Protecting health workers and their data

In the 2020 report by Oxford Languages, one cluster of words considered significant for the previous year relates to the health workers of the world. It’s supposed to reflect their indispensable role during this very trying time of dealing with a raging pandemic.

Unfortunately, despite their supposed importance, health workers are not exactly getting any favors. Here in the Philippines, one could argue that they are actually among those who experience the most discrimination and other types of abuse during this same period. It is, without a doubt, a heavy burden, especially when one considers the fact that it is already on top of the physical, mental, and emotional toll wrought by their constant presence in the frontlines of this “war”, made even worse by the very little support they receive from the government.

Unsecure apps

Set against the current backdrop, the findings of the 2020 study carried out by Canada-based thinktank, The Citizen Lab (CitLab), seemed like a devastating punch in the gut. That report showed that COVID-KAYA, an application used by Philippine health workers to collect and share COVID-19 cases with the Department of Health, contained vulnerabilities that allowed unauthorized access to information found in the app. Among them was a flaw that exposed the full names of over 30,000 health workers affiliated with local government facilities around the country.

As if risking their lives were not enough, health workers apparently need to worry about their personal data, too.

The use of COVID-KAYA was mandated by the Philippine government, particularly the Department of Health (DOH). Its actual development was overseen by the World Health Organization (WHO) and Dure Technologies, a private entity. After discovering the app’s vulnerabilities, CitLab disclosed them to the authorities and confirmed that as of November 2020, the leaked credentials had already been invalidated.

Sadly, the issue is limited to COVID KAYA. CitLab also looked into other technology-facilitated COVID-19 efforts in Southeast Asia, including contact-tracing applications. In an online event last year organized by the DigitalReach Foundation, Irene Poetranto, Senior Researcher for CitLab, also raised their concerns regarding the possible “mission creep” of COVID-related technologies. This refers to situations wherein technologies are used for purposes that are not part of their original objective or design. It frequently leads to a similar expansion in the types of data collected and processed. Poetranto also pointed to the lack of data protection measures—even as basic as privacy policies—among these apps, including COVID KAYA.

It’s not as if civil society hasn’t tried to help either. In July 2020, DigitalReach and local non-profit, Foundation for Media Alternatives, were joined by fifteen other local, regional, and global civil society organizations in writing an open letter to the DOH, WHO-Philippines, and MultiSys Technology Corporation to call for better transparency in relation to COVID KAYA and StaySafe.ph, which is the Philippine government’s official contact tracing app. The initiative came in light of concerns surrounding these technologies, which were not developed under an open-source license, thereby preventing security professionals from conducting independent audits. The letter called on the concerned entities to release a white paper and the source codes for both apps. It also prodded them to conduct human rights and privacy impact assessments on both systems, and subsequently release the results to the public. That was six months ago. To date, there has been no response from the government.

Data protection and safety

Any casual observer ought to find this remarkable lack of urgency on the part of government authorities appalling. One need not look around that long before the obvious implications of a lackadaisical approach towards data protection and health workers become clear.

In December 2020, Dr. Mary Rose Sancelan, the only doctor in Guihulngan City, Negros Oriental, was killed along with her husband after previously being red-tagged by a local anti-communist group. The incident was just the latest in a spate of killings in the region, many of whom could be traced to the “hit list”. It had only been months since Zara Alvarez, a community health activist from the Negros Island Health Integrated Program, was also gunned down. Alvarez was also on the vigilante group’s hit list. It is still unclear at the moment if the notorious list and the group supposedly responsible for it has ever been investigated.

It’s also important to note that the issues have not always involved killings. The pandemic has thrust into the spotlight the many forms of discrimination—and, in some cases, physical violence—the improper disclosure of health workers’ identities and whereabouts can lead to. In March last year, during the early stages of the government-imposed lockdown, a hospital worker in Sultan Kudarat was attacked with bleach on his way to work. An ambulance driver was also shot at by a civilian in the course of doing his job. Others were prevented from leaving their own homes or from returning to them.

Taken together, all these cases demonstrate the often-downplayed link between data protection and physical safety. The government needs to do more to address this. And the public needs to pay more attention and must become more vocal in expressing their worries in order to make sure it does.

As the current administration ramps up its technology-facilitated contact-tracing efforts while also rolling out the country’s first national ID system, it is crucial that personal data, especially those of high-risk populations like health workers and COVID-19 patients are protected. Measures must be in place to prevent platforms from being exploited, abused, or even used to perpetuate violence and discrimination.

Pressed for their reaction to Alvarez’ death, the Council for Health and Development issued a statement saying: “We may have lost [Alvarez] to the hands of those murderers but we pledge to keep on keeping on (sic) the struggle for a better society where the right to health and right to life are fully recognized, and the people are empowered to build a brighter future.”

Given the current state of the nation, such aspirations may seem far-fetched right now, but protecting health workers’ data seems like a good place to start.
----------------------

Jessamine Pacis is a Program Officer at the Foundation for Media Alternatives. While she works mostly in the areas of privacy and data protection, she also takes interest in related fields like digital labor, cybercrime, and freedom of expression.