The Stop COVID-19 application was developed by APIS IT for the Croatian Ministry of Health, based on Google / Apple Exposure Notification (GAEN) technology, which uses Bluetooth and works on Google's Android mobile devices and Apple's iPhones. The technology is designed to detect a contact between persons and send a record of it to a decentralized database. It needs to be embedded in applications developed by health facilities of each country.
Politiscope considers that this application and similar digital solutions can be extremely useful, but we are also convinced they can be effective only if they enjoy the full trust of citizens and the public. We believe that public trust, as a prerequisite for widespread voluntary use of such technology, can be built only if the highest levels of privacy protection and full transparency are applied. This analysis is therefore aimed at detecting possible deficiencies in the protection of privacy and personal data of users. Legal and technical analysis assess the compliance of the application with the basic principles of the General Data Protection Regulation and publicly available information on its functioning. The analysis is intended for decision-makers in the executive branch, whose range of responsibilities include the development of digital solutions for pandemic management. The analysis contains recommendations that should be applied when designing digital solutions in the future, especially contact tracing solutions created to manage possible new pandemics. The legal analysis of the application was conducted by Duje Kozomara, Deputy Executive Director of Politiscope, a personal data protection expert certified by the International Association of Privacy Professionals (IAPP). The technical analysis of the application code was performed by the developers: Tomislav Homan (Flabbergast d.o.o) for Android, Ivan Blagajić (Source Code d.o.o) for iOS.
The authors of the technical code analysis recommend removing third-party dependencies that are not necessary for the core functionality of the application. This is especially true for Google Analytics on the Android version, the library which is evaluated as the highest data protection risk. The way the Google Play service works in the Android version of the app is extremely worrying by itself, as it sends the entire range of user data to Google on average of every 20 minutes. At the same time, by using Google Analytics, this technology giant, also known as the biggest invader of privacy, receives an additional set of personal data. It is known that the company uses such data for the purpose of profiling and serving targeted ads to users. We believe that citizens certainly do not want their data related to information on whether they have been in epidemiologically risky contact to be processed in this way, without their knowledge and explicit consent.
Croatian Personal Data Protection Agency (AZOP) needs to have the technological capacity to independently analyze digital solutions and detect deficiencies identified in this analysis. AZOP is in a subordinate position to the Government due to the director’s permanent conflict of interest arising from his close ties to the Government and the ruling party. AZOP is not a truly independent oversight body that would warn the government of the shortcomings of digital solutions it develops, let alone ban its use until all key shortcomings are dealt away.
Photo: Electronic Frontier Foundation