January 20, Asia Meetup: Difference between revisions

From TCU Wiki
No edit summary
Line 24: Line 24:
12 attendees  
12 attendees  


# Topic Sharing : Government-launched COVID-19 Apps in Indonesia and the Philippine
=== Topic Sharing : Government-launched COVID-19 Apps in Indonesia and the Philippine ===
The Pellaeon and The Citizen lab's research briefing:https://citizenlab.ca/2020/12/unmasked-ii-an-analysis-of-indonesia-and-the-philippines-government-launched-covid-19-apps/
The Pellaeon and The Citizen lab's research briefing:https://citizenlab.ca/2020/12/unmasked-ii-an-analysis-of-indonesia-and-the-philippines-government-launched-covid-19-apps/
One of the findings is a lot of unnecessary requests: multiple dangerous permissions, including location permissions capable of recording geolocation, camera permissions capable of taking photos and recording video, as well as device storage permissions capable of reading users’ photos and other files.
One of the findings is a lot of unnecessary requests: multiple dangerous permissions, including location permissions capable of recording geolocation, camera permissions capable of taking photos and recording video, as well as device storage permissions capable of reading users’ photos and other files.
Line 34: Line 34:
Luckily, not many users because it specificly for health workers.  
Luckily, not many users because it specificly for health workers.  


## How to determine if an app follows data minimization principles?
=== How to determine if an app follows data minimization principles? ===
Does it make sense for the app to collect data using this permission?
Does it make sense for the app to collect data using this permission?
For example, Foodpanda, a food delivery app, why does it need camera permission? You should be able to just click and enter your address and order items, without needing the camera. Therefore, the camera permission requested in Foodpanda does not make sense. This shows that the app does not follow data minimization principles, so it is better to choose other food delivery apps which collects less data.
For example, Foodpanda, a food delivery app, why does it need camera permission? You should be able to just click and enter your address and order items, without needing the camera. Therefore, the camera permission requested in Foodpanda does not make sense. This shows that the app does not follow data minimization principles, so it is better to choose other food delivery apps which collects less data.




## A good tool
=== A good tool ===
Exouds analysis system https://exodus-privacy.eu.org/en/, you can check what data items the app collects and what trackers it includes
Exouds analysis system https://exodus-privacy.eu.org/en/, you can check what data items the app collects and what trackers it includes
StaySafe-ph:(but not safe?) It has many users.  
StaySafe-ph:(but not safe?) It has many users.  
The code structure of this is better than COVID-KAYA
The code structure of this is better than COVID-KAYA


## Vulnerabilities  
=== Vulnerabilities ===
Vulnerabilities were also found within StaySafe and COVID-KAYA. The vulnerabilities exposes user data.
Vulnerabilities were also found within StaySafe and COVID-KAYA. The vulnerabilities exposes user data.


## PeduliLindungi
=== PeduliLindungi ===
It sends user device identifier for advertisement tracking service operated by Telekom Indonesia
It sends user device identifier for advertisement tracking service operated by Telekom Indonesia


 
=== COVID-19 App can be better ===
## COVID-19 App can be better
In Europe, some similiar Apps are  open source and have good security policy  and audits.
In Europe, some similiar Apps are  open source and have good security policy  and audits.


Q:App needs to require permission, how to allow App running but not give out too many? Is that possible to grant the permission for one time.  
'''Q:'''App needs to require permission, how to allow App running but not give out too many? Is that possible to grant the permission for one time.
A: there will be ok permission, such as internet access is a reasonable permission for FoodPanda to run. Need to think if this permission is critical and necessary for the App.  
'''A:''' there will be ok permission, such as internet access is a reasonable permission for FoodPanda to run. Need to think if this permission is critical and necessary for the App.  
After Android 7 (TBC), the permission can be graduatlly set. On Android 11, it should be able to grant the permission for only once.  
After Android 7 (TBC), the permission can be graduatlly set. On Android 11, it should be able to grant the permission for only once.  


Q:Why specifically look at the App in this two countries?
'''Q:'''Why specifically look at the App in this two countries?
A:Team decided in the begining (not me), but even for these 3 Apps, we took more than 3 months to do the analysis.  
 
'''A:'''Team decided in the begining (not me), but even for these 3 Apps, we took more than 3 months to do the analysis.  
 
'''Q:''' I know that Singapore and Malaysia has gov-made COVID-19 App too, do you have information about their App?


Q: I know that Singapore and Malaysia has gov-made COVID-19 App too, do you have information about their App?
'''A:'''The gov COVID-19 App - "BlueTrace" in Sigapore actually is the best in SouthEast Asia. It is even partly open-source. Sadly no other countries adopt it.  
A:The gov COVID-19 App - "BlueTrace" in Sigapore actually is the best in SouthEast Asia. It is even partly open-source. Sadly no other countries adopt it.  
There are too many Apps, we are not able to look into all of them.  
There are too many Apps, we are not able to look into all of them.  


Q:Is it the same research framework? Or are you looking at other aspects of it? Mysejahtera I mean
'''Q:'''Is it the same research framework? Or are you looking at other aspects of it? Mysejahtera I mean
A: I will use Part 3 research framework to analyze Mysejahtera.  
 
'''A:''' I will use Part 3 research framework to analyze Mysejahtera.
 
'''Q:'''There are too many Apps, is there idea how to do the research? Personal Data Protection Law?
 
'''A:''' In Indonesia, we don't have it, still being drafted, but not yet ratified.
 
'''A:''' In Philippines,  the one we have doesn't cover government sector. there is a data privacy law in the Philippines, and we have a National Privacy Commission. but I don't think NPC has been informed of the study. The Filipino data protection agency had probed into staysafe, but the app was published before the probing completes.


Q:There are too many Apps, is there idea how to do the research?
'''A:''' The App transpracy in Thailand is worse.


Q:Personal Data Protection Law?
'''A:''' In Malaysia, gov COVID-19 App is not moderatory to install.
A: In Indonesia, we don't have it, still being drafted, but not yet ratified.
A: In Philippines,  the one we have doesn't cover government sector. there is a data privacy law in the Philippines, and we have a National Privacy Commission. but I don't think NPC has been informed of the study. The Filipino data protection agency had probed into staysafe, but the app was published before the probing completes.
A: The App transpracy in Thailand is worse.
A: In Malaysia, gov COVID-19 App is not moderatory to install.

Revision as of 16:46, 3 February 2021

Asia Meetups

Date: January 20, Wednesday

Time: Delhi 13:30 (UTC+5:30) / Taipei-Kuala Lumpur 16:00 (UTC+8) / Tokyo 17:00 (UTC+9) / NYC 3am (EST)

Who: Facilitated by Lulu Keng,Don, Kaia, and Nica

Where: The Meetjitsi link will be shared in the following rooms on the IFF Mattermost one or two hours before the start of the meeting: Southeast Asia, Central Asia and East Asia.

Agenda: Research about COVID tracing app in Southeast Asia.

Notes

Community Updates

12 attendees

Topic Sharing : Government-launched COVID-19 Apps in Indonesia and the Philippine

The Pellaeon and The Citizen lab's research briefing:https://citizenlab.ca/2020/12/unmasked-ii-an-analysis-of-indonesia-and-the-philippines-government-launched-covid-19-apps/ One of the findings is a lot of unnecessary requests: multiple dangerous permissions, including location permissions capable of recording geolocation, camera permissions capable of taking photos and recording video, as well as device storage permissions capable of reading users’ photos and other files.

Such as COVID-KAYA, why it needs camera premission? Based on source code inspection, the app does not actually use the camera for anything Requesting this permission is unnecessary If vulnerabilities are found within the app, the attacker may utilize the camera access that the app has access to to spy on victims. Luckily, not many users because it specificly for health workers.

How to determine if an app follows data minimization principles?

Does it make sense for the app to collect data using this permission? For example, Foodpanda, a food delivery app, why does it need camera permission? You should be able to just click and enter your address and order items, without needing the camera. Therefore, the camera permission requested in Foodpanda does not make sense. This shows that the app does not follow data minimization principles, so it is better to choose other food delivery apps which collects less data.


A good tool

Exouds analysis system https://exodus-privacy.eu.org/en/, you can check what data items the app collects and what trackers it includes StaySafe-ph:(but not safe?) It has many users. The code structure of this is better than COVID-KAYA

Vulnerabilities

Vulnerabilities were also found within StaySafe and COVID-KAYA. The vulnerabilities exposes user data.

PeduliLindungi

It sends user device identifier for advertisement tracking service operated by Telekom Indonesia

COVID-19 App can be better

In Europe, some similiar Apps are open source and have good security policy and audits.

Q:App needs to require permission, how to allow App running but not give out too many? Is that possible to grant the permission for one time.

A: there will be ok permission, such as internet access is a reasonable permission for FoodPanda to run. Need to think if this permission is critical and necessary for the App. After Android 7 (TBC), the permission can be graduatlly set. On Android 11, it should be able to grant the permission for only once.

Q:Why specifically look at the App in this two countries?

A:Team decided in the begining (not me), but even for these 3 Apps, we took more than 3 months to do the analysis.

Q: I know that Singapore and Malaysia has gov-made COVID-19 App too, do you have information about their App?

A:The gov COVID-19 App - "BlueTrace" in Sigapore actually is the best in SouthEast Asia. It is even partly open-source. Sadly no other countries adopt it. There are too many Apps, we are not able to look into all of them.

Q:Is it the same research framework? Or are you looking at other aspects of it? Mysejahtera I mean

A: I will use Part 3 research framework to analyze Mysejahtera.

Q:There are too many Apps, is there idea how to do the research? Personal Data Protection Law?

A: In Indonesia, we don't have it, still being drafted, but not yet ratified.

A: In Philippines, the one we have doesn't cover government sector. there is a data privacy law in the Philippines, and we have a National Privacy Commission. but I don't think NPC has been informed of the study. The Filipino data protection agency had probed into staysafe, but the app was published before the probing completes.

A: The App transpracy in Thailand is worse.

A: In Malaysia, gov COVID-19 App is not moderatory to install.