Independent media, academics and governments alike have lavished praise on the Vietnamese government for its response to the Covid-19 pandemic, with mass quarantines, effective public health messaging, a focused testing regime and uncharacteristic transparency all applauded.
The Bluezone contact-tracing app appears to be the Communist Party’s latest success story, having been downloaded more than 20 million times and used to trace 1,400 people suspected of infection, according to state media – an efficiency that stands in contrast to the well-documented failings of similar efforts in wealthier nations like the UK.
However, tech experts fear the app has fatal data privacy flaws and contend that it can be used by the state to harvest far more information on users than its developers claim is possible.
The app, developed by leading Vietnamese internet security company Bkav and the Ministry of Information and Communications, was launched in April to little fanfare and garnered only about 100,000 downloads initially.
Since the pandemic resurged in late July though, a PR blitz has helped push the download figures above 20 million as of late August, with reports in state-controlled media, text messages from the Ministry of Health and announcements from Prime Minister Nguyen Xuan Phuc all encouraging citizens to download the app. Drafting a law to make downloading the app mandatory was even mooted in mid-August, as the Health Ministry believes 50 million users are needed to make the app effective.
According to the app’s developers, Bluezone uses Bluetooth signals to log a contact when two phones running the app are near each other, and a close contact when they are within two metres or less. If a user of the app subsequently tests positive for the coronavirus, all those they contacted will be notified, potentially making them an ‘F1’ (close contact of a confirmed Covid-19 patient) and necessitating quarantine.
Tran Viet Hai, head of the team that made the app, told the state-run Tuoi Tre newspaper in August that the app only stores user data on the users’ devices, a claim repeated on the app’s website, which went as far as to say the app “absolutely does not upload such data to the [central] server”.
But one of Vietnam’s top information security engineers disagrees, and says he has proved the app is fully capable of silently harvesting information on who users have been meeting with.
Dương Ngọc Thái has developed a degree of fame within Vietnam’s technology sector thanks to his prowess as a security engineer. One of the country’s top news sites republished one of his blog posts last year, detailing his rise to a top job at a world-leading tech company from humble beginnings.
Thái began writing about Bluezone on his blog when the app first launched in April. His curiosity was piqued after the state’s proclamations that the app was world-beating, as he thought he could help improve it further through his critiques.
In April, Thái used his blog to point out some security vulnerabilities within the app that he said put users’ data at risk of being tracked via the Bluetooth signal on their phone, the most important of which he said the developers later fixed. Once the app came to much greater prominence last month though, Thái brought his privacy concerns to the forefront and pushed back against the oft-repeated state claim that the app doesn’t upload any user data to its server.
He used the software development platform GitHub to post his reverse-engineered experiment that he says proves the app can still collect user data at any time, without the users’ consent.
“The data contains the full contact history collected by the app. This means if I was sitting next to you, and we had our phones with us, the app on my phone would record that it saw the app on your phone, at this time and for how long,” he told the Globe in a recent interview.
While the stated aim of the app is to quickly find all contacts of an infected person, Thái said it could also be abused to determine who a user has been meeting with and for how long.
“The contact history data is kind of anonymised, but the app asks users to enter a phone number. This means the server can map the data to a phone number, and from there to an actual person. This means if you run the app, the server can tell whom you met, when and for how long,” he said.
The developer team for Bluezone did not respond to the Globe’s request for comment.
The implications of a government having access to such information on millions of citizens through Bluezone are particularly worrisome in a state which has become increasingly hostile to rights campaigners and journalists in recent years.
State surveillance in Vietnam has traditionally been run with a ‘boots on the ground’ approach, combining police with Communist Party cadres and neighbourhood wardens to keep an eye on their areas. But according to Vietnam-focused human rights organisation the 88 Project, authorities are increasingly making use of “surveillance monitoring and special relationships with technology companies” to quash dissent.
Liberal Publishing House, an independent publisher of books on public policy and political thought established by government critics in Ho Chi Minh City in February 2019, said they have been the target of extensive state harassment, claiming to have been subject to cyber attacks on their website and Facebook page. In October last year, after hearing reports that several readers of its books had been questioned by police, the publisher issued a statement on its Facebook page warning readers to not publicly comment on its page and to use an “alias, a disposable SIM card, and a different address from your real one” to receive any of their books.
Meanwhile, four members of the Independent Journalists Association of Vietnam, the country’s first such organisation for journalists free of state control, have been arrested in the last year, with the latest facing 12 years in jail for allegedly spreading anti-state information. Even state-backed media organisations have fallen foul of censorship in recent years, as Tuoi Tre newspaper was suspended from publication for three months and fined about $9,500 in 2018 for allegedly misquoting then President Tran Dai Quang and not deleting a reader comment on one article that was deemed to split national unity.
Nguyễn Bá Quỳnh, senior vice president for the Global Delivery Network of Hitachi Vantara Corp and former director of Microsoft’s public sector division in Vietnam, is another longtime Vietnamese technology expert with concerns over Bluezone, particularly regarding data security.
Quỳnh, who advised the government on the controversial cybersecurity law that took effect in 2019, told the Globe that he doesn’t use the app for a number of reasons.
“Bluezone, like many laws, is well drafted but in practice it isn’t implemented in the same way,” he said.
Vietnam lacks a robust legal framework to regulate data privacy and ethical use of data, something Quỳnh believes the country is in desperate need of – particularly as the government pushes big data as a key part of the solution to many problems, such as keeping the country Covid-free.
“Does it [Bluezone] comply with cyber security regulations? Health care regulations? There are strong standards in health care like the Hippocratic oath. No one can say it’s been certified, so how can they ask people to use it?” he asked.
While tech insiders may be reluctant to entrust their data with Bluezone and the government, the huge download numbers suggest the Vietnamese public lacks the same reticence.
ISEAS – Yusof Ishak Institute visiting fellow and former executive editor of Vietnam’s top English-language news outlet, VnExpress International, Dien Nguyen An Luong cautioned in a recent op-ed against haste to paint apps like Bluezone as an “insidious scheme” by authoritarian governments to step up surveillance. He noted that revelations to the contrary may merely be academic when it comes to public opinion.
“Many Vietnamese do not mind giving up a modicum of privacy if it means saving lives. Seen in such a light, any discussion of privacy rights at this point is a luxury and smacks of elitism,” he wrote.
Luong and co-author Benjamin Hu recently analysed social media posts about Bluezone and found that positive keywords and phrases such as ‘patriotism’ and ‘protect the community’ were far more prevalent than anything mentioning the risks associated with the app.
Meanwhile, a recent study from the Ho Chi Minh City-based Indochina Research market research company found only 30% of Vietnam’s urban population feel any concern when sharing their personal data online, adding weight to Luong’s findings and suggesting that for many Vietnamese citizens, the ends may justify the means when it comes to Bluezone.
If the public has a laissez-faire attitude to Bluezone, the state is concerned with firmly controlling messaging around the app, as evidenced by the flurry of reports of organisations forcing their members or employees to download it, and fines for people deemed to have shared false information about the app.
With respect to Thái’s investigations into Bluezone, online discussions have run the gamut of emotions. Attitudes towards Thái’s work range from gratitude, to constructive debate about privacy concerns amid a pandemic, to personal attacks – with one commenter on forum LinkHay calling into question his ethics and patriotism by publicly discussing the app’s flaws, going as far as to call him “filthy and untrained”. Another commenter on GitHub even accused him of working against Vietnam’s efforts to combat the pandemic.
Whether any trolling of those speaking out about Bluezone is state-sponsored or not – Vietnam has a 10,000-strong military unit to combat “wrongful information” online – what’s clear is government messaging surrounding the app has returned to the opaqueness common before the onset of the pandemic.
“It is their unusually extraordinary level of transparency in governance and public communications since the pandemic broke out that has enabled the Vietnamese authorities to win public hearts and minds. It would thus be a risky bet for the government to gamble such otherwise unlikely transparency away on some insidious scheme,” wrote Luong in late August.
While that gamble appears to have paid off in the court of public opinion for now, the future of Bluezone may well depend on a return to that much-applauded transparency from the Vietnamese state.
“The developer team states that they only use the data for contact-tracing, and only authorised health authorities are allowed access,” said Thái. “Basically they ask users to trust them, but don’t give anyone any means to verify.”