Covid Alert SA: ‘I really do think people should download this app’ – privacy law expert. LISTEN!

Written on 09/19/2020
Jarryd Neves

The recently launched Covid Alert SA mobile app will undoubtedly help in the fight against the virus. However, many South Africans are understandably skeptical of the app, which many believe may collect private data. BizNews founder Alec Hogg talks to Emma Sadleir, a leading expert on privacy and data. The chief executive of the Digital Law Company discusses the safety and privacy of the essential app, and outlines why she thinks it’s definitely worth downloading. – Jarryd Neves

Emma Sadleir is the founder and chief executive of the Digital Law Company. We’ve spoken a few times over the past few months about issues like data privacy. Now, we’ve got the new app that we all have to download so that we can fight Covid-19 together. But there are many people worrying that big brother is going to be following them in some way. What are the legal ramifications of an app like this? Have they taken the right precautions? 

So I want to stop you right at the beginning and say that the first thing is that we don’t have to download it. I really do appeal to everybody to download it because I think the only way that we’re going to contain this epidemic is through contact tracing, containment, etc. But it’s a very important point from a privacy law point of view, that there is absolutely nothing compulsory about this app. I have looked at it just from a general interest point of view. I haven’t been properly involved in any aspect of it.

Emma Sadlier
South Africa’s leading expert on social media law Emma Sadleir. Photo published courtesy of www.thedigitallawco.com

There has been a brilliant senior counsel giving legal advice to the team of developers throughout the process who was mandated rarely just to consider the privacy issues and the privacy law implications. Anything to do with big brother watching you and privacy really does interest me. I’ve had a look at the app in quite a lot of detail. I downloaded it as soon as I was able to and I think that there are a few very important points. The first is that it is voluntary, so it’s not something that’s automatically been inserted onto everybody’s phone and that they’re going to be traced at all times.

I think that we really have to say this is a voluntary app. From a privacy law point of view, I don’t see any reason that people should be nervous that big brother is watching us and that this is going to have huge privacy concerns. I just want to say that at the outset. The second is that it takes very little personal information and we can go into this in more detail. It is an entirely anonymous app, which means that any of those privacy concerns that people have out there surely should be very small, if any.

I think the issue at the moment is that people do have a kind of a distrust of the government, and they do feel a bit like civil disobedience is the order of the day and they’re not going to be told what to do by anybody else. That seems to be the sentiment around a lot of people at the moment.

It must be tough for the people trying to do public health, because if you don’t have cooperation from the public, then how can you keep them healthy? But Google and Apple designed this in a way that the privacy issues were also apparently taken into account at a very deep level. Have you had a chance to look at that? 

I’ve had a look at all of it. Firstly, I must echo your thoughts and that is that the success of this app will rest and fall on the extent of the uptake. What we’re dealing with is an app that uses Bluetooth. A lot of people are nervous about having their Bluetooth on. I’ve got my Bluetooth on pretty much all the time. When I get into my car. I need to be able to carry on that conversation that I started before I got in the car and it automatically connects to the Bluetooth in my car.

A lot of people use their Bluetooth on their phones for their health tracking watches. For me, that’s not a big concern. There are some concerns to do with hacking that involves having your Bluetooth connection on at all times. But I really don’t think that it is a real risk for the average person.

It relies on your Bluetooth. The app doesn’t collect any personal information. It doesn’t collect your name, it doesn’t collect your email address, your phone number. No location is collected or stored. All it does is that it tells you if within the previous 14 days you’ve come into contact with somebody who has voluntarily disclosed that they have tested positive. It doesn’t tell you who that person is. It doesn’t tell you exactly where that exposure took place. It just tells you that on a specific day you came into close contact with somebody who was tested positive. 

Read also: How the Covid-19 alert app works in SA – govt expert

That might have been at a braai – obviously of less than 10 people because that’s what you’re allowed at the moment – or it might have been in the queue at the Spar. It could have been anywhere. That’s the brilliance of the app, because at the moment we’re doing manual tracing. Which is good if the exposure has taken place to somebody that you know, but it doesn’t help you with exposure to somebody who you don’t know, because that person that you stood behind in the queue at Woolworths is not somebody you know. If they test positive in the next couple of days, they can’t phone you and say “Look, I’ve had this issue and I used that credit card machine just before you did.” There isn’t that kind of thing. 

So manual contact tracing really does have its limitations, which is why this technology is so brilliant. Just to go back to this, there’s no pairing which is required. It uses random Bluetooth identifiers which rotates every 10 to 20 minutes. That helps prevent tracking. The only exception to the information that it does collect is when you voluntarily open the app and self report that you have been diagnosed positive. In order to do that, you have to put in your date of birth. Now, that’s just an extra step to make sure that people are accurately reporting so that the app isn’t misused. You get sent a pin and put in your date of birth. With those two pieces of information, you’re able to successfully notify the app and therefore notify all of your contacts that you have been exposed.

You’ve been telling us for quite some time now to be careful about privacy, particularly online. You’ve made a career out of explaining to the rest of the world how that works. So why did you not feel bad about downloading this app, or indeed, why did you actually take that step? 

The first thing is that I don’t want to get Covid. So it’s always a give or take. There’s always a balance, but here we’ve got sort of public health on the one hand and privacy issues on the other hand. Now, if it was a question of downloading an app like they’re using in China – there is no voluntary uptake of it, it gets forced upon you. I’ve got a friend in China who, if she goes to a shop for too long, the authorities come and have a chat with her. It is really big brother watching you, tracing you and tracking you at all times. 

It’s living in a proper police state. This is not that. Firstly, it requires your consent. Now we talk about POPI – the Protection of Personal Information Act. POPI defines consent as any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. Basically, this act does require you to give your specific consent throughout the app usage. So that doesn’t bother me. We are dealing with a special kind of personal information. Under POPI, there’s your personal information, which are things like your name and your email address. Then there are things called special personal information. Your health information would certainly fall under that classification of special personal information, which requires even greater protection.

Now, the thing here is that it’s anonymous. I downloaded the app and I didn’t have to give them my first name, my surname, my phone number or my email address. I just downloaded the app. So there’s this thing on my phone which is a location based app. It’s not like the Department of Health knows that this app was downloaded by Emma Sadleir on this day ‘and she was exposed to this person and she spent two hours at the braai and we can tell that there were 20 other people there and therefore we should prosecute her under the regulations.’ It’s none of that. It’s really just your phone – which has your Bluetooth enabled – came into contact with somebody else’s phone -which has their Bluetooth enabled – and they have self-reported that they have tested positive. 

When we’re dealing with what we call anonymized data. We fall outside of the realm of POPI. Now, when you’re dealing with an app that doesn’t take any personal information, that personal information does not attach to a specific person. Therefore you do not have to comply with the requirements of POPI. That said, this app – and as I said, they’ve been using brilliant lawyers throughout the process – does comply with POPI. What I’m saying to you is that it doesn’t actually have to comply with POPI because all the information is anonymised and actually encrypted as well. This means that if anyone does intercept it, it’s just gobbledygook. They can’t tell what it says. Basically, you don’t have to worry about the privacy concerns.

I’ve been getting resistance even from my own family members when I’ve said to them they must go download the app and people tell me, “Oh no, it’s too big brotherish for me.” I appreciate that some of the apps that have been rolled out around the world are big brotherish, but this is not that.

So there’s really nothing logical stopping you from downloading it. The only reason why we haven’t all done so is because of the perception that it could be tracking you. It is tracking you, but it’s not tracking you specifically. It’s tracking a phone.

Because it uses this sort of rolling Bluetooth, it changes every 15 to 20 minutes. If I go to my phone and say, ‘Where was I at this particular time?’ It can’t tell me that information. It’s not storing or collecting your location. We’ve just got to really come to people out there that privacy concerns have been really maximised in this, in order to increase the uptake. Everybody is super conscious of the fact that the success of this app will rest and fall on the extent of the uptake.

Read also: Inside Covid-19: tracing app and your privacy; what’s next for vaccine, SA deaths, and pandemic – Ep 82

If I go into the shops and I’m the only person who’s downloaded the app, the app won’t be very useful. But even if a small percentage of people in that shop have downloaded it, then it will be useful. We require critical mass here. As I’ve said, the manual methods – although helpful – are quickly overwhelmed. Let’s use this amazing tech that’s available to us. There is no reason to be suspicious. Come and contact me if you find out that your information has been misused, I’ll take the hit. 

I really do think that people should download this app. I think it’s a good step because we all want to get back to normal life and this is a step towards that. This will allow us to live our lives as normally as possible because we will have the comfort of quick notification. It’s immediate. It’s not like we have to go through the list of every person we come across. Immediately, you get a pop-up on your phone saying you’ve been exposed on this day and then you can take the steps required. 

So it is a little bit about selflessness. You don’t really want to go out there and make other people sick. If you believe in that, here is a tool that can help you to achieve that more noble ambition, than somebody who lives in ignorance and might unwittingly be making lots of others ill by not really knowing their status.

Absolutely. It’s selflessness, but it’s also allowing me to be selfish because it allows me to go on with my normal life and be exposed to people that I don’t know, with the comfort of knowing that I will be notified if there is any potential exposure. For me, it’s a no brainer. Exposure notification and early exposure notification is really absolutely critical to how we contain this epidemic going forward. The technology is there and let’s use it.