FNB is using its mobile banking app for COVID-19 contact tracing among its employees, the bank has confirmed to MyBroadband.
A MyBroadband reader recently noticed that the latest FNB mobile banking Android APK – 5.8.5-33 (53) hce, version 1901 – contained traces of BlueTrace code.
BlueTrace is an open-source contact-tracing protocol developed by Singapore’s government for use in its official TraceTogether application for smartphones.
It has also been adopted in Australia, where it is employed in the government’s official COVIDSafe app.
The application protocol uses Bluetooth to determine if a user possibly comes into proximity with another user that has tested positive for COVID-19.
It is able to measure how long and at what distance users with the app were in contact.
This is similar to the way in which Google and Apple’s exposure notification API works.
BlueTrace does not track the location of users, but only flags these encounters and notifies a user if they had possibly been exposed.
They are then given the option to submit their locally-stored encounter history to the health authority.
According to BlueTrace, users have control of their personal data and are able to withdraw consent, which will result in the deletion of all personally-identifiable information from the database.
The reader discovered multiple instances of code referring to the BlueTrace protocol in the package’s Android Manifest and the R.java file.
He also provided what appears to be a screenshot of a push notification requesting the user turn on tracing again.
It was unclear how he had managed to disable the feature, but there is no mention of COVID-19 contact tracing functionality anywhere on the app or within its settings.
There are no indications that FNB notified its customers it would implement a COVID-19 tracing feature in its app, either, and the patch notes on the Google Play Store make no mention of the change.
The images below show screenshots of the notification and references to BlueTrace within the FNB Android APK.
For staff use only
MyBroadband spoke to FNB Consumer Executive Christoph Nieuwoudt and Head of the FNB Banking app Giuseppe Virgillito regarding the functionality.
According to Nieuwoudt and Virgillito, the BlueTrace COVID-19 contact tracing functionality has been integrated into the app but is limited for use by FNB staff.
The bank encourages its employees to install the same app which consumers use, but this comes with certain added functionality.
“FNB confirms that in addition to its solutions for symptom screening and temperature logging, it developed a co-location solution for its staff members to provide them with the option of receiving additional warning of potential COVID-19 exposure at work and piloted this with staff from May onwards,” Nieuwoudt stated.
The bank had implemented the contact tracing feature to supplement its manual contact tracing efforts and assist in protecting its staff members from the spread of the virus.
“The functionality is designed to fulfil Health and Safety requirements that are stipulated by the Department of Employment and Labour,” Nieuwoudt explained.
He emphasised that the solution is for FNB staff only and has not been enabled for customers.
Nieuwoudt explained that the technology is fully privacy-preserving with random tokens stored and analysed only on the device itself.
Additionally, it does not record geolocation and employees have the choice to opt-in to the feature.
“By digitising the symptom screening and temperature logging process, the Bank has empowered its employees to manage their personal safety and the safety of those they come into direct contact with,” Nieuwoudt said.
“The functionality also serves as a repository for employees to track their symptoms and temperature over a period of time, with the ability to download the information as a PDF if and when required.”
“The information of those who use the COVID-19 functionality for symptom screening and temperature logging is securely protected with all the security of the FNB app,” Nieuwoudt said.
He added that the solution protects the privacy of users and the information has not and will not be shared with any third parties.