A Singapore-based cybersecurity firm has raised alarms over Thailand’s covid-19 tracking apps, citing overboard user permissions and a lack of transparency in the terms and conditions.
Straits Interactive, the cybersecurity firm, mentioned both Mor Chana and Thai Chana – tracing apps recommended by the Thai government – in their report, alerting users to the apps’ request for excess user permissions.
The Data Protection Excellence Network (DPEX) report found that the Thailand covid-19 tracing apps demand more user authorizations than their ASEAN counterparts.
According to DPEX, Mor Chana mandates nine overboard and dangerous user data approval, such as the phone’s GPS location, camera access, and the device and application’s history.
Mor Chana was developed by several collaborating national organizations and developers to help provide data to the Department of Disease Control.
The app was created to aid medical workers and government officials in tracing covid-19 infections.
The security firm said that app developers could also access the phone’s web history and the data logs of other applications.
The report added that the app makers have access to the aforementioned user data as long as the app is running.
The chief executive of Straits Interactive, Kevin Shepherdson, said:
“It is like giving access to your entire phone to the developer.”
The cybersecurity firm official added:
“We are not asking for change, per se, but more clarity by the app on how the data will be stored and used and how it is relevant to tracking covid-19 outbreaks.”
The other Thai tracing app, Thai Chana – which requires fewer user permissions compared to Mor Chana – also has vague and short terms and conditions agreement for users. The full length of which is only two paragraphs long.
The agreement paragraph for the app also fails to outline the safety of user data.
Thai Chana was developed by Krungthai Bank, a state-owned financial institution.
The tracing app allows its users to check-in and our of businesses using a QR code.
To put it into perspective, the terms and conditions agreements for other apps are categorically long and concise compared to Thai Chana’s short, brief, and ambiguous user agreement.
The lack of tracing apps data usage clarity could violate Thailand’s Personal Data Protection Act (PDPA).
The law outlines that applications must clearly state in detail of its user data.
Prapanpong Khumon, an associate dean from the Thai Chamber of Commerce, stated:
“Under the PDPA, preventing a pandemic like this one is one of the justifications to use personal data, but you must be very clear what you are using the data for.”
The academician added:
“You can only use the person’s data for the purpose that you notify the people using the app.”
Mor Chana may have violated PDPA due to the ambiguousness of the app’s data retention.
Thai Chana, on the other hand, plainly states:
“Collecting, using, and disclosing the following data included [sic] telephone number and place and time of giving consent … for the purpose of controlling and preventing Covid-19 and other communicable diseases.”
The PDPA, under Section 23, outlines that a user must be informed of how their data will be utilized.
The inspector-general of the Digital Economy and Society Ministry, Polawat Witoolkollachit, directly oversaw Thai Chana’s development, stating that the data gathered from the app hasn’t been used yet as the app was released before the outbreak of covid-19 in the country.
Witoolkollachit attempted to soothe the concern of users, stating:
“Use of the app is under the enforcement of the emergency decree and has the support of Thais. This was done in the Thai context under a very tough situation, and we are using it to move our society forward from the covid situation.”
Also, iPhone users of Thai Chana reported receiving spam messages after directly installing the application into their mobile phones.
Several other mobile users stated that they received suspicious messages regardless of whether they’ve installed the tracking application.
Presently, almost 220,000 businesses nationwide have collaborated with Thai Chana, with 400,000 Thais registered under the app.
Activists in Thailand are crying foul over both the applications over-reaching user agreements – compounded by the disappearance of lead activist Wanchalearm Satsaksit in Cambodia.
They state that the app could be used to track democratic activists to stifle dissent.
Thai student-activist Netiwit Chotiphatphaisal said:
“Technically, it does require the user to give several permissions for his or her phone. As we do not really have evidence about how the government will utilise this, it is safer not to use the app and just act like you scanned the QR when getting into places.”
It should be noted that in June, the Thai government confessed to sharing mobile tracking data with the Defense Ministry.
Source: Bangkok Post