About this App and its creators
Name of the App
- Coronavirus (COVID-19) self-assessment tool
Short description of the App
- Helps you decide when to visit a healthcare center, distance yourself or get tested
Icon of the App
Languages supported by the App
-
ar
-
bn
-
de
-
en
-
el
-
es
-
fr
-
hi
-
id
-
it
-
ja
-
pt
-
ru
-
ur
-
vi
-
chi
-
zho
-
URL of the App on iTunes
- N/A
URL of the App on Google Play
- N/A
Website of the App in English
- https://www.humandx.org/covid-19/assessment
Website of the App in the local language (if applicable)
- N/A
What’s the region and purpose of the app (for one-line overview)
- Global COVID-19 self-diagnosis tool.
What are the main features of the App? How are these features intended to help with fighting the disease?
- self-assessment
Who develops the App?
- humandx
Who operates the App?
- humandx
Who sponsors the App?
- humandx
Who governs the App?
- humandx
What third-party Service Providers are used for the App?
We found third-party trackers on the website from:
- Amplitude.com: website visitor analytics
- Google Analytics: website visitor analytics
- Stripe: electronic payments None of these are necessary to offer the provided service. The site itself is hosted on Google web hosting. Source: [technical-analysis], checked on 2020-07-27
Are all Service Providers under legal obligations consistent with the needs of the App? This may particularly be an issue if a Service Provider is subject to a different jurisdiction than the App Creators or App Users, or if the Service Provider can be legally compelled in their jurisdiction to break their obligations to stakeholders of the App.
- Not known.
Stated goals of the App
What are the stated goals of the App?
- “This tool will help you decide: when to visit a healthcare center, whether to distance yourself, if you should get tested”. Source: [website], checked on 2020-07-27
Side effects of the App
Are there any others goals, not stated by the App Creators, that they are known to also accomplish with this App, or that they could also accomplish with this App in the future?
- Statistical analysis of users, e.g. what symptoms to users from which geographic region experience?
Are there any other goals that others (not App Creators) could also accomplish because this App exists, or is used by certain Users?
- Not known.
Are there notable side effects in the use of this App?
- No.
App users
Social context of using the App
Is usage of the App required under some circumstances? If so, by whom? What are the consequences of not using it?
- No.
Are there non-trivial incentives (e.g. financial, access) for using the App? Are there social pressures to use the App?
- No.
Is a minimum penetration of App usage required in some population before the App can start to be effective?
- No.
Are there social pressures on the App User resulting from the use of the App, or from information shown by the App? (E.g. if the App indicates that the App User has likely been infected.)
- Not known.
Are there social pressures on anybody resulting from information shown by the App run by another App User? (e.g. pressures on an App User’s family or friends if the App identifies the App User as likely infected)
- Not known.
Is the App available in all languages and localizations most appropriate for the intended App User population?
- Yes.
Operations
Describe the principle of operation
- The App User answers a series of questions related to their demographics, recent behavior and current health, from which recommendations are generated on the subjects of contacting a health provider, distancing and testing. No documentation is available how the provided information leads to the generated recommendations. Source: [website], checked on 2020-07-27
Usage metrics
- 200,000 users have accessed the tool. Source: [website], checked on 2020-07-27
Effectiveness metrics against the disease
Privacy
Can identities of App Users be tied to, or can they be correlated to specific individuals, and if so, by whom?
- No.
How are new App Users onboarded on the App? What information do they need to provide to be able to use the App?
- As part of the questionnaire, the App User is asked for age range, whether they are a healthcare professional or care for a family member. It is not possible to skip answering these questions. Source: [technical-analysis], checked on 2020-07-27
How long is collected data retained, and where?
- Not known.
Are any Backups being made whose retention is longer than the declared Data Retention Period? How is it guaranteed that Backups are deleted on time?
- Not known.
Has a Privacy Impact Assessment been performed, and if so, where can it be obtained? Which recommendations have been implemented, and which not? If no such assessment has been performed, why not?
- Not known.
Is the App compliant with local regulations on privacy, in particular on privacy of health-related information?
- Not known.
Is the App consistent with global best practices on privacy, in particular on privacy of health-related information?
- Not known.
What assurances exist that the App will be shut down promptly when appropriate (e.g. when the pandemic has passed, or better approaches for combating the disease have been found)?
- Not known.
Is any data collected by the App transmitted beyond the App? If so:
- Who is the receiver of the data?
- What is the data that is being transmitted?
- What are the terms under which the data is transmitted, and what are the safeguards that guarantee the terms are not being violated?
- Can the transmitted data be correlated by the received with other data they may have or may be able to obtain?
- Not known.
Is any data imported by the App from other sources? If so:
- Their privacy policy allows them to combine data provided by the App User with data from other sources. Whether they actually do so for this tool is not known.
Is there a Privacy Policy, and if so, what type of privacy policy is it?
- privacy-policy
If there is a privacy policy, where can it be found, and how loose/airtight is it?
- It is unspecific with respect to what happens with the data entered into the tool. Source: [privacy-policy], checked on 2020-07-27
Retention
Is data not required any more for the stated goals promptly deleted?
- Not known.
Security
What technical approaches (e.g. cryptography) does the App use to protect all aspects of the App (e.g. confidential information, operational integrity) from Attackers?
- Not known.
How is Data At Rest being secured? Discuss all locations at which Data At Rest exists.
- Not known.
How is Data In Motion being secured? Discuss all transfers between locations at which Data At Rest exists.
- Website is accessible with https.
If an App User’s unlocked mobile phone is stolen, what is the maximum impact of the breach on the App User, other App Users, third parties including the App system itself, and effectiveness against the disease?
- Assumed to be negligable.
How are the operations of the App monitored with respect to attempted, or successful, Attacks?
- Not known.
What operational approaches does the App use to protect all aspects of the App (e.g. requiring two-factor authentication, approval of commits by a second person) from Attackers?
- Not known.
What are the operational procedures for access to highly privileged credentials (e.g. server or encryption root keys)?
- Not known.
Can App Users verify their build of the App User (e.g. using technologies such as Reproducible Builds)?
- N/A
Has a process been defined for reporting and responding to a security breach? If not, why not?
- Not known.
Which entities are required to be trusted by App User to not cause or prevent adverse effects against them?
- The App Creators and the Google hosting infrastructure.
Have there been any reports on attempted or successful attacks on the integrity of any aspect of the App? Do the App Creators report on such attempted or successful Attacks? If not, why not?
- Not known.
Are there any reports on attempted or successful correlation of any of the data handled by the App with data from outside the App, or any attempted or successful Re-identification of anonymized or pseudonomized data?
- Not known.
Are there any reports on attempted or successful Data Poisoning of some of the data handled by the App?
- Not known.
Has an independent security review been performed, and if so, where can it be obtained? Which recommendations have been implemented, and which not? If no such independent review has been performed, why not?
- None found.
What are the procedures and requirements for eligibility of any App Creator employees or contractors to participate in any aspect of the development, operations or governance of the App?
- Not known.
User education, consent, support and agency
- N/A
If the source code is available, under which license is it available?
- N/A
How do new App Users discover, and obtain access to the App?
- The App Creators encourages visitors to promote the website on Twitter and Facebook. Source: [website], checked on 2020-07-27
How is user support handled?
- Not known.
How is the user experience, user understanding, and technical performance of the App being monitored in the field?
- Not known.
Can App Users request a copy of the data that has been retained about them? Is the process simple and quick? Is the obtained data easy to understand, verify and use?
- No related functionality found. Source: [website], checked on 2020-07-27
Can previous App Users request a permanent deletion of the data collected about them? Is the process simple and quick?
- No related functionality found. Source: [website], checked on 2020-07-27
Can App Users request a correction of data about them? Is the process simple and quick?
- No related functionality found. Source: [website], checked on 2020-07-27
Can parents or guardians act on behalf of their children in all aspects of the App?
- Yes. Source: [website], checked on 2020-07-27
Is there an effective complaint process by which App Users can raise issues with the App, or issues with the impact of the use of the App has on them? (not bugs, not technical issues; that is handled in the support question)
- None found.
Are App Users being educated about what it means to use the App, and give their informed consent prior to using the App?
- The website is clear that it does not want to be considered to be providing medical advice. It is unclear how the data collected by this tool is being used.
If the App performs several distinct functions, can the App User opt-in to some and opt-out of others?
- N/A
Usability
Managed or processed data
What data does the App handle? Where in the Architecture is which data stored or processed? Is all data handled by the App strictly required for the stated goals?
- Submitted through the user’s browser, and all processed and stored in the Cloud Component.
Federation with other Apps
Is the App a standalone system (“stovepipe”) or is it intended to be used in Federation with other Apps created by others? If so, what are the supported Federation technologies (e.g. protocols/standards), operations and governance?
- Standalone.
Service Providers used with the App
What third-party Service Providers are used for the App?
We found third-party trackers on the website from:
- Amplitude.com: website visitor analytics
- Google Analytics: website visitor analytics
- Stripe: electronic payments None of these are necessary to offer the provided service. The site itself is hosted on Google web hosting. Source: [technical-analysis], checked on 2020-07-27
Protocols
Technology
What Architecture does the App use?
- architecture-cloud
Is source code of the App available?
- source-licensing-closed
What kind of Cloud Component does the App use?
- cloud-only-operator
What approach does the App take to contact tracing? (If it does)
- N/A
Is the App based on anonymous, pseudonymous, or fully identified App Users?
- userid-anonymous
Governance
How are decisions made about technology and operations of the App?
- Not known.
How are decisions made about governance of the App?
- Not known.
Is there a public roadmap for the App, and if so, where can it be found?
- None found.
Is there a whistleblower process for people involved in any aspect of the development, operation, or governance of the App? If not, why not?
- Not known.
Should assertions by App Creators prove to be false, or their behavior to be negligent, what are the remedies available to App Users?
- Not known.
Is the entire process of App development and operations publicly documented?
- No.
Validation by third parties
Which third parties have researched the effectiveness of this App against the disease? Are their reports publicly available, and if so, where?
- The website states that it has “incorporated input from our community of tens of thousands of physicians along with clinical guidelines from … institutions” such as the World Health Organization and others. However, it is unclear whether any of those institutions has verified the correctness of recommendations by the site.
Which third parties have researched the potential downsides or risks of this App? Are their reports publicly available, and if so, where?
- None found.
Has any third-party audit been performed of the App? Who performed the audit, are their reports publicly available, and if so, where?
- None found.
Are any major discrepancies known between self-assertions by the App Creators and Inference or Audits by third parties?
- N/A
Are all relevant technologies, processes, governance and their internal and public documentation periodically and timely updated?
- None found.
Audits
Source code
If source code is available, where can it be found?
- N/A
Other notes
Any other notes that may be of interest
- N/A
Disclaimer and open issues that do not fit into any of the other questions.
- Please note the general disclaimer. We appreciate feedback and corrections.
Sources
List the information sources used for this assay, plus URL and whether they are self-asserted vs inferred vs from an Audit.
-
Website (self-assertion) [website]
-
App Assay Technical Analysis (inference) [technical-analysis]
-
Privacy Policy (self-assertion) [privacy-policy]
-
Rating
Ratings by self, third parties and any audit for the effectiveness of the App
-
self-green
-
others-dontknow
-
Explanatory comments for the rating of the effectiveness of the App
- Insufficient information is available to assess the effectiveness or correctness of the provided recommendations. The statement that “we have incorporated input from our community of tens of thousands of physicians along with clinical guidelines from the following institutions …” does not mean the site’s recommendations must be correct.
Ratings by self, third parties and any audits for the avoidance of potential risks and downsides of the App
-
self-dontknow
-
others-dontknow
-
Explanatory comments for the rating of the avoidance of potential risks and downsides of the App
Issue a recommendation to App Users
- There are many similar websites for COVID-19 self-assessment. Given the open questions, the website of your healthcare provider or public health authority may be a better choice.
Recommendations to the App Creators
- Publicly document how you derive the recommendation from the provided data. For example, you could publish the source code of the algorithm, together with all relevant numerical parameters.
- Just like you explain that you are not providing medical advice, explain, in detail, what happens to the data users enter. Is it stored? For how long? Who has access to it? And so forth…
- Remove all third-party trackers from the parts of your website where medical or personal information is entered.