People’s privacy to the fore as Govt. introduces ‘Stay Safe Sri Lanka’

(ICTA), which developed the web system, says it takes responsibility as data custodian, while health authorities and designated contact tracing units will use the data for the purpose of COVID-19 control

‘Stay Safe Sri Lanka’, the Government’s recently-introduced web solution for contact tracing of Covid-19 patients was received with deep skepticism by the public and industry experts.

Such technology is a part of the battle against Covid in many countries with authorities looking for ways in which to reduce the time within which close contacts of those that test positive are found. But apps monitoring user location and proximity to other users via the internet and Bluetooth have not been well-received due to privacy concerns.

And this is worrying because the success of these systems largely depends on the numbers that sign up for them: The more signed up, the more efficient the contact tracing.

Most countries that have adopted similar contact tracing methods, including Singapore, have app-based solutions, said Hiranya Samarasekera, Chief Technology Officer of the Information and Communication Technology Agency (ICTA), which developed the system. In Sri Lanka, however, app penetration is low. And limitations such as Bluetooth disconnection could render the system useless.

But ICTA’s solution, he said, is unique because it caters to the whole population. “We have overcome the digital divide by reaching even low-income people who don’t have a device,” Mr Samarasekera said.

Critics, however, pointed to serious privacy concerns in such a system. The information it requires a person to enter includes national identity or passport number and contact details. Mr Samarasekera said, however, that it is covered by an extensive privacy protection policy available on the ICTA website, crafted meticulously to “ensure maximum user security.”

ID numbers and contact details are collected to facilitate tracking. A mobile number may be a unique identifier but there are practical problems in depending on just that because SIM ownership can vary.

Everything, Mr Samarasekera continued, is under the supervision and control of the Government and ICTA. Information is stored in a private data-centered infrastructure called the Lanka Government Cloud, built and operated by ICTA for the Government. Unlike the clouds provided by Microsoft and Amazon, it isn’t public. It is built for Government purposes and limited to Sri Lanka. ICTA takes responsibility as data custodian while health authorities and designated contact tracing units will use the data for the purpose of virus control.

For security and technical reasons, data will be retained for only 60 days, after which it will be purged. This is because ICTA did not want to make it “unnecessarily vulnerable”. The information is kept only for as long as is needed to facilitate contact tracing within treatment and quarantine periods as advised by the Health Ministry. Besides, said Mr Samarasekera, it wasn’t practical to maintain so many terabytes of data for no reason.

ICTA also claimed it was constantly upgrading protection measures with multiple security audits for the collected data. Additionally, the Sri Lankan cybersecurity community had come together to help improve the Stay Safe app.

The app has sufficient safeguards to ensure privacy of user data, insisted Jayantha Fernando, Director/Legal Advisor at Sri Lanka CERT (Community Emergency Response Team). The policy was constantly evolving, he said, and data is collected only for Covid management.

Meanwhile, there are talks to bring the system completely under health management. This will guarantee even more protection. The possibility of amending certain regulations issued under the Quarantine and Disease Prevention Ordinance is also being explored to further ethical governance of the public’s data.

“This is definitely a step up from the pen-and-paper contact tracing system we’ve been following which can be wildly inconsistent,” noted LirneAsia Researcher Merl Chandana. The speed with which first, second, even third contacts can be found will make tracing more efficient.

But that will still clash with privacy. In other countries, this type of app is referred to as a “check-in” app. It doesn’t track your location in real-time or even your proximity to other people. Since it only gathers information of the places you have “checked in to”, your movement is not constantly tracked.

The system requires you to trace and contact a large number of persons who were at a particular location within a certain timeframe and ensure they follow health guidelines including self-isolation. This might not work in large spaces and longer time periods and when case counts are not too high. However, it will see that risk of disease spread is minimized, said Mr Chandana.

LirneAsia statistics from 2018 showed smart phone penetration of around 40 percent. Confusion about the availability of the app had, however, deterred many users.

Success of such systems also depends on how much power the Government exerted over them, Mr Chandana said. In some other countries, citizen information is held under a pseudo-code to further protect identities.

But the biggest privacy concern was the stigmatization of people who tested positive, which could even lead to blackmail. Meanwhile, people might also want to mask certain places they visit. The public might be encouraged to use the app if they were told how it will help health professionals.

“People are generally skeptical of the Government but will respond to assisting the health professionals,” Mr Chandana said.

“Viability depends on how the government enforces the system,” said Sanjiva Weerawarana, Chief Executive Officer of WSO2 who had been vocal on social media about possible risks. But these have since been corrected, ICTA claimed.

“This must not be optional,” Mr Weerawarana insisted. “ICTA needs to restore the public faith in this system by backing it up with transparency and technical credibility to assure the safety and security of the people’s data.”

ICTA has no immediate plans to legislate use of the app. It hopes to spread information using media. And by emphasizing the security of private data, it anticipates a better following soon.

ICTA’s three-pronged approach
ICTA has taken a three-pronged approach with contact tracing.

The first method is the QR (quick response) code scanning method. Organizations registering for the web solution will receive a unique QR code and location ID to be printed out and displayed at check-in and check-out locations. Users scan it on their phones.

Mr Samarasekera says it was a misconception to call the system an “app”. ICTA didn’t build a new app for contact tracing. The features are piggybacking on existing local apps many smart phone users already have installed such as HelaKuru, Ipay, Solo By HNB, MyHealth, and other QR code scanning apps. It will also be available via Pickme soon.

The idea is to make the facility accessible without added download charge or device space allocation. A large segment of the population could then seamlessly enter and exit locations protected by Stay Safe. Despite piggybacking on other apps, data will go directly into the Stay Safe database.

Those without smartphones have the SMS option. They can SMS the location code to 1919 at check-in and check-out. All network providers have agreed the services will be free of charge.

The last option is a dashboard which will be provided to organizations that sign up for Stay Safe. For people with no devices, an employee at the door will collect information and enter it into an interface that will transfer it to the Stay Safe system. Private companies have responded because they want to protect their employees and customers, Mr Samarasekera said.

When a person tests positive for the virus, the contact tracing unit will extract their information and recent activity from the database. This will be used to identify other registered users who were at the same location within the same time frame. They will be notified to take the necessary precautions until the health sector arrives. Notifications, too, will be sent at the discretion of the expert team handling contact tracing.

 

 
