StaySafe.ph developer: Trust issues hound contact tracing app

Trust issues are impeding the widespread adoption of the government’s official contact tracing app, known as StaySafe.ph, its private sector developer claimed.

David Almirol Jr., CEO of StaySafe.ph’s developer Multisys Technologies Corp., made the assessment as the app struggles to grow its user base, now almost 1.1 million people or 1 percent of the Philippine population.

“We Filipinos don’t trust each other anymore,” Almirol said at an online briefing on Monday (June 15), which was organized to address concerns about StaySafe.ph and provide a glimpse of how the technology works.

The venue was also a chance for Almirol to dispute allegations that the mobile app is a spying threat or lacked capabilities to do contact tracing, a key function in isolating cases to slow or stop the spread of the novel coronavirus disease (COVID-19).

“StaySafe was built to save lives. If Filipinos start trusting Filipinos, I think Filipinos will use it,” he added.

For StaySafe.ph to be effective, around half the population or 50 million people should be using the app, Almirol said.

“One million [users] is nothing. That is 1 percent of the population,” he said. “I see StaySafe as a solution. Not a perfect solution but it is a tool.”

The blanket call for trust, however, comes amid persistent questions over StaySafe.ph’s usefulness in solving problems across the country apart from privacy concerns.

COVID-19 cases rising

StaySafe.ph was launched last April as the government’s official social distancing, health condition reporting and digital contact tracing system.

It is meant to augment the Department of Health’s (DOH) own manual contact tracing efforts. The app, which Almirol said will be donated to the Philippine government, will also allow the real-time monitoring of cases. These capabilities remain lacking in the DOH until today.

This is crucial as cases continue to rise. Confirmed COVID-19 cases hit 26,420 on June 15, with 1,098 deaths and 6,252 recoveries.

Because of the threat of COVID-19, some areas have slid back to strict lockdown measures, which brings the economy to a halt. Such was the case of Cebu City which President Rodrigo Duterte ordered to be placed again under enhanced community quarantine starting July 16.

Dr. Tony Leachon, special adviser to the National Task Force against COVID-19, told ANC on Tuesday the government needed real-time and granular data.

“I trust them but I still verify,” Leachon said of the COVID-19 information being released by the DOH.

DOH turnover

Despite those concerns, the government’s interagency task force (IATF) against COVID-19 decided that StaySafe.ph will be turned over to the DOH by July, an IATF resolution on June 10 showed.

It was not immediately clear if the DOH had the proper personnel to run StaySafe.ph.

The original plan was for the Department of Information and Communications Technology (DICT) to control StaySafe.ph, including the source code and all user data, but the IATF changed its stand on the matter.

Almirol admitted on Monday this caused some confusion. But he also clarified that the DICT will remain “on top of this even after the transfer to DOH.”

According to the IATF resolution, StaySafe.ph will be turned over after the DICT and National Privacy Commission (NPC) issue a certification that the app is technically feasible, compatible and compliant with data privacy laws.

Not fully vetted

StaySafe.ph’s most vocal critic is Eliseo Rio Jr., the former DICT undersecretary who said he was eased out of government last May 22 after questioning StaySafe.ph’s limitations and calling for other IT developers to offer their own solutions.

He also cited StaySafe.ph’s relatively small number of users and how it lacks compatibility with 2G phones, which are still used by over 20 million Filipinos.

Rio, a retired brigadier general, electronics and communications engineer and former head of the DICT, said StaySafe.ph did not undergo any comprehensive vetting. He also pointed out potential issues on privacy, in particular, the possible misuse of StaySafe.ph’s data after users delete the app.

Espionage worries heightened when Multisys’ April 17 memorandum of agreement with the COVID-19 national task force surfaced and showed Defense Secretary Delfin Lorenzana, National Security Adviser Hermogenes Esperon Jr. and Secretary Carlito Galvez, head of the national COVID-19 response, as the only government signatories.

Government projects

Almirol said Rio’s views on StaySafe.ph’s contact tracing limitations were “speculative.” Moreover, he said the app would not be used as a spying tool as he insisted that priority was data security and privacy.

Almirol, however, acknowledged that Multisys had completed several projects with unnamed government agencies.

Rio said in a Rappler interview last June 9 that Almirol was involved in national security-related projects since 2016.

Multisys, which was established in 2010, initially participated in government projects as a subcontractor of larger companies. Almirol said that while the company had the technical expertise, it lacked the steep eligibility requirements as a newcomer in the industry.

It grew its business rapidly and it has over 120 programmers today.

In November 2018, PLDT became a shareholder with a 46 percent stake in Multisys after investing P2.15 billion.

How does StaySafe.ph work?

Almirol said StaySafe.ph’s features will be tailored to what the government needed.

During a live demonstration, he said StaySafe.ph collects data via GPS, for tracking a user’s location, and Bluetooth.

User registration is also required using a person’s mobile number. StaySafe.ph does not collect details like names, addresses, birthdays and e-mail addresses. Together, these will unlock the full range of StaySafe.ph’s features, Almirol said.

These features included citizen registration, health condition reporting, social distancing, manual and digital contact tracing and QR code scanning to log the location of users.

Almirol explained that mobile numbers are needed for the local government to reach out to users, who are also allowed to log their specific symptoms.

Data sharing

Local government units using StaySafe.ph can also generate “heat maps” showing COVID-19 hot spots in their areas.

The data come from cases or suspected cases provided by local authorities themselves or the DOH, Almirol explained. The app organizes the information on a dashboard with informative graphics ad charts, making the data accessible to policymakers.

Individual users are also alerted when there are nearby confirmed or suspected COVID-19 cases, Almirol said. These lists should be updated regularly by the LGUs and DOH.

Almirol said the system only works when both the government and individual users provide data.

“This is a give and take relationship. Contact tracing is useless without both of them,” he said.

He added StaySafe.ph provided a platform for both manual and digital contact tracing.

He said StaySafe.ph’s software algorithm allows it to detect contacts within a 1-2 meter distance using Bluetooth.

The technology is also useful for measuring social distancing, which requires people to stay physically apart to lessen the chances of contracting COVID-19.

More LGUs needed

Almirol said the developers recently received clearance to use the computing interface that will allow operating systems like Google’s Android and Apple’s iOS to detect each other.

During the live demo, it was impossible for reporters to tell if the technology behind digital contact tracing worked as advertised. The presentation included floating color-coded icons each representing an anonymous registrant and how they might be linked to a suspected case.

Almirol said millions more users were needed for StaySafe.ph to be effective. He said more LGUs also needed to adopt the platform.

He said just 200 out of 1,600 LGUs are using StaySafe.ph. Those local governments collectively provided data on 35,000 probable, suspected and confirmed COVID-19 cases, Almirol said.

Multiple versions of Staysafe.ph

He said Multsys is prepared to adjust to the requirements of the government even if it meant the developer removing certain features because of privacy issues.

For example, StaySafe.ph can do away with GPS and keep just mobile numbers and Bluetooth.

However, this will cut features such as citizen’s health reporting, the LGU heat map, QR codes although digital and manual contact tracing will still be available, Almirol said.

At its most stripped-down form, StaySafe.ph will be allowed to function using only Bluetooth. Almirol said the only features here will be social distancing and digital contact tracing.

According to the IATF resolution, StaySafe.ph is required to provide Bluetooth digital contact tracing and serve as the “frontend application system for the LGUs.”

Moreover, StaySafe.ph will be limited to collecting data which will be housed in the DOH’s COVID-Kaya system. If Multisy fails to comply with the resolution, its IATF endorsement will be withdrawn and all data will be migrated and stored with the DICT.

Is the user data safe?

Almirol said user data are deleted every 30 days. Moreover, users can choose to delete their own records.

“What is important with StaySafe is you have the right to delete your records so nothing is left behind,” he said.

On StaySafe.ph’s website, it said “we will keep your information for as long as necessary unless you request the deletion of your information, after which these will be securely deleted. However, we may retain your information when required by law.”

IT consultancy company ePrivacyNow, however, tagged the statement as confusing.

“This only means that opt out is not enforceable and users are not really sure if there is evidence of erasure on the right to be forgotten,” ePrivacy CEO Israel Brizuela wrote on a June 6 blog post.

“There is no assurance that once you delete this application on your phone your personal data is deleted on the servers as well,” he said.

Brizuela also cited “dangerous permissions” of StaySafe.ph such as access to a user’s camera, contacts, location, microphone, phone, text messages, calendar and settings.

Almirol said StaySafe.ph “intends to have lesser permissions” and these were meant as protections and not threats to the user.

Nevertheless, he said the National Privacy Commission (NPC) is currently conducting an audit on StaySafe.ph’s features. NPC officials did not immediately respond when sought for comment.

Moving on from Staysafe.ph

Almirol said he hoped the Philippines could emulate Taiwan, one of the global success stories in containing COVID-19. He said Taiwan’s contact tracing approach was the main inspiration for StaySafe.ph.

For now, Almirol said he was eager to turn over StaySafe.ph to the government.

“We thought that after we make StaySafe and we donate it then they will continue with the implementation,” he said.

Multisys’ agreement with the national task force, however, clearly stated that the company will be responsible for the development and “technical management” of StaySafe.ph. The agreement also said Multisys will “jointly operate and implement the solution.”

Nevertheless, Almirol said he was ready to move on, describing the selection of StaySafe.ph as both “lucky and quite unlucky.”

The company even turned down a potential P100 million deal through a managed services contract with the government.

He recalled that talks for managed services, a type of outsourcing agreement, emerged after DICT assistant secretary Emmanuel Caintic talked about the challenges of taking over StaySafe.ph app in terms of manpower and technical expertise

“I want to get back to Mulitsys and for the government to take over StaySafe,” Almirol said.

Edited by TSB
Read more...