MUST READ!!! The Ghana COVID-19 ‘Symptom’ Tracker App – Flawed At Launch

“Our approach in combating COVID19 is going to be driven by science and data. Data is the most powerful weapon in our fight against COVID 19. You cannot fight what you cannot see. The data will point us in the right direction.”

The words of Ghana’s Vice President, Dr Mahamudu Bawumia at the launch for the Ghana COVID-19 Tracker App on Monday, April 13 2020. It appears, however, that someone did not take the data part of the job seriously.

Data that usually points anyone in the “right direction”, especially when it involves keeping millions of people safe, must be well structured and accurate to give the health services the right feedback to work with. That is the most fundamental flaw of the newly launched app.

I could refer to the security flaws, the question marks in the ‘Terms and Conditions’, the strange number of permissions, who is responsible for the data generated or even the identity or origins of the developer of the mobile application.

But no. Let us deal with the structure of the data first.

At the same launch event, Ursula Owusu-Ekuful, Ghana’s Communications Minister said, “we need accurate data to know where the virus is and is heading towards to be able to fight it swiftly and in the most efficient way possible.”

Perhaps her team should have paid closer attention to how that data was going to be captured using the app. Entering the following number: 022 222 2222 (clearly non-existent) with a non-existent email address: [email protected], I was able to input information into the app which was submitted without a hitch. (See video below).

The Minister, at a press conference on Tuesday, said, “I can report that as at this morning [of April 14] there have been 16,000 downloads already, even though it’s just through the web link on android. The reports on it are interesting. About 100 of those have reported symptoms which are corona related.”

How sure is the Minister that the 100 reported cases from the app gave accurate information for contact tracing to commence? The Ministry could have explored the use of a One Time Password (OTP), or a two-factor authentication process to help cut out the bots or fraudulent entries being made into the system. As a software engineer, Divine Puplampu, iterated, “the process gives everyone a false sense of hope with download numbers.”

Now let us get into the other areas of concern regarding the Ghana COVID-19 Tracker App in its current iteration.

1. Why the need to rush the launch of the app?

Apple and Google jointly control over 95% of all smartphone operating systems globally. In a joint release on April 10, 2020, the companies noted they will be, “launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing.” The companies will release their collaborative solutions in two phases; one in May where APIs that “enable interoperability between Android and iOS devices using apps from public health authorities” will be released. Later in the year, a “broader Bluetooth-based contact tracing platform” will be released.

The Ghana COVID-19 Tracker App currently runs on Android-based devices. You could argue that the release was to ensure government had an app ready to integrate with the yet-to-be-released solution from the tech giants. However, why the rush? Why rush and release a half-baked solution at this time? As Selorm Branttie, Global Strategy Director for mPedigree Network, mentioned, “You don’t want sensitive personal information harvested and sent to wrong hands.”

“Even with governments, especially those with autocratic tendencies, this becomes a very great opportunity to harvest private data from citizens unwittingly to further monitor and terrorise them.” Selorm Branttie added: “seeing that next week is when the two global giants will outdoor their app, with perhaps the best type of knowledge and infrastructure at their disposal, it would possibly have been more prudent to have waited for them on this one.”

2. Who developed the App and where is the data being stored?

The Communications Minister stressed during the launch, “the system’s data is encrypted such that no personal information, name, ID or address is recorded on the platform.”

The questions though are:

• Where is the data being processed?
• Who is doing the processing?
• Who developed the app in the first place?
• Are they Ghanaian?

Ash Dastmalchi, Head of Cybersecurity at Quantum Security Solution in an interview on #CitiTrends pointed out that, “we can see the data is submitted to a remote server which happens to be on Amazon which is outside Ghana’s jurisdiction.”

A close look at the weblink provided by the Ministry of Communications indicates the app is developed by IQuent Technologies and Ascend Digital Solutions. A Google search for IQuent Technologies reveals it as a company providing “telecom, consulting and technology solutions and services.” The origins of Ascend Digital Solutions are scattered to say the least.

3. How secure is the APP?
This perhaps remains one of the biggest concerns. According to Ash, “There does not seem to be any explicit permission where the user can actually choose or give consent if they want to submit that data or not.” He adds that the website where the mobile application can be downloaded from, “frankly speaking, is not secure in terms of [the fact that] it does not have https. Which again does not mean too much, but does mean that someone can sit there and inject malicious application and make transactions, should they have access to your connection.

”Weighing on the matter, Selorm Branttie notes that, “there is a huge risk of phishing. Scammers are open to use this system to scam people. All they need to do is create a web link very similar to the Ghana one, and put in a mirror of this apk file with a backdoor that mines all your personal information. He intimates that, “many of you will not take time to look at the signature or certificate of the app and the checksum to see if it’s the same as the original apk before installation. So if there is a phished sure, bam! You are in!”

4. Terms and Conditions
In a hypothetical situation, where all things fail and there is a court case, a lot of reference will be made to the ‘terms of conditions’ of the app. As a user, you sign on to use the service provided by the mobile application after you have assessed and approved those terms and conditions.

There is a provision in a section of the current version of the terms and conditions document of the app which indicates, “We reserve the right, at our discretion, to modify or replace these terms and conditions from time to time… It is YOUR responsibility to visit the most recent terms and conditions. If a modification to the terms and conditions is material, we will TRY to provide some days’ notice prior to the release of the modifications. What is material will be determined at our sole discretion.” (Emphasis all mine).

Basically, if anything should change with the app and the developer makes changes to this legal document, you will have to find the terms yourself and advise yourself accordingly. Now, why will you want to get into an agreement with someone who presents such options in a business deal?

5. “Detailed contact tracing of individuals.”

As the Minister explained, using Executive Instrument 63, “we can use the platform of all the telcos… frequent contacts by an individual can be traced through various telephone-related data… backward trace contacts through records and location history.” There is very little anyone can do about this bit.

The major worry for industry watchers such as Professor Kwadwo Appiagyei-Atua of the University of Ghana Law School is that “these obligations have the potential to normalise the deployment of mass surveillance tools which may help to deal with contact tracing but could also be used to violate privacy laws tomorrow.”

In summary, the app in its current state is not fit for purpose. It does not appear there was much consideration given to a number of things.

Was there beta testing for example, to iron out the links in the solution? Who did that testing? The idea of the app comes from a good place. It should help with contact tracing and with the USSD option, you have a good platform from where to fight the pandemic.

However, a quick look at the examples from South Korea and Singapore show clearly by how much we have missed the mark. It is encouraging that the Communications Minister says her ministry is open to suggestion on how to improve the solution. My only prayer is that they actually listen.

—
The author, Philip Ashon, is the Head of Production for Citi FM/TV and also the host of #CitiTrends on Citi FM