mObywatel follows Poles like Pegasus? Let’s get this straight

Comments in the same style appear under almost every text we write about mObywatel. Many people repeat like a mantra that the government application spies on citizens. Where did this come from and how much truth is there in it? I’m translating now.

The entire panic stemmed, among other things, from one entry on the X platform (formerly Twitter). Its author is Dawid Adamczyk, who describes himself as a lawyer, political scientist and liberal. He published the list of permissions to which the mObywatel application has access. The problem is that while Mr. Adamczyk may know law and politics, he does not necessarily know new technologies.

In his entry, he mentions, among other things, that the mObywatel application has access to the camera, so it can record citizens at any time and then transfer such materials to external servers. He also complains about the functions of biometrics, Internet access (???) and even NFC.

It should be noted that Mr. Adamczyk probably did not rely on his own knowledge. He also posted a link to the video on YouTube on X. This is material by Jan Piński, former editor-in-chief of the monthly “Uzywam Rze”, in which he talks to Tomasz Szwejgiert – a journalist, writer and former employee of the CBA and ABW.

This material contains information about the alleged tracking of citizens by mObywatela. The authors of the film claim that the application is surveilling Poles. They even compare it to the famous Pegasus, which was used to actually track politicians, lawyers and journalists. Piński and Szwejgiert also refer to the list of application permissions, but they do so without understanding how they work in practice.

Moreover, in the comments under both the YouTube video and the post on X, the majority of voices talk about the authors’ lack of knowledge. Despite this, some people apparently believed this sensational information and continue to repeat it to this day, also in comments on TELEPOLIS.PL.

The case received such wide coverage that the Ministry of Digitization, i.e. the ministry responsible for the development of the mObywatel application, also decided to react to it. An article appeared on the government website dealing with false information.

Mobile applications use various device functions to perform their basic tasks. mObywatel has access to a camera to scan QR codes during identity verification, the application has access to the location to show precisely points on the map, e.g. in the service of making appointments at ZUS or Air Quality. The application may also have access to files, but those specified by the user, e.g. in order to download and save confirmation in PDF format.

It is also worth remembering that mobile applications do not work completely independently. They can only do what the operating system allows them to do, in this case Android or iOS. Both have advanced privacy controls. If the mObywatel application actually spied on citizens, it would not be allowed in the Play Store or App Store.

But let’s get down to specificsbecause such reports must have met with a response from people who actually know how to create mobile applications. A film on this topic was prepared by, among others, Mateusz Chrobok, an expert in cybersecurity and artificial intelligence.

In Android, from the very beginning, the system was designed in such a way that each application was in a separate sandbox. What does this even mean? This means that among themselves (…) if they want anything from the operating system, any permissions, they have to ask for it politely (…) Maybe ask for a camera, to save files on disk and other such things. What is important? If the application has any write permissions, it saves these things only in its own space. This is the whole concept of sandboxing and separating applications from each other.

What is it used for? In situations where an application wants to save some information locally that it needs. It may be, for example, a database, a certificate, a driving license or simply a PDF file that we want to download from it. This does not mean that mObywatel can read other information on the phone, e.g. our photos.

The author deals with all the rights of mCitizen step by step (I recommend reading the material). It refers, among other things, to her use of a camera, which in this particular case is used to read QR codes. They, in turn, are used, for example, to log in to government websites. Importantly, it is the user himself who decides whether to grant such access to the camera. If you don’t agree, the operating system simply won’t allow it.

List of running applications. This doesn’t return anything at all in the latest Androids and doesn’t work. It’s a workaround for things in old Androids. They won’t see what applications you have running on your phone if you have Android newer than 11. When it comes to FireBase, i.e. collecting information via Google, it is configured so that only encrypted push messages go through it. No analytics, no personal data.

Another expert also commented on the topic – Marcin Bunsch, who is the creator of mobile applications. He mentions, among other things, SENTRY, which – according to Piński and Szwejgiert – is supposed to record everything we do on the phone. The thing is, it’s a bug monitoring app. It does have a Replay function, but the point of it is to see what happened in mObywatel when an error occurred.

But why spread panic and talk nonsense about things you don’t understand?

Additionally, it should also be noted that: By installing the mObywatel application, we give the government access to our data – ID card, driving license, etc. Yes, such absurd arguments also appear. No, we do not give the government access to this information. He’s had them for a long time. This is, among other things, the role of the state. It’s quite the opposite. We are the ones who get access to the data that the government already has about us on our phones.