As the Covid-19 virus continues to spread across the world, governments are adopting surveillance measures to track patients, raising privacy concerns. Lebanon, like many other countries, has launched digital tools to help diagnose and monitor the spread of the outbreak. The tools launched by the Lebanese Ministry of Public Health (MoPH) do not appear to harvest data, but they require excessive user permissions, which is particularly concerning given Lebanon’s weak legal framework for data protection.
Potential Security Flaws
The MoPH has already published two apps on the Play Store, which require excessive permissions. The applications include the Ministry of Public Health’s namesake application, which provides users with drug prices, pharmacy locations, and the recently added Coronavirus updates section; and the eHealth Lebanon application, which helps users apply for assistance from the Ministry.
We found that both applications require many unnecessary permissions. The permissions include requests to access the camera, microphone, and location. Some permissions are crucial to run the applications’ services, such as the request for storage access, which allows users to upload a document. However, activating all of these permissions allows the applications to collect personal information about the user and opens the door for attackers to obtain this data or leverage the permissions to access users’ devices. Therefore, the MoPH should minimize the number of permissions needed to run the apps.
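A permission review of this kind can be automated. The sketch below is an added example, not code from SMEX or from either application: it reads a decoded, text-form AndroidManifest.xml and reports every runtime permission that no documented feature justifies. The sample manifest, the package name and the feature inventory are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android runtime ("dangerous") permissions covering the categories the
# article names: camera, microphone, location and storage.
DANGEROUS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage (read)",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage (write)",
}

# Constructed manifest for illustration only; NOT taken from either MoPH app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.healthapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

# Assumed feature inventory: the only justification the article accepts is
# storage access for uploading a document.
JUSTIFIED = {"android.permission.READ_EXTERNAL_STORAGE": "document upload"}


def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return sorted(names)


def audit(manifest_xml, justified):
    """List (permission, label) pairs that are dangerous and unjustified."""
    return [(perm, DANGEROUS[perm])
            for perm in requested_permissions(manifest_xml)
            if perm in DANGEROUS and perm not in justified]


if __name__ == "__main__":
    for perm, label in audit(SAMPLE_MANIFEST, JUSTIFIED):
        print(f"UNJUSTIFIED {label}: {perm}")
```

Manifests inside a published APK are stored as binary XML, so they have to be decoded to text before a script like this can read them.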
Both of the applications are also developed by third-party companies, and the Ministry needs to clarify its data sharing agreement with these companies. The Ministry’s namesake application is developed by Apps2You, a Lebanese company. We could not identify the developer of the second application, but we could identify that the apps use Firebase, a cloud service by Google, to store their data. Though this service does not have public exposure, the Ministry still needs to clearly explain how it shares data with these companies, where the data is stored, and how it is used, especially because the applications have insufficient privacy policies and Lebanon has a weak legal framework for data protection.
Lack of Privacy Policies and Weak Legal Framework
The MoPH should prioritize protections of Coronavirus patients and their privacy, and avoid abusing data collected for political, social, or personal interests. To build users’ trust, the tools launched by the government should be transparent about the data they collect and store and the laws that govern the services provided.
The Ministry of Public Health app’s privacy policy states that it applies United States privacy law rather than adhering to local laws. The general framework of data protection in Lebanon falls under the E-transactions and Personal Data Law, which offers weak protection for personal data and exempts data handled by government agencies. Another local law that should be used is the Patients’ Rights and Informed Consent law, which states in Article 12 that “every patient who is taken care of by a doctor or health institution has the right to have his personal life and the confidentiality of information related to it respected.” However, it is unclear how United States privacy law, which is plagued with its own issues, will hold the MoPH accountable because it is not in US jurisdiction.
Additionally, the application’s privacy policy states that it collects information, including a user’s name, email address, phone number, and “other details,” but it does not clarify what these details are. The privacy policy also states that the application will not sell information to third parties, and that users will be informed if any breach occurs, but Lebanese law prevents users from holding the application accountable in these circumstances. Due to the vague language in the privacy policy and the weak legal framework for data protection in Lebanon, the MoPH needs to further clarify how it is protecting user data.
Recommendations to the Lebanese Government and MoPH to Improve Their Apps’ Privacy
While governments and companies are increasingly using digital technologies to provide healthcare assistance, personal privacy should not be overlooked. Having strong privacy policies and laws that hold these companies accountable is essential for building users’ trust and confidence, especially since the sharing of personal information with other entities could adversely impact users’ political rights, such as freedom of movement and expression. This will also improve protection for users against any malicious activities, including hacking.
Below are some recommendations based on guidelines by the World Health Organization (WHO), Electronic Frontier Foundation (EFF), and SMEX’s tech team’s suggestions, to help the MoPH and other government entities improve their applications’ privacy:
– Review your practices and conduct a simple review of your policies, products and services, to identify situations in which privacy and free expression issues might arise, or where these rights might be at risk.
– Provide your services without asking users for personal identifying information such as location: For instance, locations of pharmacies should not require any personal information from the user.
– Privacy policies should include the date of publishing and the date of the last update, and should clarify what data each application collects.
– Limit the number of people, companies, and entities who have access to data.
WHO:
– Put systems in place to ensure data privacy, ownership, access, integrity and protection of patient information. Ensure that these systems meet best practice legal standards. In this case, adhering to the European Union’s General Data Protection Regulation (GDPR) should be a minimum standard.
– “Procedures need to be in place to ensure that participants are not unduly pressured to provide personal information.” Get clear consent from users for using their data, which includes informing them of the “intentions to continue contacting them, over what period of time, and their right to be forgotten, or opt out.”
– All data, including sensitive content and personal data, should be stored on a secure server “with protocols in place for destroying the data when appropriate.” Data should be transferred, stored, and processed in a safe environment using end-to-end encryption.
– As for health information, WHO strongly recommends ensuring that individuals know the messages are coming from a trusted sender, such as a government or health institution, health worker, or other familiar entities worthy of their attention.
EFF:
– Ask only for the permissions necessary to run the app, and restrict access where possible.
– Make sure to use encryption in transit and at rest – “What tools are you using, and who can see your data? Is it protected?”
Abed Kataya is Digital Content Manager at SMEX for Digital Rights. He is also a digital safety trainer and freelance journalist with a focus on technology, economy, and entrepreneurship. Follow him on Twitter @kataya_abd.
Ragheb Ghandour is a cybersecurity consultant for an aviation industry company with a research background in risk and crisis management. He mainly focuses on cybersecurity risks and the rights to online free expression and privacy.