The applicants, Itumeleng Ditlhotlhole and Samuel Molaodi, who say in their court documents that they are registered users of the application and identify as Information Technology (IT) gurus, want the government interdicted from further availing the application for use until the security breaches are rectified.
Bsafe is the official digital contact tracing application, which records the entry and exit of persons who have valid permits around the country. It was launched on June 14, 2020 through a media release and was meant to improve contact tracing of those potentially exposed to COVID-19 through the use of innovative wireless technology at service points.
Now the application has been labeled ‘unsafe’. According to court papers, the applicants, who have cited amongst them the Presidential COVID-19 Task Team Coordinator and the Director of Health Services as the respondents, have filed an urgent application challenging the safety of the application.
Their main contention is that the application, which has been in use since its launch, has vulnerabilities, especially ones that expose people’s personal information.
In his founding affidavit, Ditlhotlhole says he registered for the application on June 19, 2020 and had been using the app ever since, until he noticed the lapse in security.
He explained that on August 19, 2020, whilst logged into the application with his credentials, he decided to inspect the Bsafe web page, as he usually did with other web applications that he uses, and was shocked to see other people’s personal information when he inspected it and made edits to get his own information.
“Whilst inspecting the network interaction of the application homepage under the network tab, it came to my attention that editing the data parameters in order to get my travel history between certain dates, returned a response which contained information of people I do not know, most of which was personal. I edited the time parameters again with a different time period and the result was the same,” he said. Ditlhotlhole explained that it was then that he realised the contact tracing application has an information disclosure or data leak vulnerability.
He said that following this realisation, he contacted attorney Senwelo Modise to enquire how he could disclose the vulnerability to the relevant stakeholders and what he could do to protect himself from harm occasioned by his exposed personal information.
According to him, the attorney asked for a proof of concept of the vulnerabilities identified so that she could get an appreciation of the issues raised.
“After going through the proof of concept and verifying my findings, she contacted Samuel Molaodi, a client of the firm whom she had identified on my findings amongst the many people who were exposed.
Molaodi confirmed that the details leaked by the application were his and it further verified that the vulnerability I identified indeed exists,” he said.
On the disclosure, Ditlhotlhole said that by a letter dated August 24, 2020, sent through his attorney, he disclosed the vulnerabilities he identified and set out the impact their existence has on his constitutional right to privacy and that of all the other multitudes of users exposed.
He pointed out that the Coordinator of the Presidential Task Team, Dr Kereng Masupu, and the Director of Health Services, Dr Malaki Tshipayagae, responded to him through a letter dated September 3, 2020, indicating that they had made recommendations to the Task Team and that they would give him feedback as soon as there was a response.
He said, however, that the response was not forthcoming, so on September 18, 2020 his attorney addressed a letter to the respondents enquiring about the feedback they were promised, and they responded noting that there had been no response from the Task Team.
“The vulnerabilities still exist as at today. The personal information of the users including us the applicants, is being disclosed improperly and this needs urgent attention, hence the urgent application,” he said.
The applicants want the State interdicted from making the application available with immediate effect, directed to carry out appropriate security assessments on the application within five calendar days, and directed to carry out a privacy impact assessment of the application.
Furthermore, in the alternative, they want the State directed to delete the applicants’ personal data that is presently being processed by the application, and the applicants granted such further alternative relief as the court may deem necessary.
The applicants are represented by Collins Chilisa Consultants while the Attorney General, who has also been cited in the matter, represents the respondents.