The majority of state-backed Covid-19 coronavirus apps are “collecting superfluous amounts of data”, according to an investigation by digital security company Surfshark.
In reaction to the digital pandemic tracking measures that at least 19 countries have put in place, Surfshark analysed 10 apps that are live now in 10 countries around the world.
It found that seven out of 10 apps monitor GPS location, while 60% are unclear about what they track, do not provide terms and conditions upfront, or use intrusive methods, such as surveillance camera footage, to keep tabs on users.
At least two of the apps clearly state that they will share information with third parties, however.
The UK’s contact tracing app is not yet live and is still under development by National Health Service innovation unit NHSX, but health secretary Matt Hancock has already signed a notice providing legal backing for the NHS to set aside its duty of confidentiality in data-sharing arrangements.
Dubbed the Covid-19 Purpose, the new data-sharing agreement means NHS organisations and GPs can share any, and all, patient data with any organisation they like, provided it is for the purpose of fighting the coronavirus outbreak.
“Many crisis-management measures might become a fixture of life,” said Naomi Hodges, cyber security adviser at Surfshark. “Therefore, we must consider how our life after Covid-19 will be impacted permanently. Governments worldwide are introducing invasive, privacy-ignoring measures that people adapt to because they are afraid.
“Such Orwellian security measures, driven by the seemingly noble goal of public health safety, can be dangerous for a lot of reasons, the first of which is the fact that the majority of people lack cyber security education to evaluate the potential consequences of sharing their data.”
Drilling into the details of the apps, Surfshark found some of them could track a range of sensitive data, including people’s political views or sexuality.
In Colombia, for example, users are asked to provide their name, sex, date of birth, ethnicity and email address, but the terms and conditions remain unclear, so there is no way of knowing how the data will be used or protected.
On top of this, users are also asked whether they have taken part in any mass events in the past eight days, which, given recent protests in the country, could be used to identify people’s political leanings.
While Colombia’s Android-only app was developed by its National Health Institute, CoronaMadrid in Spain has been developed with the help of private companies, including Google, Telefónica, Goggo Network, Ferrovial, Carto, Forcemanager and Mendesaltren.
Data collected by the app includes name and surname, mobile phone number, ID, date of birth, email address, physical address, gender, and the phone’s GPS location.
Surfshark identified a total of four apps that were developed by, or with the help of, non-governmental bodies or private companies.
“Collecting an incredible amount of user data is increasingly recognised as a bad thing,” said Surfshark in a blog post. “It can fuel discrimination, especially since innocent-looking data may reveal sensitive information. Political views or sexuality may be things that have life-threatening consequences for people in some countries.
“On top of that, some app developers may have other interests – especially in cases such as the Alibaba group helping develop the Chinese app, or Google being involved in the development of the CoronaMadrid app. Ultimately, users would have to trust every company involved not to exploit the crisis.”
Surfshark said it remains unclear whether these apps will do more harm than good in the long run, and that it could “be the dawn of a true surveillance culture” if the information collected ends up being retained by the app’s creators.
“Mass surveillance is quickly spreading along with the advancing technology – and this pandemic crisis is allowing them to both set a precedent and normalise it,” said Hodges.