Task force orders StaySafe developer to give users' data to DOH
MANILA, Philippines – The coronavirus national task force ordered the private developer of StaySafe, its official contact-tracing app, to transfer all citizens' information it collected to the Department of Health (DOH).
This was after IT experts and former information and communications technology official Eliseo Rio Jr sounded the alarm over StaySafe's privacy measures.
The Inter-agency Task Force on Emerging Infectious Diseases (IATF-EID) issued Resolution No 45 that ordered Multisys Technologies Corp, the app's developer, to comply within 30 days otherwise the government would revoke its endorsement of the app.
The task force ordered the firm to do the following:
- Enter into a memorandum of agreement with the DOH formalizing its donation of StaySafe's source code, data, data ownership, and intellectual property;
- Ensure the platform donated to DOH is capable of bluetooth digital contact tracing which can be connected to tracing technologies of Google and Apple and can become the frontend application system for local governments;
- Limit the function of StaySafe to the "collection" of data while storage of the data will be in DOH's Covid-Kaya system;
- Migrate data in StaySafe's database to DOH's Covid-Kaya.
If Multisys is unable to comply with the orders, IATF will withdraw its endorsement as the government's official contact-tracing app, which it formalized in April 22, in its 27th resolution.
The firm would also be required to migrate data collected by StaySafe to the Department of Information and Communications Technology (DICT).
But before Multisys can give StaySafe data and systems to DOH, the DICT and National Privacy Commission must issue a certification that the platform is "technically feasible and secure" and compliant with the Data Privacy Act.
The resolution specifies that "vulnerability assessment" and "penetration testing" of StaySafe should be conducted first.
However, it was the task force itself that had endorsed StaySafe app before it could pass technical vetting and privacy impact assessments.
Before the April 22 resolution giving StaySafe its official backing, the IATF had signed a memorandum of agreement with Multisys on April 8.
The document, seen by Rappler, was signed by the retired generals leading the government's coronavirus response – Defense Secretary Delfin Lorenzana and NTF chief implementor Carlito Galvez Jr.
Another signatory was National Security Adviser Hermogenes Esperon Jr.
Multisys CEO David Almirol Jr also told Rappler that he himself was surprised that the task force adopted StaySafe so quickly. His firm had to submit technical documents and privacy impact reports in April, but only after the MOA was signed. As of writing, the government's review of the platform is not yet finished.
Almirol said StaySafe was an existing tech being used by his firm that he decided to donate to the government in order to help fight the pandemic. He did not expect the amount of requirements being asked by government agencies.