StaySafe to use Google Apple Exposure Notifications for contact tracing

Pia Ranada
The Department of the Interior and Local Government now has control over StaySafe as the country tries to boost its contact tracing efforts

StaySafe, the Philippine government’s official “contact tracing” digital system, will soon be making use of Google Apple Exposure Notifications, a feature that allows people to detect COVID-19 cases near them using their phones.

StaySafe is the only platform in the Philippines that will be allowed to use the Google Apple Exposure Notification (GAEN) System, according to David Almirol Jr, CEO of its developer Multisys Technologies Corp, on Monday, March 29.

He told Rappler on Friday, April 2, that the Department of the Interior and Local Government (DILG) is set to activate the feature in the week of April 5.

How does it work?

The GAEN System is supposed to allow both Apple and Android devices to detect each other using Bluetooth, a capability that can then be used for contact tracing and to alert users of exposure to positive cases.

“Exposure Notifications System was built with your privacy and security central to the design. Your identity is not shared with other users, Google, or Apple,” reads Google’s FAQs about the system.

Once the user opts in to contact tracing on their phone, the system generates a unique ID per smartphone and uses Bluetooth to detect other IDs in the area. It then notifies the user when it detects an ID associated with the phone of a COVID-19 positive case.

To ensure privacy, the system changes your phone’s ID every 10 to 20 minutes. Also, it does not share your personal information or location with authorities. The Bluetooth technology only detects phones nearby and does not tell authorities where the detection took place. The matching of IDs happens on your device.
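
A simplified model of the rotating IDs and on-device matching described above, added here as an illustration; it is not StaySafe or GAEN code. Assumptions: HMAC-SHA256 stands in for the real key derivation, IDs rotate every 10 minutes, and a positive user's daily key is published for other phones to check; `Phone`, `rolling_id` and the sample timestamps are constructed.

```python
import hashlib
import hmac
import os

INTERVAL_SECONDS = 600  # assumption: rotate every 10 minutes (the page says 10 to 20)


def interval_number(unix_time):
    return unix_time // INTERVAL_SECONDS  # index of the 10-minute window


def rolling_id(daily_key, interval):
    """ID broadcast in one window; unlinkable across windows without daily_key."""
    msg = b"rolling-id" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_key = os.urandom(16)  # stays on the phone unless the user reports positive
        self.heard = {}                  # observed ID -> interval, stored locally only

    def broadcast(self, unix_time):
        return rolling_id(self.daily_key, interval_number(unix_time))

    def hear(self, observed_id, unix_time):
        self.heard[observed_id] = interval_number(unix_time)

    def check_exposure(self, published_keys, day_start):
        """Re-derive each published key's IDs for the day and match on-device."""
        first = interval_number(day_start)
        hits = []
        for key in published_keys:
            for interval in range(first, first + 144):  # 144 windows per day
                if rolling_id(key, interval) in self.heard:
                    hits.append(interval)
        return sorted(hits)


def demo():
    day_start = 1_617_580_800  # constructed sample: 2021-04-05 00:00 UTC
    alice, bob, carol = Phone(), Phone(), Phone()
    t_alice, t_carol = day_start + 3_000, day_start + 9_000
    bob.hear(alice.broadcast(t_alice), t_alice)  # Bob was near Alice
    bob.hear(carol.broadcast(t_carol), t_carol)  # and later near Carol
    # Alice tests positive and agrees to publish her daily key; Carol does not.
    hits = bob.check_exposure([alice.daily_key], day_start)
    return [i - interval_number(day_start) for i in hits]  # windows since midnight
```

Bob's phone learns only that it was near a reported case during window 5 of that day; no location or identity is exchanged, and the encounter with Carol never matches.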

For the exposure notification system to be effective, all StaySafe app users have to opt in to contact tracing on their phones.

Google said it only allows public health authorities to use the GAEN System. These government bodies are supposed to “meet specific criteria around privacy, security, and data use.”

DILG is now end-user of StaySafe

The DILG, which supervises local governments nationwide, is now the end-user of StaySafe’s backend. StaySafe was turned over to DILG last March 29, in a virtual event.

In initial talks with the government, Multisys was originally supposed to turn over the platform to the Department of Health, given its mandate to lead pandemic response.

But it was later decided that the system should go to the DILG since the DOH had delegated the department to lead contact tracing efforts.

The DILG, for example, had been given the budget to hire 50,000 more contact tracers.

Users can delete their info

Citizens can now also supposedly delete their own personal data from the system whenever they want, Almirol said during the turnover.

“For example, the pandemic is over, you can delete your own data. That’s 100%. You can have it verified by the [National Privacy Commission] if it was really erased,” he said in Filipino.

The feature that allows citizens to delete their data from the government’s system was required by the NPC to assuage concerns that the data could be used for purposes other than those related to the pandemic.

“This was what the NPC wanted us to add and we complied – that each individual has the right to erase their own data if they no longer need StaySafe,” said Almirol.

He showed options in the StaySafe app for users to either “Permanent (sic) Delete Account” or “Deactivate Account.”

Deactivating your account means the user’s information “will be temporarily disabled.” The account can be reactivated by logging back in.

Meanwhile, permanently deleting your account means reactivation will not be possible and the user won’t be able to retrieve information they submitted to StaySafe.

In the Philippines’ data privacy law, there should be a sunset period for the use of data collected from users.

StaySafe’s privacy notice had once stated that StaySafe and the government would retain users’ information “when required by law,” a phrase criticized by some data privacy experts as being too broad and indefinite, and thus prone to abuse.

But StaySafe has changed the privacy notice on its site.

It now says “users can completely delete their registered data within the platform” and that manual contact tracing data “shall be destroyed after a 60-day period.”

The 60-day period is supposed to be enough time for the government to use the data for contact tracing of first, second, and third generation close contacts.

Meanwhile, digital contact tracing data (or data obtained purely using contact-tracing apps) are to be destroyed after 30 days or “any time that it is required by private establishments,” reads the privacy notice.

These changes were made after media scrutiny on StaySafe led the government to order modifications to the platform.

Late turnover to government

The March 29 turnover was 8 months late. Last year, the pandemic task force had ordered Multisys to donate the platform and users’ data to the government by July 10, 2020, or else it would withdraw its official endorsement.

Despite Multisys failing to meet the deadline, the government did not withdraw its endorsement. In fact, it even promoted StaySafe further by requiring it for entry in government offices and even private establishments starting November 2020.

StaySafe’s turnover comes after the country’s own contact tracing czar Benjamin Magalong admitted that contact tracing was deteriorating amid an alarming surge in COVID-19 cases in Metro Manila and nearby provinces.

The government is now facing criticism over its weak contact tracing efforts, amid its imposition of lockdowns hurting the economy. – Rappler.com
