HK OGCIO explains privacy issues of newly created COVID app

Reassurances after concerns noted over access rights of the mobile app.

The recent launch of the “LeaveHomeSafe” COVID-19 exposure notification mobile app by Hong Kong's Office of the Government CIO (OGCIO) has drawn media concern over privacy, specifically over the access rights the app requests.

The concern centred around access to photos and media, files and storage space, modification or deletion of content, and access to Wi-Fi network and network permissions.

However, the OGCIO stated that the “LeaveHomeSafe” mobile app assists the public in recording the date and time of checking into and leaving different venues by scanning the venue QR code or the registration mark located on the inside of the taxi door.

The app requires the camera function of the mobile phone to scan the venue QR code and the taxi registration mark. After scanning, relevant check-in data, including the venue name and address, taxi registration mark, date, arrival, and departure time, will all be stored in the storage space of the mobile phone. The app therefore requires permission to access the camera and storage space of the mobile phone.

In addition, cloud-based Optical Character Recognition (OCR) technology is used to enable scanning of the taxi registration mark. Text images captured by the camera will be converted to text files for storage. The mobile app will then delete the relevant images instantly, and the user’s check-in data will also be erased automatically after 31 days.

The mobile app thus requires access permissions to the mobile network, the Wi-Fi network (to conserve data usage), and media and files, in order to protect the user’s privacy.

The Centre for Health Protection (CHP) has been releasing information on premises visited by COVID-19 confirmed cases in the form of open data.

The “LeaveHomeSafe” mobile app needs to run in the background and use the network function to download the data from CHP, which it regularly compares with the user’s venue check-in data on the mobile phone, in order to automatically notify any user who has visited the same venue as a COVID-19 confirmed case at around the same time.
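The on-device comparison described above, together with the 31-day erasure mentioned earlier, sketched as an added example (not the app's actual code). The record layout, the function names and the interval-overlap reading of "around the same time" are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=31)  # erasure period stated in the article

@dataclass(frozen=True)
class Visit:
    venue: str        # venue name or taxi registration mark
    start: datetime   # arrival time
    end: datetime     # departure time

def purge_expired(checkins, now):
    """Keep only check-ins still inside the 31-day retention window."""
    return [c for c in checkins if now - c.end <= RETENTION]

def find_exposures(checkins, case_visits, margin=timedelta(0)):
    """Return local check-ins overlapping a published case visit at the same venue.

    Only the public list is downloaded; check-ins are never sent anywhere.
    `margin` (hypothetical) widens the case interval on both sides.
    """
    by_venue = {}
    for v in case_visits:
        by_venue.setdefault(v.venue, []).append(v)
    hits = []
    for c in checkins:
        for v in by_venue.get(c.venue, []):
            # Two intervals overlap when each starts before the other ends.
            if c.start <= v.end + margin and v.start - margin <= c.end:
                hits.append(c)
                break
    return hits

# Constructed sample data (not real venues or cases).
NOW = datetime(2020, 12, 20, 12, 0)
SAMPLE_CHECKINS = [
    Visit("Cafe A", datetime(2020, 12, 10, 12, 0), datetime(2020, 12, 10, 13, 0)),
    Visit("Gym B", datetime(2020, 12, 10, 18, 0), datetime(2020, 12, 10, 19, 0)),
    Visit("Cafe A", datetime(2020, 11, 1, 12, 0), datetime(2020, 11, 1, 13, 0)),
]
SAMPLE_CASES = [
    Visit("Cafe A", datetime(2020, 12, 10, 12, 30), datetime(2020, 12, 10, 14, 0)),
    Visit("Gym B", datetime(2020, 12, 11, 18, 0), datetime(2020, 12, 11, 19, 0)),
    Visit("Cafe A", datetime(2020, 11, 1, 12, 30), datetime(2020, 11, 1, 13, 30)),
]

if __name__ == "__main__":
    kept = purge_expired(SAMPLE_CHECKINS, NOW)
    for hit in find_exposures(kept, SAMPLE_CASES):
        print("Possible exposure:", hit.venue, hit.start, "to", hit.end)
```

Running the purge before the comparison means a record past the retention window can no longer produce a notification, even if the published list still contains a matching case visit.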

The mobile app requires network access, Wi-Fi access and relevant permissions to allow the app to run in the background and send notifications when needed. Moreover, the “LeaveHomeSafe” mobile app performs a check (using the “retrieve running apps” permission under “device and app history”) to ensure that the previous data download task has been completed and that the correct version of the data is retrieved.

The spokesman for the OGCIO stressed that the Government understands public concerns over privacy, and therefore upholds the principle of protecting personal data privacy when designing the “LeaveHomeSafe” mobile app. The program designs of the app on Android and iOS are the same. The app only needs the least amount of access permissions to enable smooth operation and it has also passed relevant code reviews of Google and Apple.

The spokesman reiterated that the Government recognises public concerns over the access permissions that the “LeaveHomeSafe” mobile app uses, will continue to explain the matter to the public, and will invite more members of the public to use the app so as to minimise the risk of virus transmission.

 
