Why state spying fears are overblown
Worried about being spied on by the state if you use its Covid-19 contact tracing app? You don’t need to be
"Would you trust the gov not to gather data on you?" a sceptical Twitter user tweeted last week. It is a valid question posed to a community of keyboard warriors questioning the SA government’s newly launched Covid-19 contact tracing app, Covid Alert SA.
The health department launched the app, which has been available to download from the Google Play Store and the iOS App Store since September 1. It is built on Google and Apple’s new exposure notification platform, which uses Bluetooth technology to alert users who have come into contact with someone who has Covid. The same platform is being used by a number of other countries.
"By downloading and using the Covid Alert SA app, you become part of a powerful digital network of app users who choose to work together for the benefit of everyone in the app community while all enjoying complete privacy and anonymity," the department says.
However, in a world where personal data has become a valuable currency, concerns about privacy are not misplaced.
And for South Africans who have witnessed deeply rooted government corruption, these fears are compounded. Can this same government be trusted to handle a new technology that could, in theory, track anyone who downloads it?
Since its launch, South Africans have taken to social media platforms to question the scope of the app’s user tracking capability.
But the reality is that everyone already carries a tracker in the form of a smartphone. Smartphones harvest vast troves of personal data — far more, in fact, than any single app can.
The Covid Alert SA app uses mobile networks and the Bluetooth low-energy protocol to register if you’ve been in close contact with a person who has reported being diagnosed with Covid-19. This makes it far more benign in comparison with other apps.
"Anybody who has downloaded this app would know that there is no user registration," Gaurang Tanna, technical lead for the Covid tracing project at the health department, told eNCA.
"The app works completely anonymously. For you to receive alerts you don’t need to register. The app does not use GPS, but it uses Bluetooth. In fact, it uses low-energy protocol. And that really only measures close proximity to other app users and not your actual location," he said.
The app was built using the exposure notification platform that Apple and Google developed earlier this year, and according to experts in the field, as well as Google’s own application programming interface explanation, it doesn’t collect or distribute personal information.
But the questions about its scope haven’t been addressed by the government. The department has used blanket terms to "cover the bases". Though its hesitancy to flesh out technical details when addressing the general public is understandable, it is more important to offer full transparency. "The app protects your privacy and security at all times. It does not need or store any of your personal information," the department says on its website.
The official Google explainer on contact tracing is far more forthcoming: "This technology only works if you decide to opt in. If you change your mind, you can turn it off at any time … The exposure notifications system does not collect or use the location from your device.
"All of the exposure notification matching happens on your device. The system does not share your identity with other users, Apple, or Google. Only public health authorities will be able to use this system. They must meet specific criteria around privacy, security, and data use."
In building this app, local developers would have had to adhere to Google and Apple’s security protocols for it to be made available to the general public while using the tech firms’ technology. This means that the government does not inherently control the technology. It has just packaged already available technology for the SA user.
But the system relies on mass adoption by the public for it to work optimally. And people will need more than a vague prompt from President Cyril Ramaphosa to be persuaded to use it. A more open discussion is needed, so people can understand how this app works, and how it ensures anonymity.
If you do decide to use the app, you’ll download a small file of about 3MB. Upon opening the app, it’ll ask for permission to use your device’s Bluetooth as well as your phone’s mobile connection. It does not ask for access to location data.
"When it comes to tech, there are always going to be advantages and disadvantages with varying technologies, but the advantage of a Bluetooth-based system, in terms of privacy, is that it doesn’t depend on collecting location data, and so the individual identities of people are not tied to contact events," says Jarred Mailer-Lyons, head of digital at The MediaShop.
For the app to work, you will need to have Bluetooth switched on all the time. Your phone will send other smartphones in your proximity random IDs that can’t be used to identify a person or a location.
When you go to your local shop, for example, and you have the app running in the background, it’ll ping nearby devices (that also use the app) and collect anonymised IDs that can’t be linked to either person or phone number.
If you happen to test positive for Covid a few days later, a notification will be sent to all of those anonymous IDs that they may have been in contact with a positive case.
"The app uses Bluetooth and geolocation to collect a user’s personal information and that is then stored within their mobile devices in a model that is known as self-sovereignty identity," Mailer-Lyons says. "The personal information is only saved on the user’s personal device and not on a centralised private or government-owned database — meaning that the personal information never physically leaves the device."
So while questions about privacy are legitimate, the world is fighting a pandemic in an age when digital technology is available to help the cause. This app, seen under that lens, is just another tool we can recruit.
Would you like to comment on this article or view other readers' comments?
Register (it’s quick and free) or sign in now.
Please read our Comment Policy before commenting.