With no regulation “data protection depends on users, developers and organisations”


Developing a contact tracing app in a non-regulated environment.

Developing quality software is usually a big challenge, but how do you do it when your country is still developing the laws that would regulate your activity? Data News talked with Addis Alemayehu, general manager of Ewenet Communication PLC, the Ethiopian company creating the Debo contact tracing app.

Alemayehu explains that the solutions have to be implemented together with user education, responsible data handling, and trust between the users and the institutions building the application. The manager describes a process where sensitive data is kept on the user side until there is a reason to collect it; it is then shared only once the user approves and the institution gathering it takes clear responsibility for it.

Read the full interview. 

Debo is the Ethiopian contact tracing application you developed, tell me more about it:

Addis Alemayehu: “We developed Debo for contact tracing purposes; we are working with the Ethiopian Public Health Institute, supporting the effort against COVID-19. The application works on Android phones, because 93.3% of Ethiopia’s smartphones are Android. It uses a Bluetooth protocol because internet here is costlier than in other African countries, so if we went with a GPS application, people would not open the internet for it. Whenever people are nearby, within a two-meter radius, and both have the app activated, they exchange a code.
Every Ethiopian user can download the app on Google Play, and they will fill in their name, age, sex, city and phone number. These are the very important pieces of information that the contact tracer needs. Once the user is registered, the data will be uploaded to the database with only one purpose: contact tracing. After that, all Bluetooth data will be stored on the user’s phone.
Also, the user can manually register their own contacts, because some people may fail to open their Bluetooth or not carry a smartphone at all. A user can add his family, friends and coworkers. Whenever a user becomes positive, after a test, the app will ask if the user is willing to be traced. This is very important, because the closer they are, the higher the risk will be.
There is also a passcode to avoid someone opening your phone and looking through your contacts.
The app has been live for a week now, with almost 56 thousand users registered without any promotion. Now the government is planning to promote it aggressively; for this we need more marketing. We have already prepared the marketing strategy and submitted it to Ethiopian public institutions. As you know, with contact tracing all over the world, the more it is downloaded, the better the tracing will be.”

What is the challenge to develop this system?

Addis Alemayehu: "We are developing it together with a team of contact tracers, there is a lot of documentation submitted, lots of different tests, after this we need to comply with the National Information Security Agency (INSA), they also check the system and the app, then other governmental agencies."

How does your application protect user’s privacy?

Addis Alemayehu: "Before developing our own system, we checked other ones, like Singapore. Most of them go with GPS plus Bluetooth. We went another way: in our system, the data is only stored on the user’s phone, not on our database. Whenever the user becomes positive, we will ask him about his willingness to give us the information. It's a consent-based system.
Once he is tested positive, he will be notified by the contact tracing agents and will be given a code. Only once the code is put into the app will the agents have access to the user’s contacts. And the data will be only in the contact tracers’ agency database."

The data goes directly to the government and the company does not have access to it?

Addis Alemayehu: "Exactly, the company does not have access. And the data does not go directly to the government, but to a more independent public health institution, and after COVID-19 stops, the data will be automatically deleted. This is the right of the individual and the responsibility of the public institute."

Do you have any laws regarding data protection that you need to take into account when developing this kind of application?

Addis Alemayehu: "Currently, the minister of information technology is working on a data protection law; they are working on a pipeline to approve it. There are actual governmental policies, but they are not well articulated and communicated to the developers. This is one of the main problems; once the tech community is better informed, it will be easy to follow data protection regulations.

Right now data protection depends on users, developers and the organisations that build the applications. Related to contact tracing, the INSA checked the applications and approved that the system is secure from the user and government side. For it to work, everything must be very clearly stated in all public communications and in the consent screens so the right is in the user’s hands."