By: Stéphane Labarthe and Andrés Velasquez
In Colombia, both the national and local governments are adopting and deploying technological tools with a variety of functionalities: disease information, symptom tracking, contact tracing, mobility passports, and even enforcement of quarantines or stay-at-home orders.
Karisma's Digital Privacy and Security Lab, K+Lab, analyzed three tools available in Colombia in order to understand how they protect privacy and address digital security. The tools audited are: CoronApp_Colombia, the "Cali Valle Corona" app, and the "Medellín me cuida" website. These three were selected because of the size of their user base: they are deployed throughout the national territory or in densely populated areas.
The following is a summary of the results of this assessment:
- Lack of public information on the purposes for which these technological solutions are deployed, how they work, and how they fit into national or local epidemiological strategies. There are no policy briefs or documents explaining these technological responses, nor is there any information showing that they were built with digital security or privacy by design. CoronApp_Colombia is stated to be licensed under the GNU General Public License, but its source code has not been published. The absence of official information contrasts with the many aspirational statements about the role these tools are playing and will play during and after the emergency.
- Non-compliance with the basic legal requirements of the national data protection framework. For example, consent is not requested for each functionality; instead, for most functions it is assumed from the mere download or use of the tool, or consent given for one functionality is treated as covering others.
- Reckless deployment of solutions that puts the sensitive personal data of hundreds of thousands of users at risk. Karisma's audit found significant vulnerabilities in all three technological solutions. The vulnerabilities were reported and the teams responsible subsequently corrected them. There remains concern, however, about the haste with which these tools are deployed: without regard for quality standards, without verifying the digital security of the application (including through different auditing techniques), and without publishing a secure channel for reporting security problems in them.
Our analysis of the above-mentioned technological solutions includes some recommendations for national and local authorities that we believe may be relevant to the OECD’s work on this issue:
- Transparency is crucial for building public trust. Karisma calls on government authorities to disclose the scope and objectives of these technologies, how they fit into a broader epidemiological strategy, how their effectiveness will be measured, and so on. To increase transparency, government authorities should also publish technical documents that explain the different technologies and functionalities of each application.
- Privacy by design must be at the core of the development of these technologies. To this end, data collection must be limited to strictly what is necessary to achieve the stated goal of any proposed solution. The life cycle of the data collected by these solutions must also be clearly established, together with a monitoring mechanism to verify that these requirements are met. Attention must also be paid to compliance with data protection legal frameworks; key elements here are clearly stating who keeps the data, who processes it, who can access it, and for how long after the crisis is over.
- The adoption of pseudonymization techniques should be encouraged. Since the collected data are intended to inform public policy decisions to contain the spread of the virus, pseudonymization is of the utmost importance. A good framework for this is suggested by the European Data Protection Board (formerly the Article 29 Working Party, G29). Pseudonymization could even facilitate future use of the data in medical and scientific studies while protecting users' privacy far more effectively and reducing the risk of misuse by anyone who wants to study the data. If digital proximity-based contact tracing is implemented, it should likewise be done pseudonymously, for example by adopting the DP-3T protocol (Decentralized Privacy-Preserving Proximity Tracing). This minimizes the possibility of the State learning with whom, where and when people meet. It matters even more in the Colombian context, where abuses of surveillance powers and technologies against journalists, human rights defenders, political opponents and others have been documented for years.
- All digital security best practices should be implemented. Those building technological solutions to contain the spread of the virus must treat their systems as high-value targets for hackers, cybercriminals and even other States, as the attempted cyberattacks against the World Health Organization and governments in recent weeks have shown. No emergency exempts developers from taking serious steps to ensure digital security. Good practices that should be promoted and implemented include periodic internal and external audits of all kinds (code review, penetration testing and the like); publication of audit reports and follow-up on the problems identified; the creation of secure channels for reporting vulnerabilities; and others. Timely and effective communication of this information also builds public trust.
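The pseudonymization recommendation above is easy to get wrong in practice. The following is an added example, not code from Karisma's report or from any of the audited apps, that shows the difference between hashing a national ID number (which an attacker who can enumerate the ID space simply reverses) and a keyed pseudonym under a secret held only by the data controller, followed by a simplified version of how DP-3T derives rotating ephemeral Bluetooth identifiers from a daily key so that observers cannot link a person's broadcasts across days. The sample ID, the 32-byte day key and the use of HMAC in counter mode as the pseudorandom generator (DP-3T specifies AES in counter mode) are assumptions for illustration.

```python
"""Added example: pseudonymization done badly and done properly, plus a
simplified DP-3T-style ephemeral identifier schedule. Not from the original
report; parameters and sample data are constructed for illustration."""
import hashlib
import hmac
from typing import Iterable, List, Optional, Set

# Constructed sample. Colombian cédula numbers have roughly 6 to 10 decimal
# digits, so the whole identifier space is cheap to enumerate.
SAMPLE_CEDULA = "1012345678"

EPHID_LEN = 16        # bytes per ephemeral identifier, as in DP-3T
EPOCHS_PER_DAY = 96   # 15-minute epochs per day, as in the DP-3T low-cost design


def naive_pseudonym(cedula: str) -> str:
    """What a rushed app might do: an unkeyed hash of the raw identifier."""
    return hashlib.sha256(cedula.encode()).hexdigest()


def reverse_naive(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: anyone who can enumerate identifiers recovers the
    original from an unkeyed hash, so this is not pseudonymization."""
    for candidate in candidates:
        if naive_pseudonym(candidate) == target:
            return candidate
    return None


def keyed_pseudonym(cedula: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept by the data controller. Without
    the key, enumeration no longer works, and rotating the key yields a
    fresh, unlinkable pseudonym set for later studies."""
    return hmac.new(key, cedula.encode(), hashlib.sha256).hexdigest()


def next_day_key(sk: bytes) -> bytes:
    """DP-3T: SK_{t+1} = H(SK_t). The chain only runs forward, so a key
    published for day t reveals nothing about days before t."""
    return hashlib.sha256(sk).digest()


def ephemeral_ids(sk_day: bytes, n: int = EPOCHS_PER_DAY) -> List[bytes]:
    """DP-3T: EphIDs = PRG(PRF(SK_t, "broadcast key")) cut into 16-byte
    pieces, one per epoch. PRG here is HMAC-SHA256 in counter mode, an
    assumption standing in for the AES-CTR used by the real protocol."""
    seed = hmac.new(sk_day, b"broadcast key", hashlib.sha256).digest()
    stream = b""
    counter = 0
    while len(stream) < n * EPHID_LEN:
        stream += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return [stream[i * EPHID_LEN:(i + 1) * EPHID_LEN] for i in range(n)]


def matches_reported(observed: Set[bytes], reported_sk: bytes, days: int) -> bool:
    """Exposure check run locally on the phone: regenerate the EphIDs of a
    diagnosed user's reported day key and its successors, and look for
    overlap with identifiers this phone has seen. No one else learns whom
    this phone met."""
    sk = reported_sk
    for _ in range(days):
        if observed & set(ephemeral_ids(sk)):
            return True
        sk = next_day_key(sk)
    return False


if __name__ == "__main__":
    # Unkeyed hash reversed by scanning a small slice of the ID space.
    hashed = naive_pseudonym(SAMPLE_CEDULA)
    print("recovered:", reverse_naive(hashed, (str(n) for n in range(1012345000, 1012346000))))
    # Keyed pseudonym: same ID, different keys, unlinkable outputs.
    print(keyed_pseudonym(SAMPLE_CEDULA, b"k1" * 16) != keyed_pseudonym(SAMPLE_CEDULA, b"k2" * 16))
    # DP-3T-style exposure check using a constructed day key.
    sk0 = bytes([1]) * 32
    seen = {ephemeral_ids(next_day_key(sk0))[5]}
    print("exposed:", matches_reported(seen, sk0, days=3))
```

The controller-held key is the whole point of the keyed variant: the national ID can still be re-identified by the controller when the law requires it, but a leaked database of pseudonyms cannot be reversed by a third party. In the DP-3T part, only the day key of a diagnosed user is ever uploaded, and the matching runs on each phone, which is what keeps the State from learning who met whom.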
In conclusion, the eagerness to adopt technological solutions in an emergency is pushing us toward a zero-sum framing that we must reject. It is not the case that for one value to win (health, the economy) another (privacy) must be given up; there is no trade-off between health and privacy. Proposed solutions that collect sensitive personal data should elicit a highly responsible response from the entities entrusted with them, which are the recipients of enormous public trust. These exercises should be the starting point for a significant improvement in how public entities process data during this emergency, so that they are technically up to the task at hand.
It is normal that, faced with a global problem such as this pandemic, governments look to the technological measures being implemented in other countries in order to learn from them. That search should not proceed without a critical analysis of the specific reasons that, in each particular context, justify adopting the technology and of how the adoption is carried out. We must not be swayed by well-intentioned but non-evidence-based promises and declarations of success when trying to solve the health crisis we are living through. Moreover, the race to show results drives weak developments that endanger people. Unfortunately, the prevailing approach seems closer to the popular saying that it is easier to ask forgiveness than permission than to governments' obligation to protect their citizens.
Finally, we stress that technology is no substitute for good public policy. Deploying technology without sufficient control over outcomes, and without evidence of an adequate impact on the pandemic, may generate more problems than benefits. It can also deepen the crisis by breaking the trust that people place in these applications.
For more information
The CoronApp_Colombia technical report on digital security and privacy (available in English)
In Spanish you can read about: