Open letter to request strong user privacy protections in the Philippines’ COVID-19 contact tracing efforts

The Inter-Agency Task Force for the Management of Emerging Infectious Diseases (IATF-EID)

Department of Health (DOH)

Department of Information and Communications Technology (DICT)

Multisys Technology Corporation (Multisys)

World Health Organization (WHO)

Open letter to request for strong user privacy protections in the Philippines’ COVID-19 contact tracing efforts

To whom it may concern,

Following the spread of COVID-19, the Philippine government has launched an exposure notification application, StaySafe.ph, which aims to contain the pandemic in the country. The app was developed by Multisys Technology Corporation in partnership with the National Task Force Against COVID-19. While the effort is commendable, the importance of combating COVID-19 while protecting people’s individual freedoms, particularly the right to privacy, cannot be emphasized enough. We urge the authorities to provide more transparency in the COVID-19 contact tracing efforts in the Philippines to protect the privacy of users.

Given StaySafe.ph’s potential to put the privacy of its users at risk, the undersigned organizations request the Philippine government to provide users with a higher level of transparency and to uphold their privacy rights by releasing the white paper and the source code of StaySafe.ph, under an open-source license.  The white paper should document the system’s architecture, functions, protocols, data management, and security design. The source code should be of the deployed system; it should be complete, up-to-date, and buildable. This will help independent experts to examine any vulnerabilities in the system, which in turn can help secure the privacy and security of users and their data.

Resolution No. 45 of the Inter-Agency Task Force for the Management of Emerging Infectious Diseases (IATF-EID) notes the donation and use of StaySafe.ph, and provides information on the app’s source code, ownership of all data, and the related intellectual property rights.  The Resolution also states that all data in the app’s database shall be migrated to the COVID-KAYA application. COVID-KAYA has been developed by the World Health Organization (WHO) in coordination with the Department Information and Communications Technology (DICT) with the purpose to have a data collection system that can be used by health authorities when they collect COVID-19 case reports. We request the Department of Health (DOH) and relevant authorities to provide more transparency over the process by also releasing the white paper and the source code of the COVID-KAYA system under an open source license regarding its architecture, functions, protocols, data management, and security design.

Resolution No. 45 also states that the donated version of StaySafe.ph must be able to connect to existing digital proximity tracking technologies (e.g. Google and Apple); as such, we would like to encourage the Philippines to explore international best practices that protect the privacy of users. The use of a decentralized protocol for exposure notification apps (e.g. Decentralized Privacy-Preserving Proximity Tracing (DP-3T) or Temporary Contact Number (TCN)) is especially recommended. Human rights assessments, in particular a privacy impact assessment, should be conducted for both StaySafe.ph and COVID-KAYA according to NPC Circular 16-01, which has been issued by the National Privacy Commission on the security of personal data use by government agencies. The result of the assessment should be publicly available. The DOH should also ensure that the collected data by SafeStay.ph will, without exception, only be used for contact tracing purposes.

All these measures form part of the DOH’s obligations as a personal information controller (PIC) under the Data Privacy Act of 2012 (DPA), which mandates higher levels of security for the handling of any sensitive personal information by the government, including those handled through its contractors. The DPA also requires PICs to observe the principle of transparency, which is outlined in numerous international data protection standards. These obligations will help the Philippines align its contact tracing efforts with relevant international human rights instruments to which it adheres, including the Universal Declaration of Human Rights (Article 12) and the International Covenant on Civil and Political Rights (Article 17).

Our request finds support in the Interim Guidance issued  by the WHO, “Ethical considerations to guide the use of digital proximity tracking technologies for COVID-19 contact tracing” (WHO reference number: WHO/2019-nCoV/Ethics_Contact_tracing_apps/2020.1). The Guidelines identify 17 principles to guide governments, public health institutions, and non-State actors on the ethical and appropriate use of digital proximity tracking technologies to address COVID-19. The document recommends that the use of a contact tracking application should be based on the voluntary and informed consent of users. It also recommends that digital proximity tracking technologies be subjected to a test that is performed by an independent agency or research body and that the results of tests are made publicly available.  Furthermore, it recommends that data collection and processing be transparent, and that COVID-19 responses include the free, active, and meaningful participation of relevant stakeholders, including civil society organizations.

Summarizing the above statements, we request the authorities in charge to take the following actions:

1. Release the white paper and the source code of StaySafe.ph. The white paper should contain all the necessary details of the system’s architecture, functions, protocols, data management and security design. The source code should be that of the deployed system; it should be complete, up-to-date, and buildable so that the system’s security and privacy treatment can be independently verified. The white paper and the source code must be regularly updated along with the app.

2. Provide transparency of the COVID-KAYA system regarding its architecture, functions, protocols, data management, and security design by releasing the system’s white paper and source code under the open source license. The white paper should contain all the necessary details of the system’s architecture, functions, protocols, data management and security design. The source code should be that of the deployed system; it should be complete, up-to-date, and buildable. The white paper and the source code must be regularly updated along with the app.

3. Conduct human rights assessments, particularly a privacy impact assessment of both StaySafe.ph and the COVID-KAYA systems, as mandated by NPC Circular 2016-01, and release the results thereof to the public.

4. Follow the WHO’s Interim Guidance, ‘Ethical considerations to guide the use of digital proximity tracking technologies for COVID-19 contact tracing’, and protect the privacy of citizens in any upcoming contact tracing efforts in keeping with its international commitments to protect the fundamental human right to privacy. 

Yours sincerely,

DigitalReach

Foundation for Media Alternatives (FMA)

Democracy.Net.PH

Gender and Development Advocates (GANDA) Filipinas

EngageMedia

Freedom from Debt Coalition

Internet Society – Philippines Chapter

Philippine Computer Emergency Response Team (PhCERT)

Initiatives for International Dialogue (IID)

Sustainability and Participation through Education and Lifelong Learning (SPELL)

Human Rights Online Philippines

Association for Progressive Communications (APC)

Southeast Asia Freedom of Expression (SAFEnet)

University of the Philippines Center for Integrative and Development Studies Program on Alternative Development (UP CIDS AltDev)

CIVICUS: World Alliance for Citizen Participation 

Women’s Legal and Human Rights Bureau

Privacy International