Case study: how the use of Progressive Web Apps may trigger data protection

I was hesitant to speak about contact tracing apps because so many people speak on the subject and the ratio of repeating the same cliches over and over is also high. Little insightful things are left to be said in this rather simple problem. But recently it emerged that a particular contact-tracing app is using an approach that triggers a potentially controversial issue.

Covid-19 contact tracing is a sensitive area. Not only concerns the health data of millions of users. It is also about tracking proximity and contacts between those people, and about installing state-supplied apps. The topic is so big that Google/Apple updated  operating systems to deliver a special API. Until now most controversies in contact tracing revolved about the collection of geolocation data, or the architectural approach - centralized or decentralized . Now there is another case in point.

A particular contact tracing app, ProtegoSafe (developed for Poland as an official state-supported app) is dynamically loading (like, from the internet) some logic of its operation using Progressive Web Application approach  (documented here: 1 , 2 ).

Progressive Web Applications( PWA ) is a design method that allows building rich web applications that from a user point of view behave (look and feel) just like native apps. PWA allows a simple way of updating the app. When used in mobile apps, PWA could provide faster updates than through the official Android or iPhone app stores.

The way it works is that when an application is using the PWA model, some of its parts must be downloaded from remote servers . In case of a web browser this is typically about downloading a file called Manifest , with definitions describing the app configuration (look also at my privacy analysis of Progressive Web Applicationshere). This happens for example when the app is first installed or when PWA is updated dynamically. In practice, this is an HTTP(s) request to the site. Meaning - the IP address of the application user is communicated to the server controlled by authorities (here in the case of this particular app, the Ministry of Digital Affairs ).

But because the Ministry is a public institution and so it has authority over resolving the IP address to the actual identity of the user , IP addresses in this context may potentially be regarded as personal data, singling out individuals .

This means that the already sensitive data processed in contact tracing app would be even more sensitive because they - if so happens - would be of identified persons . This then would make the case of the system being even more sensitive and forms a fascinating GDPR case study . In line with EDPB opinion , this should of course be reconciled in the privacy impact assessment (which is advised to be made public, as of this day this did not happen).

But this is also a much broader and so more interesting issue.

Is the use of Progressive Web Applications by public institutions in line with data protection or does it violate user’s privacy? Court of Justice of the European Union has ruled that indeed IP addresses are in some cases personal data . It’s the influential Breyer case :

IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.

Which, one could imagine that it may apply to the particular situation of using Progressive Web Applications by public institutions, in general ?

But if in some contexts the use of PWAs brings certain consequences that may be different than in some native standalone applications, the issues must be tackled. In general, systems (so apps) should always ensure that the right  grounds for data processing exist. The particular point described in this note may in certain cases need to be taken into consideration by the development teams.

Did you like the assessment and analysis? Any questions, comments, complaints or offers? Feel free to reach out: me@lukaszolejnik.com