Law enforcers with court warrants could access data from Hong Kong’s Covid-19 risk exposure app for crime detection purposes, according to security and legal experts, despite officials stressing it would only be used for contact tracing.
While concerns about possible abuses of the app resurfaced after officials announced that patrons of restaurants and some other venues would be asked to use it from Thursday, analysts said the information could only be accessed if it was stored by a third party, and the court would apply the same stringent standards it did for other devices that stored personal data when handling warrant applications.
The Office of the Government Chief Information Officer on Tuesday also reiterated that records of the “Leave Home Safe” app were only stored on users’ devices, while warning the public against downloading fake programmes with similar interfaces.
Get the latest insights and analysis from our Global Impact newsletter on the big stories originating in China.
Officials on Tuesday announced the easing of strict social-distancing rules from Thursday including allowing restaurants to offer dine-in services until 10pm, while cinemas, massage parlours, gyms and theme parks will also be allowed to reopen. But patrons must either use the app to record their visits or otherwise provide details for potential contact-tracing purposes.
App downloads have exceeded 840,000 since it was released in mid-November and more than 70,000 venues had signed up as of Tuesday. The app requires users’ permission to access a device’s camera, mobile network and storage.
Users can then record the date and time they visit a venue by scanning a QR code at the entrance. Data stored in phones is erased automatically after 31 days or if the app is uninstalled.
The Centre for Health Protection said last week it would upload the itineraries of Covid-19 patients who used the app to calculate the infectious period. Other users who visited the same places in that time period would then receive an alert.
After downloading the app, users must sign a statement that, if necessary, the information they provided might be transferred to law enforcement agencies or other authorised departments, deployed “for epidemiological investigations and contact tracing” and for all related purposes.
Personal data held for the prevention of crime, apprehension, prosecution or detention of offenders is exempted from the Personal Data (Privacy) Ordinance, along with health-related purposes.
A police investigator, who spoke anonymously, said if the data was centralised with a third party, Hong Kong law enforcers, including those from customs, immigration and the anti-corruption agency, could practically access the information with a court warrant when detecting crimes.
However, such information generated from the mobile app would not be of “groundbreaking aid” to investigations, the insider said.
“To bring a suspect to book, we need to gather a lot of evidence, which could include security camera or dashcam footage, communication records, digital footprints, bank and Octopus card transaction records. We could obtain this data under court warrant,” he said.
With or without the tracing app, he said, investigation methods remained the same, as it did not necessarily mean a person had been at a location even if his or her phone had recorded a visit.
“Using such a tool is just like people checking in at a location on social media,” he said. “Such data alone does not serve as sufficient evidence that could yield an arrest or a prosecution.”
He added officers needed to present the facts of the criminal case when applying for a court warrant for specific information, and to explain why such data would help the investigation.
It was not an easy job, the investigator said, as magistrates often challenged officers and rejected the applications on insufficient grounds, while those applying could bear liability for their presentations in court.
Former Law Society president Stephen Hung Wan-shun said if data from the virus exposure app was stored in a third-party device, such as a government server, police would need to apply for court warrants to access it for crime detection purposes, just as they did to obtain Octopus card records.
“I believe the court will apply the same stringent standards when considering the retrieval of personal data via this mobile tracing app,” he said.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said despite repeated assurances the data was only stored in users’ devices, the public might still be sceptical of how the government would handle the information.
He called on the government to specify situations when data collected via the app would be accessed by police.
“If the government fails to address privacy concerns, it will only prompt more people to evade the requirements by giving false information. This will defeat the purpose of identifying potential infections,” he said.
He also warned against people intentionally uploading incorrect information, as they could be penalised for deception.
The Post earlier reported that at least two “substitutes” for the “Leave Home Safe” app, which have similar interfaces, are on the market to help patrons skip the recording procedures.
The spokesman for the Office of the Government Chief Information Officer appealed to the public to stay vigilant, saying unknown mobile apps or websites could contain computer viruses or Trojan horse software that posed security risks.
Addressing the privacy concerns, the spokesman said: “There is no central system to record the data, and venue check-in data is saved on users’ mobile phones only … Users’ whereabouts will not be disclosed to others.”
Various countries have developed similar Covid-19 apps that allow tracers to swiftly contact anyone who might have been infected.
In Singapore, the government previously promised that users’ data from its “TraceTogether” app would never be accessed for any other purposes, unless they tested positive for Covid-19. But officials later admitted that police could access the data.
Unlike the Hong Kong app, it requires registration with a real name. The privacy statement on the TraceTogether site was later updated to state that “the Criminal Procedure Code applies to all data under Singapore’s jurisdiction”.
More from South China Morning Post:
This article Coronavirus: can Hong Kong law enforcers access data on city’s official Covid-19 contact-tracing app? first appeared on South China Morning Post