Has Safe Davao QR code resolved data security issues?

Nov. 21, 2020

DAVAO CITY, Philippines – The registration for the Davao Safety QR (DQR) Code, an electronic tracing and travel pass platform to be used in the city for this pandemic, have resumed last Monday after fixing its glitches and data security concern.

The website crashed on November 4, five days after its launch, snagged by heavy online traffic brought by perhaps a million registration forms in anticipation of its supposed implementation on November 7, throwing Davaoeños into panic.

City Mayor Sara Duterte-Carpio announced last week that these glitches have been smoothed out, with a separate registration process for establishments and for individuals.

The mayor also assured the data security concern raised earlier by information technology (IT) persons have been addressed with the help of ICT Davao.

The website to the Davao Safety QR code now has a data privacy statement which explains how the city government collects and safeguard the information provided by its users.

How will the data be used?

The city government assured that the information provided by individuals to the Safe Davao QR site will be protected and utilized “in accordance with the law [The Data Privacy Act of 2012] and [its] Data Privacy Statement.”

“The City Government of Davao shall ensure that the personal information collected are used only for the purpose of contact-tracing measures or to identify the person who was in close contact with someone who is infected with the Coronavirus disease (COVID-19),” reads part of the privacy notice.

The privacy statement said the personal data “may be used, stored, processed, shared and disclosed” only by the city government, through the City Health Office (CHO).

Upon registering to the site, individuals are asked to provide their contact details, address, birthdate email address and a copy of their government-issued identification or birth certificate.

Appropriate physical, organizational, and technical controls have been put in place to maintain the confidentiality, integrity, and availability of personal data, they added.

According to the privacy notice, all personal data collected for contact tracing measures and management of probable, suspected and confirmed patients of COVID-19 “shall be stored only for as long as necessary or until the purpose for their processing no longer exists.”

The notice said after the duration of the pandemic, the city government will dispose the data “in a secure manner in order to prevent further processing, unauthorized access, or disclosure to any other party.”

Users’ rights and security

The privacy statement is a way of assuring users how the information they shared will be used, said a member of the IT activist group Computer Professionals’ Union (CPU) who request not to be named.

He cited such right is written in General Data Protection Regulation (GDPR) Recital 39, which said “[It is] necessary to accurately describe [the] data processing activities [in a private notice] because the people have the right to know if the personal information [a person] give out will be used in the way [you] know it’s intended for.”

He added that these rights should not be hidden in lapping “legalese”.

He noted that the common fear about this is that information could be used in nefarious means like selling the data to another third party or to form trumped-up charges, especially in the context of Anti-Terrorism Law.

“With the ATL’s very vague and general provisions, simply being in the wrong place at the wrong time might be used against a person on mere suspicion that they are involved in something the ATL deems as ‘terrorism’,” CPU said.

The data security concerns were earlier raised by a Davao-based web developer MB Quinn on his Facebook post on November 4.

He noted that the Davao Safety website has no Secure Sockets Layer (SSL), and the requirement of a selfie with an identification card is used by online loan applications. He feared those vulnerabilities may end up with one’s personal information being exploited for loans without one’s knowledge of it.

Quinn also noted the website developer Millana Surveying and Mapping Services which is unknown among the IT community.

These IT experts share a common concern that bare minimum information is needed to do contact tracing should only be collected.

In other cities in the Philippines that used the QR code, some only asked for the minimum of email address and contact details.

CPU also said there must be a clear timeline to how long the data in DRQ will be stored, it added. Davao Today sent an email to the city government with this regard, but still no response as of posting.

The use of the DQR in Davao City will be mandatory starting on November 23, as “a pass for entry into and travel inside Davao City “to implement the requirement that travel must be for goods and accessing essential services or for work/business only;” in law enforcement checkpoints and barangay patrols to implement the prohibition on non-essential travel; and as a contact tracing log for entry and exit in all offices and establishments.” (Ken E. Cagula/davaotoday.com)

, , , , , , , , , ,
comments powered by Disqus