The internet is a ruthless place. At some point, you won’t know whether you’re reading misinformation or facts. This has been the case with the government’s new COVID contact tracing app called COVID Alert SA recently. South African citizens are overly critical of the app’s (and the government’s) intentions. And rightly so, with the ANCs track record with tech.
Which is why it’s important to bring up important technical points in the conversation. How does the app work? What personal information does it collect? What happens to said information? And what do Google and Apple have to do with the whole thing?
The ANC, which can't build a toilet, is going to spy on you via its Covid app? Oh they'll hire evil tech companies to do it? You mean like the evil tech companies that already know everything about you because you've clicked ACCEPT on every T&C for the last 10 years? Cool cool.
— Tom Eaton (@TomEatonSA) September 20, 2020
It’s also important to note that there isn’t much information the government doesn’t know about each and every citizen yet. It can easily track mobile users through network towers, access public social media profiles (let’s be honest… there’s a LOT of information publicly available here already), or access governmental documentation.
How does it work?
The app, called COVID Alert SA, will ask for a few permissions upon installation. These include Bluetooth access as well as mobile data access. It does not ask for GPS permissions, which means that it won’t collect geolocation data at all.
It uses something called low-frequency Bluetooth protocol, which means that it won’t drain your battery and works on the lower end of the Bluetooth spectrum. This Bluetooth access is used to ping nearby devices (that also have the app installed) in public places. It then collects anonymised IDs from each nearby device through Bluetooth and stores them directly on your device.
I’ve received a few messages asking me to clarify some misconceptions out there about South Africa’s Covid Alert App.
Here’s a 🧵 answering the most asked questions.
— Alastair Hendricks (@ali_hen) September 19, 2020
Now, let’s say you’ve decided to go for a COVID test because the terrible cough won’t go away and you sound like Batman. The test concludes that you’ve contracted COVID, and you head to the app to record yourself as a positive case. You’ll need a specific code from the doc to record the positive case.
The app will only now connect via a mobile network (it has been zero-rated by networks, so you won’t pay for this data/airtime) and send all of the user IDs picked up at the store a few days earlier than they may have come into contact with a positive case.
What info does it collect?
Probably the most asked question by worried South African citizens, is how much personal information (if any) does the app record?
If you’ve downloaded the app, you’ll know that it doesn’t require a user sign-up. It’s got no Google login, Apple ID, ReCaptcha or eleven-letter password. Nothing. Nada. The Department of Health (who developed the app built on Google and Apple’s exposure notification API) has made it extremely clear that it doesn’t record personal information through the app.
All these people complaining about the Covid SA app. You are aware you can see exactly what permissions the app has access to, right? No, it doesn't track your location. Compared to this here Twitter app which has A LOT more permissions (see the size of that scrollbar) pic.twitter.com/sdsmFJMvpK
— 𝕯! (@darrynvdwalt) September 17, 2020
The only thing that resembles a user is the anonymised IDs generated when you’re in close proximity with other smartphones. It doesn’t collect phone numbers, ID numbers, names, addresses or even Google account info.
How do Google and Apple fit in?
It’s important to note that the South African government didn’t design the technology that this app is built on. The app was built using Apple and Google’s exposure notification platform developed early this year, and according to experts in the field, as well as Google’s own API explanation, it doesn’t collect or distribute personal information.
The official Google explainer on contact tracing (the API which this app was built on), details: “This technology only works if you decide to opt-in. If you change your mind, you can turn it off at any time… The Exposure Notifications System does not collect or use the location from your device… All of the Exposure Notification matching happens on your device. The system does not share your identity with other users, Apple, or Google… Only public health authorities will be able to use this system. They must meet specific criteria around privacy, security, and data use.”
In the development of this local COVID tracking app, developers would have had to adhere to Google’s (and Apple’s) security protocols for it to be made available to the general public while using the tech firm’s technology.
This means that the government does not inherently control the technology, they just packaged already available technology for the South African user. Makes sense, right?
The only way this will work
We understand South African citizens’ wary approach to the new app. Our government has a terrible track record when it comes to basic management, especially with digital technologies. We get it.
But the only way in which the exposure notification platform works, is if as many people as possible actually install and use the app. The government isn’t using it to see if you visited your 90-year-old grandma during lockdown. It’s impossible for the app to track geolocation, so that’s out of the question.
If we’re going to fight this strange disease, people would need to work together. The COVID Alert SA app is definitely not tracking more than Facebook or Twitter. Calm down.