposes".
Thai Chana, on the other hand, asks the user to give consent for the Public Health Ministry and agencies underneath the ministry for "collecting, using, and disclosing the following data included [sic] telephone number and place and time of giving consent … for the purpose of controlling and preventing Covid-19 and other communicable diseases."
Under Section 23 of the PDPA, an individual must be informed of six elements of how their data is used: the purpose of using the personal data, the legal basis for using the data, the period of retention of the data, the categories of data and the entities to which the data is disclosed, the contact details of the data controller, and the rights that the data subject has to take control of their data.
"Since the PDPA is not enforced now, the Thai Chana app does not violate anything," Mr Prapanpong said. "However, if the PDPA is fully enforced next year, the app can do more on the privacy notice [terms page] to fulfil the PDPA requirements so that an individual can be informed on how their personal data is used.
"However, with the current terms, the information that the app gives to an individual appears to be insufficient which can lead to confusion and a question on the app's transparency."
Polawat Witoolkollachit, the inspector-general of the Digital Economy and Society Ministry who oversaw development of Thai Chana, said none of the data on the app has been used yet because there have been no outbreaks of Covid-19 in Thailand since the app was rolled out.
He said data on the app will be used exclusively by the Public Health and Finance ministries, which act as the processors of the data.
Dr Polawat said the app cannot see individuals' GPS locations, as they are anonymised on the server side, which cannot be accessed by the app developers.
"Use of the app is under the enforcement of the emergency decree and has the support of Thais," he said. "This was done in the Thai context under a very tough situation, and we are using it to move our society forward from the Covid situation."
As for the short terms page in the Thai Chana app, he said the legal team overseeing the app found it compliant with Thai law and the emergency decree.
A visitor to Khao Yai National Park scans a QR code to check in via the Thai Chana app upon arriving at the park. Arnun Chonmahatrakool
LOSS OF TRUST
According to Dr Polawat, over 220,000 businesses out of about 1 million nationwide have registered to use the Thai Chana mobile app, and about 400,000 people have downloaded it. There are about 3 million check-ins every day.
Public trust in the app waned after iPhone users in Thailand received a spam text message advertising a Macau online gambling service after downloading the app and entering their phone number.
But there is no evidence to connect the spam messages to the Thai Chana app, and some iPhone users reported receiving the messages without downloading the app.
This incident has been compounded by general distrust in the government after the forced disappearance of Thai activist and junta critic Wanchalearm Satsaksit in Cambodia. With protests in Thailand becoming more frequent after the end of the curfew, some activists are having second thoughts about the government accessing their GPS location.
"Technically, it does require the user to give several permissions for his or her phone," said Thai student democracy activist Netiwit Chotiphatphaisal. "As we do not really have evidence about how the government will utilise this, it is safer not to use the app and just act like you scanned the QR when getting into places."
To make matters worse, in June the government admitted to sharing mobile tracking data with the Defence Ministry in a television interview on the MCOT TV network. Neither the Mor Chana app nor Thai Chana says it allows the Defence Ministry to access its data.