COVID-19 apps: In gov’t we trust?
Whenever we endorse something—be it a product or another person—we are vouching for its credentials or qualities. In so doing, we are putting our own reputation at stake. If the endorsee falls short of expectations or turns out to be the opposite of what we claim it to be, we also suffer as a result.
This is why we exercise caution when given an opportunity to make an endorsement. Society expects us to act responsibly and conduct an honest and thorough evaluation before lending our name to someone or something that could embarrass us or cause us to lose credibility. When the lives and welfare of a lot of people are involved, the stakes are even higher.
The Philippine government doesn’t seem to share this view, at least when it comes to its endorsement of technologies related to the COVID-19 pandemic.
IATF Endorsements
In a resolution dated 22 April 2020, the Inter Agency Task Force (IATF) for the Management of Emerging Infectious Diseases adopted StaySafe.ph as the government’s “official social-distancing, health-condition-reporting, and contact tracing system”, subject to “continued compliance with relevant cybersecurity, data privacy, and confidentiality laws” as well as guidelines issued by its Sub-Technical Working Group on ICT.
The government effectively gave the app a veneer of credibility or trustworthiness, courtesy of its acquired “official” status. When the IATF used the term “continued compliance,” it also implied that the government had evaluated the platform and found it to be consistent with applicable laws.
But the government wasn’t done. Last June, the IATF also endorsed another app, SafePass, as a “COVID-19 Prevention and Incident Management platform for all business establishments.” Its seal of approval was also subject to the same “continued compliance” condition, and therefore gave rise to the same presumption as regards the app’s “compliant” status.
This July, the IATF, in another resolution, doubled down on its initial backing of StaySafe.ph by obliging local government units (LGUs) to use the contact tracing app. It said LGUs should issue the necessary executive order or ordinance to make this happen.
A Convoluted Regulatory Scheme
In looking at these developments, one has to assume that the government already has a sound and effective regulatory regime, right? It couldn’t possibly be pushing for all these products without making sure they are safe and actually useful.
Well, let’s see.
A guidance document pertaining to COVID-19 technologies came out two days before the IATF endorsed StaySafe.ph. On April 20, the National Privacy Commission (NPC) issued a Public Health Emergency Bulletin wherein it expressed its support for digital technologies. The document featured nothing more than boilerplate “requirements” that can be sourced from any data privacy law (i.e., an app must be: inclusive and trusted; clear about its legitimate purpose; transparent in its use of personal data; proportional in its data collection; secure, etc.). There was no mention of consequences if an app fails to live up to the conditions.
What could arguably qualify as the first regulatory policy came two days after the StaySafe.ph endorsement. On April 24, the NPC and the Department of Health (DOH) issued a joint circular that required all COVID-19 ICT solutions and technologies to be registered with the Commission and to follow the minimum standards of the Department of Information and Communications Technology (DICT) and the health department, including the latter’s COVID-19 surveillance and response protocols and data requirements.
That directive, of course, begged the question: was StaySafe.ph registered with the NPC? Also, was it following these “minimum standards” set by the DICT and the DOH? And, where are these so-called standards, anyway?
As regards the first question, NPC would be in the best position to answer that. But with the second and third, it looks like they would’ve been impossible to answer at that time because it was only by May’s end that the DICT, through a circular, laid down the guidelines of its vetting and evaluation process for all “ICT services, products, and applications for government use in addressing the COVID-19 situation.”
That’s right. The government endorsed an app more than a month before it had a proper vetting process in place. How is that possible?
Speaking of the DICT’s evaluation protocols, they are far from ideal and don’t exactly inspire a lot of confidence. The Circular says the procedure will be informed by a “framework of ICT best practices and standards” consisting of five main components: (1) ICT service management; (2) project management; (3) enterprise architecture; (4) cybersecurity; and (5) data privacy. It points to a confusing “Checklist of Vetting Requirements” found in a spreadsheet file, without providing additional guidance as to how that document is to be navigated. In the portion of the file that takes up data privacy, a term (i.e., “privately identifiable information”) that is not recognized in the local data protection landscape is used, suggesting the document is inspired by or was taken from a US source. The document gives little else and simply says data privacy compliance review and clearance will be given either by the Data Protection Officer of the agency expected to use the app, or by the NPC. What standards and procedures will they use and follow? No one knows. The policy also notes that the Department may impose additional requirements or ask for more submissions.
But wait, there’s more.
When June came, the IATF issued another resolution providing specific instructions for the official turnover of StaySafe.ph to the government. First, it said that a Memorandum of Agreement must be executed between the developer and the DOH regarding the donation and use of the app. The contract must take up the app’s source code and issues like data ownership and intellectual property. Then, the resolution says DOH must accept the app only after the DICT and NPC have already certified that the donation is “technically feasible and secure, …the systems are compatible, and that the arrangement is compliant with data privacy laws.”
Additional conditions included:
• The app must be able to perform the functions of two separate apps. Specifically, it must serve as both: (1) a Bluetooth digital contact tracing app; and (2) a frontend application system for LGUs.
• The app must be limited to collection of data.
• All data in the app database must be migrated to COVID-Kaya database (owned by DOH).
• The developer has 30 days to comply with the directives.
Notice that these are a lot of conditions. And they are being imposed nearly two (2) months after the government had given its nod and endorsed the app.
What if the developer fails to meet the conditions? What if the DICT or the NPC refuses to issue a certification? What then becomes of the “official” app, which, by this time has collected plenty of personal data already? Did the government just tell people to trust an app it wasn’t even done evaluating yet?
It certainly looks that way because the DICT said it was still studying the app at that time. And as if things weren’t confusing enough, the Department also said it would defer to the guidance of the IATF-EID on the selection of the country’s contact tracing application.
What does that mean? You have the IATF saying the app must obtain appropriate certification from the DICT (and the NPC), and yet here is DICT saying it will defer to the IATF’s directives.
Why is no one willing to be accountable for the government’s regulatory framework (if one can call it that)?
Maybe it’s because, as things stand, the government doesn’t look like it knows what it is doing when it comes to regulating COVID-19 technologies. Maybe it doesn’t care?
This July, the DOH said it welcomed the development of other contact tracing apps aimed at supporting the government response to the pandemic, as long as these undergo validation and regulation with the DICT and the NPC. Are they also expected to go through the same labyrinth that was just described? Are they all going to be endorsed? There are still more questions than answers.
In its PHE Bulletin last April, the NPC said COVID-19 technologies, in order to be successful, should be trustworthy. That is true. But so should the government and its mechanism for endorsing these technologies, no?
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.