Last November 26, the Inter-Agency Task Force for the Management of Emerging Infectious Diseases mandated the use of the Staysafe.ph among all national government agencies and offices, including local government units (LGUs). Staysafe.ph is supposed to be the Philippine government’s digital contact tracing app “of choice.”
The task force made this clear via its Resolution No. 85 (s. 2020), where it also promoted the use of the platform among private sector establishments. It also “enjoined” those with their own contact tracing apps to integrate their respective systems with Staysafe.ph. What this last directive means exactly is unclear. If one looks up the definition of the word, “enjoin,” one is informed that it could mean any one of the following: order, prohibit, or urge. Given the context, it’s likely that the Resolution is referring to either the first or the third one. But which one is it? System integration is no simple matter. With so many issues to consider — especially the compatibility of the affected systems — knowing if you have a choice (or not) matters.
But don’t sweat it yet. This is not the only thing that needs to be cleared up by the government when we speak of its technology-driven approach to contact tracing. From the looks of it, it has completely botched up its duty to provide a sound contact-tracing ecosystem in response to this pandemic.
Minimum Data Requirements
According to this new IATF Resolution, data collected by digital contact tracing apps must conform with the minimum data requirements set by the Department of Health’s (DOH) Memorandum No. 2020-0436.
If you look at this document, though, you quickly realize that it is referring to COVID-19-related information systems used by entities acting as surveillance units of the agency. We’re talking about “disease reporting units (DRUs) or hospitals, local epidemiology and surveillance units (LESUs), regional epidemiology and surveillance units (RESUs), and the Epidemiology Bureau.” In other words, it is not referring to apps like Staysafe.ph, which are meant for regular government offices, business establishments, and individual users.
DOH’s surveillance units are expected to submit a lot of information because they already include case investigation details. The apps that we know of are only supposed to collect information necessary for authorities to conduct contact tracing, in case the need for it arises.
The closest we’ve gotten to a government policy prescribing data requirements for contact tracing purposes have been issuances by the likes of the Department of Labor and Employment and Department of Trade and Industry (DTI), DTI (on its own), the Maritime Industry Authority, and the Land Transportation Franchising and Regulatory Board (see: Memorandum Circular Nos. 17, 18, 19, 23, 25, 26, and 51). Their policies essentially dictate the data fields we find in most health declaration forms.
Also in Resolution 85, the IATF created another multi-agency body called the “Data Resiliency for Ease of Access and Management” Team or “DREAM Team,” whose purpose is to “deploy, build capacity, and monitor the use of ICT solutions that are part of the official COVID-19 ICT ecosystem.” This ad hoc unit is composed of the Department of Information and Communications Technology (DICT), DOH, Department of Science and Technology (DOST), Department of the Interior and Local Government, the Philippine National Police, and the Armed Forces of the Philippines.
First off, what are law enforcement and the armed forces doing in this body? Nowhere in the Resolution does the IATF hint of a possible crime prevention or national security aspect that justifies this odd composition.
Second, how does this DREAM Team differ from the existing IATF sub-TWG charged with convening and proposing ICT solutions “in the government’s response to the COVID-19 situation”? This latter group is bigger, composed of the DICT, DOH, Department of Social Welfare and Development, DOST, Department of Education, Anti-Red Tape Authority, the National Privacy Commission (NPC), the National Security Council, the National Telecommunications Commission, and other agencies the DICT, as chair, considers appropriate.
Third, how do the DICT’s vetting/evaluation guidelines figure into the work of this new body. Those guidelines mandate that “all ICT services, products, and applications for government use in addressing the COVID-19 situation” must go through the agency’s vetting and evaluation. What has become of that regulatory regime anyway? With all these LGU-initiated digital contact tracing systems popping up, is it safe to assume that they have all been screened by the DICT?
Then, let’s not forget that the NPC, alongside the DOH, also issued a Circular requiring “all ICT solutions and technologies used for collection and processing of personal health information of COVID-19 cases and/or identified close contacts” to be registered with the Commission. Similar question: are all these digital contact tracing systems we have today registered with the NPC?
My gut tells me the answers to my questions are all in the negative. If so, what is the government doing about it? How will this DREAM Team make things better? Or perhaps it just add more confusion into the mix?
Official Contact-tracing App
To this day, the actual significance of the designation of “official” contact-tracing app, or the government’s “app of choice,” remains unclear.
With Staysafe.ph, keep in mind that Resolution No. 85 is not the first time the IATF has described the app’s critical role in the government’s COVID-19 response. Last September, in another Resolution, it already called for the “training, integration, and the use” of the app and its integration “in the country’s COVI-19 response, particularly, in the response of local government units.” Meanwhile its title of “official social-distancing, health-condition-reporting, and contact tracing system” was bestowed by the IATF way back in April and reaffirmed again two months later, in June.
If Staysafe.ph is the official version, how should we treat the other government-endorsed apps like SafePass (IATF, Department of Tourism), Trazer (Philippine Ports Authority), and Traze (Civil Aviation Authority of the Philippines, Bureau of Immigration). These are on top of the growing list of LGU-specific systems.
Does the government expect us to have multiple apps installed on our devices, even if they are all meant to serve the same purpose?
Or how about this: is there a system to this madness? If there is one, it’s nowhere in sight. And by now, it’s been proven that not even some prodding from civil society could convince those in charge to do something about it—not even to embrace more transparency in its ways.
Last July, a group of local and international civil society organizations wrote to the government, asking for the release of the white paper and source code for Staysafe.ph, as well as details about its COVID-KAYA system. It would have allowed independent experts to examine the vulnerabilities of these systems and suggest remedies designed to secure the privacy and security of their users and their data. The government’s response? A deaf ear.
It was not an unreasonable request. Singapore, for instance, made the code of its TraceTogether app open-sourced as early as April 2020.
Had the government welcomed that opportunity, the results of an independent study that was released recently and which exposed the vulnerabilities of its COVID-KAYA might have been very different.
Sadly, there is very little left to say to this administration and its deplorable strategy towards this pandemic. It is onion-skinned and tends to be vicious when responding to legitimate criticisms. On the other hand, if you try to offer your help, it is often dismissive and likes to pretend it knows what it is doing.
And so, when the contact tracing czar offers the view that contact tracing in the country is still weak today — nearly nine months into this public health crisis — no one is the least bit surprised, and the government only has itself to blame.
The author is a lawyer, artist, photographer, and privacy advocate. Additional information and queries may be sent to firstname.lastname@example.org.