HOW BOTSWANA’S BSAFE APP WORKS
Last month saw the launch of Botswana’s BSafe QR code app – the first government-issued contact-tracing app in sub-Saharan Africa.
The app was donated for free to the government by a Gaborone-based company called Brastorne Enterprises after complaints that the manual contact-tracing system, where businesses would write down visitors’ phone numbers, was being exploited. Tshepo Tsheko, from Botswana’s Covid-19 government task force, told me information from these paper registers was being used to text women to ask them on dates and to bulk up businesses’ marketing mailing lists.
Tsheko, who is the task force’s ICT digital adviser, describes BSafe as the privacy-friendly alternative to this manual system. Both businesses and individuals are asked to register through the BSafe Android app in order to be assigned their own QR code. BSafe then works in two ways. Individuals can create a “digital register” of where they’ve been by scanning the QR codes displayed at shops, shopping malls or offices. Businesses can also scan their visitors’ QR codes to check they are not infected.
If a person tests positive for Covid-19, the app will be updated by the task force and that person’s QR code will no longer work. Anyone who has visited the same places around the same time as the infected person will be notified through the app and be asked to self-quarantine. Tsheko says the task force is also considering weaving Bluetooth into the design to make the contact-tracing function more precise.
When we spoke, Tsheko did not know how long people’s data would be stored because that had not yet been decided. But, he said, each BSafe user is assigned a pseudonymous ID number so a person’s location records are never stored alongside their name or other identifying details. The digital adviser added that the only government departments with access to this database are the Covid-19 task force and the intelligence unit, although he emphasised intelligence personnel are included in the task force and the database is not for “surveillance”.
In the three weeks since launch, the app has been downloaded 150,000 times and Martin Stimela, CEO of the company that developed the app, Brastorne Enterprises, said the aim is one million downloads countrywide – in a country of 2.3 million.
For the “digital register” function to work, businesses also have to register and display their own QR codes for visitors to scan. However, uptake among businesses has been much lower with users complaining on the Google Play store that they are struggling to find places to use the app. Right now the app is voluntary but the government is planning to make the system mandatory, says Tsheko.
Senwelo Modise, an attorney with data protection specialists Collins Chilisa Consultants, says BSafe is easy to use and she has used the app at chain stores including Woolworths. However, she worries what would happen if there was a data breach because Botswana still has no data protection authority to enforce the southern African country’s 2018 data protection act. “If information [from the app] is used for anything other than contact tracing, in Botswana we would not have recourse because we have a Data Protection Act that was passed but is not in force,” she says.
Tsheko, however, says the task force is looking to “accelerate” those data protection structures to give people more confidence.
NIGERIA IS DEVELOPING COVID-19 APPS BUT NO PRIVACY POLICIES
Nigeria is also experimenting with apps as part of its efforts to stem the spread of infections. But analysts have not been impressed with privacy protections. “Our findings revealed the apps were developed without recourse to data protection principles,” says Ridwan Oloyede, privacy and data protection partner at Tech Hive Advisory, a technology advisory firm based in Nigeria. I outline his analysis of the country’s three apps below:
🇳🇬 The state of Kogi in central Nigeria launched a self-assessment app to judge residents’ “Covid-19 risk factor”. However, the app has no privacy notice.
🇳🇬 The self-assessment developed by Ogun state, in Nigeria’s southwest, has no privacy notice either, according to Oloyede. To view their “risk status”, users must enter their name, date of birth, gender and phone number.
🇳🇬 An app developed by Nigeria’s Federal Capital Territory, the area surrounding the capital Abuja, was designed to share government updates with the public. But as Oloyede told me, the privacy notice seems unrelated to the app, as if it was written for completely different software. “We also found permissions used by the app are intrusive and excessive, beyond what is required for the app to function,” he adds.
WEEKLY WEB ROUNDUP
Germany now holds the presidency of the Council of the EU, and one of their first initiatives is to propose using airlines’ “passenger name records” to track Covid-19 infections. This data includes names, contact details, credit card numbers, IP and email addresses, hotels, fellow travellers and food preferences – everything passengers might have told airlines when booking a flight. Right now, this data can only be used to investigate or prosecute terrorist offences and serious crime.
Residents on the Spanish island, La Gomera, are taking part in a test run of the country’s new contact-tracing app while Ireland launched its own contact-tracing app based on Apple and Google’s system at the start of July.
When online advertising expert Patrick Berlinquette was investigating whether there was a correlation between Google search results and Covid-19 hotspots, he found the search platform could reveal infection spikes before governments do. In One Zero, he explains how there would be a spike in Google searches for “I can’t smell” before a wave of people tested positive for Covid-19.
Tanya O’Carroll, director of Amnesty Tech, has been talking about how private companies are rushing to get their hands on public health data. “Even if they cannot walk away with direct patient records, they can walk away with the lucrative AI models built from those records, which is the key that unlocks the value of the data,” she says. “This helps explain why Palantir, a data-mining firm that frequently runs contracts worth millions of dollars, has agreed to assist the [UK] government’s Covid-19 response for the cost of just £1.”