Back to Africa Check

No, South Africa’s Covid-19 tracing app does not access contacts or any personal information

On 16 September 2020, president Cyril Ramaphosa announced an easing of Covid-19 restrictions in South Africa to alert level one.

He also encouraged people to download Covid Alert SA, a new smartphone app. The app is designed to let people know when they’ve recently been in close contact with someone who has tested positive for Covid-19.

But some people are suspicious of the app, fearing it could access and store their private information without their knowledge or consent. A message widely shared on Facebook and WhatsApp claims the app “requires access to all the contacts on your phone”.



“If you are planning to install the Covid tracking app on your phone, please remove me from your contact list and on Facebook before you install it,” a common version of the message reads.

“You do NOT have my permission to use my name, phone number or Facebook in connection with your application to identify me. I do NOT give permission for the government to spy on me as the ‘new normal’.”

Is this true? How does the app work? Can it access the contact info on your phone and “spy” on you?

App does not request access to contact details


The Google Play store, which hosts the Android version of the Covid Alert SA app, lists five permissions for access the app may request. They allow the app to:

  • view network connections

  • pair with Bluetooth devices

  • gain full network access

  • run at startup

  • prevent the device from sleeping



  •  
  •  

The app does not request permission to:

  • modify your contacts

  • find accounts on the device

  • read your contacts



  •  
  •  

These permissions are requested by other commonly used apps, including WhatsApp, allowing the apps to identify people on your contact list.

Privacy and security experts have also pointed out that the Covid Alert SA app requires fewer permissions than popular apps such as Facebook. It requires no login or signup, and does not ask users to provide personal information – their contact details, or even their names.

The app doesn’t require access to your contacts, and doesn’t ask for it. But how does it work? Are there any ways it could use personal information?

System created by Apple and Google


Covid Alert SA was developed by South African insurance company Discovery, but uses an exposure notification system designed by the US tech giants Google and Apple.

As Google explains in detail, the system is designed to require no personal information. It powers a number of exposure notification apps around the world, listed by Apple.

The system may be used only within certain legal limitations, including that an app “not require end users to provide personal data to obtain exposure notifications”, and that the service be used “exclusively for Covid-19 response efforts and not for any other purpose”.

Google says: “The system does not share your identity with other users, Apple, or Google.” And the Covid Alert SA privacy policy confirms that even the companies and government departments responsible for operating the app are unable to “draw any conclusions concerning the identity of app users.”

Random codes for anonymous contact tracing


So if it can’t identify users, how does the app trace Covid-19 contact?

The exposure notification system randomly generates a unique code at regular intervals, which it shares with any devices it detects nearby. If a user tests positive, they can choose to indicate this on the app, and it sends the previous 14 days’ of code data to a central database.

Anyone who has received one of these codes now knows that they have recently been near someone who has tested positive for Covid-19. They can’t tell who the person was, because each code is generated randomly and includes no personal information, but they may now choose to self-isolate and watch for symptoms.

Google explains that the codes are created in such a way that they do not and cannot include information about the individuals they are assigned to. For instance, the codes can’t be altered to include something like location data or personal information.

So even if someone collected multiple codes from one phone, they would not be able to connect the codes to a particular person, or trace that person’s movement.

Even the Bluetooth connection the codes are shared over is encrypted. So two different transmissions can’t be connected to a specific phone until the owner of the phone shares their unique codes with the central server.

‘Doesn’t obtain your identity or monitor your movements’


Privacy experts have expressed approval of this system. The US-based digital privacy advocacy organisation Electronic Frontier Foundation has called this kind of exposure notification system “the most promising approach so far to automated Covid tracking”.

South African data privacy researcher Murray Hunter, formerly of advocacy organisation Right2Know, told Cape Talk radio that the app was safe.

“The government does not collect your location, it doesn't monitor your movements,” he said. “It doesn't obtain your identity or try to identify your contacts.” 

Add new comment

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
limit: 600 characters