STAYAWAY COVID: The four "mortal sins" of the Portuguese app in the vision of the association for the defense of digital rights

STAYAWAY COVID: The four "mortal sins" of the Portuguese app in the vision of the association for the defense of digital rights

The association says that there were those who have already warned about this issue and pointed out the article by Prof. Joana Gonalves de S in the Public, where she mentions the enormous difficulty in successfully implementing a technical solution of this kind, with the aggravation of the multiple deficiencies of the adopted system, some of them insurmountable.

a study by Trinity College Dublin, which deeply questions whether these apps are even effective, condemns the lack of transparency in their implementation. And a Swiss report to D3 says it goes further and points out a serious set of inefficiencies and risks to privacy that all ARCs have, stating that their use could result in worse scenarios than if they did not exist.

"Thus, we repeat that Stayaway is far from deserving the optimism of the Prime Minister or any other citizen", underlines the association.

Show the code!

"The Prime Minister and several of the Government ministers have expressed, several weeks before the projected launch date, their intention to install this ARC without even having seen or used it", refers to D3, stressing that with the leakage scandals data with apps of the genre "one would appreciate some caution in endorsing a technical solution whose working methods are still unknown to anyone, because their source code is still kept secret", and refers to the purpose of India, where there are reports that it is possible to access the location of the infected.

Recognizing that there is a promise to publish the code when Stayaway is launched, D3 argues that it is essential that this be done more quickly. "The publication of the source code of the application, in an integral and reproducible way, is fundamental for any notion of democratic control of an application that we will all be encouraged to install. Only then can we analyze what the application actually does, and include citizens in an effort to ensure that there are no failures or risks on the Stayaway ".

The association states that in the case of the application of contact tracking in Germany the code was published two weeks before the launch and that numerous people participate in the effort to alert to problems found in the apps, having solved several problems thanks to this open process.

"So far, nothing is published", stresses D3, noting that several news reports say the app has been ready since the beginning of June. "Why is the code still secret?", Asks the association.

We have to talk about Apple and Google

The use of Apple and Google APIs is pointed out as another problem. "Stayaway uses API from Apple and Google to be able to work, which means that it interacts with the operating system in a way that Apple and Google control; that is, even if the Stayaway code is fully published, it remains to publish the part of the operating system code that handles the information obtained by the app ", explains the association.

Even believing in the promise of inviolability of our personal data, these companies continue to have access to the installation and use data of the app (as with any other), the statement said. "It is of obvious interest to obtain information about how a person handled the app (installed or not? How many times does it open a day?), to cross-check with the login data of each person's app store, and thus complement the profiles used for the targeting of ads: a medical products company will thus be able to point its ads to people who installed Stayaway, as they are more likely to accept magic solutions to deal with the desperation that the pandemic causes ", he identifies, saying that privacy protections promised by Stayaway cannot prevent it.

For D3, the dependence on the Apple and Google API has another consequence: these companies can unilaterally change the functioning of their code, and there is no way for people (or the Government) to know what has changed. "Against this, neither Inesctec nor the Government can do anything, because they accept to resort to these closed components that cannot be audited", underlines the association.

"The Portuguese government is officially supporting an app that sends information to Apple and Google, without any agreement with these companies to ensure that the app's usage data will not be used for other purposes. We demand another respect for the integrity of citizens' data , particularly at a time when many are taking advantage of the current instability; it is not acceptable that these two giants could be fundamental parts of a public health mechanism, without any transparency for the way they operate ", says D3.

Requirements for those responsible for the app and appeals to the Government and Parliament

Following this analysis, D3 requires STAYAWAY officials to immediately publish the Stayaway source code and the Apple + Google operating mechanisms to clarify the privacy of the app's usage data, and also disclose the amount of public funding. development of Stayaway.

The appeals extend to the Government and Parliament, which want it to implement specific legislation to prohibit discrimination based on the option of using or using the app, affirming the exclusively voluntary nature of its installation and ensuring that technological solutions carried out with public funding must have your public code.

We ask the Portuguese Government to review the enthusiasm for joining solutions that can only complicate the problem, and to refrain from encouraging the installation of Stayaway by the Portuguese population. And the Portuguese population, we recommend the utmost precaution before embarking on this technological artifice until there are guarantees that the drastic situation that we are all and everyone will be experiencing will not worsen even further, underlines Ricardo Lafuente, vice president of D3.