On April 3rd 2019, the World Health Organization (WHO) published a press release announcing the results of a coordinated effort led by the WHO Digital Health Technical Advisory Group to develop technical solutions that could trace the development of the COVID-19 infection, perform population screening, and more efficiently allocate limited medical resources.
In the early days of the COVID-19 pandemic, countries like Singapore, South Korea, Taiwan, Italy and Spain released—either at a regional or national level—Android apps to assist their citizens by providing them with information, or by allowing them to self-diagnose their symptoms to alleviate the load on public health systems. However, the hurried pace at which these apps were released, and their ability to collect and process very sensitive data about their users at such a critical and information-dense time, have raised numerous concerns among privacy advocates.
To that end, we analyzed four recently created apps developed or published by public organizations in Spain: CoronaMadrid from the regional government of Madrid, COVID-19.eus from the public health service of Euskadi, STOP COVID19 CAT from the regional government of Catalunya, and Asistencia COVID-19 from the Ministry of Economy and Digital Transformation.
Our platform allows us to examine how and when apps access sensitive data, and where it’s sent. And, since the SDKs that offer common functionality to app developers (like remote data storage or location and mapping services) often manage sensitive data, our platform also identifies which are present in an app, and what they have been doing.
While none of the apps appear to show evidence of egregious privacy behaviors, we did find several problems that we believe need to be addressed when building and deploying almost any app—let alone one that is designed to manage the personal information of the public at such a sensitive time.
1. As is common in most mobile apps, all four depend on cloud services such as Google Cloud (CoronaMadrid and Asistencia COVID-19), Mubiquo’s push notification and geo-fencing services (STOP COVID19 CAT), and Amazon Web Services (STOP COVID19 CAT), most likely to speed up development and to scale up their backend infrastructure easily. As a result, sensitive data from citizens, including national ID numbers, geolocation data, phone numbers, chronic medical conditions, and COVID-19 symptoms, is hosted on services offered by non-European companies and is thus also subject to foreign jurisdictions.
2. The lack of meaningful information in the X.509 certificates of the server instances deployed in the cloud makes it difficult to attribute those servers to specific stakeholders (government agencies, or third parties such as partners or providers). As a result, it is difficult to identify the organizations responsible for collecting sensitive data, or to tell whether they act as a first-party or a third-party service (STOP COVID19 CAT, COVID-19.eus).
3. The app publishers are not sufficiently transparent about the presence of third-party SDKs like Crashlytics, Google Firebase, or Google’s Mobile Services (GMS).
4. Both CoronaMadrid and Asistencia COVID-19 upload data to the same database hosted by Google Cloud. We cannot tell whether they act as individual or joint data controllers, as defined in Art. 26 of the GDPR, because there is not sufficient information in either of their privacy policies to accurately identify each publishing organization’s respective role.
5. The four apps implement authentication mechanisms based on SMS text messages (two-factor authentication) and national ID numbers (or social security numbers). However, these technologies can be easily circumvented with fake information (e.g., ID number generators and disposable SMS services). This lack of control over the authenticity of the users could have a negative effect on the quality of the data collected to control the pandemic.
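To illustrate the attribution gap raised in point 2, here is an added Go example (written for this post, not code from the original analysis or from any of the apps) that builds two constructed self-signed certificates, one with a hostname-only Subject and one whose Subject names the operating organisation, and checks which of the two can be attributed to a stakeholder; the hostname and organisation name are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// AttributeOperator returns the Organization(s) named in the Subject and true, or the
// SAN hostnames and false: a hostname identifies the machine, not who operates it.
func AttributeOperator(cert *x509.Certificate) (string, bool) {
	if len(cert.Subject.Organization) == 0 {
		return strings.Join(cert.DNSNames, ","), false
	}
	return strings.Join(cert.Subject.Organization, " / "), true
}

// MakeSelfSignedCert builds a throwaway self-signed certificate (constructed
// test data, not any real deployment) with the given Subject and SAN.
func MakeSelfSignedCert(subject pkix.Name, dnsName string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so Subject/DNSNames come from the DER
}

func main() {
	dv, _ := MakeSelfSignedCert(pkix.Name{CommonName: "api.example.invalid"}, "api.example.invalid")
	ov, _ := MakeSelfSignedCert(pkix.Name{CommonName: "api.example.invalid",
		Organization: []string{"Example Health Agency"}}, "api.example.invalid")
	fmt.Println(AttributeOperator(dv)) // api.example.invalid false
	fmt.Println(AttributeOperator(ov)) // Example Health Agency true
}
```

The same check applied to a live endpoint's certificate chain (Subject and Issuer of each hop) is what lets an auditor separate a government-run backend from a provider or partner acting as a third party.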
You can read the full report here.