7 minute read
Devil’s Advocate: COVIDSafe
COVIDSafe
As our way of life continues to be shaped by the spread COVID-19, citizens in many countries have been encouraged to download contact tracing apps, which simplify the complicated manual contact tracing process. Australia’s COVIDSafe app is one such example, however it has been the subject of intense scrutiny to determine whether it might seriously jeopardise users’ personal private information. More than 5.5 million people have signed up to the Australian government’s COVIDSafe app. The app collects information including a user’s name or pseudonym, age, contact number and postcode. This information is formed into an encrypted code which, once Bluetooth is activated, is automatically shared with the apps of other users nearby. The encrypted codes are stored on both devices for 21 days before they are deleted.
Advertisement
Against
Beth Jones
Although it is undeniable that the Federal government’s COVIDSafe app is designed to protect Australians from Covid-19, there are serious privacy concerns relating to the app that cannot simply be dismissed. The app continues to be riddled with inefficiencies and experts have argued that it is effectively useless on iPhones unless it is continuously running in the forefront of the phone. The times during which the app will be most useful and crucial are when people are using public transport or at shopping centres. Unfortunately, these are times when the app will most likely be running in the background, as people will be using their phones to look at social media and check emails. Australia’s COVIDSafe app was modelled on Singapore’s contact tracing app TraceTogether, which also experienced these issues, with users complaining that they were not able to make phone calls whilst the app was functioning.
Government Services Minister Robert Stuart even acknowledged that the app might not work very well on iPhones in a press conference announcing the release of the app to the public. Even though the Government knew about the ineffectiveness of the app on iPhones, it still chose to release the app to the public before this issue was resolved. It is arguable that the app was not even necessary at the time that the country was under strict lockdown restrictions. Additionally, the government failed to provide concrete privacy protection to the millions of users of the app. If the app is not even safeguarding the public from widespread infection, then it is certainly not worth the risk that it poses to our privacy.
The Health Minister Greg Hunt has repeatedly assured Australians that only state health departments responsible for contact tracing will have access to this information, and law enforcement agencies would not be granted access to this data under any circumstances. However, the legislation does not explicitly prohibit access via warrants or court orders. Perhaps the most concerning feature about the laws regulating the use of information collected by the app, is that the laws were only passed on 14May, nearly three weeks after the release of the app.
When an individual tests positive for COVID-19, the app prompts them to upload the encrypted codes collected by their app onto a central server located on Amazon’s Web Services server in
Australia. Experts have warned that this central server will be viewed as an irresistible honeypot by hackers hoping to gain valuable information about the Australian public. All of the data stored on these servers will be deleted once the Health Minister declares that the pandemic has ended. This ambiguous timeframe is concerning, as the Health Minister is afforded broad powers which could easily be exercised for improper purposes, and the data could potentially be stored for years before it is declared that the pandemic has officially ended. It would be safer for the data to be deleted as soon as the contact tracing process for each confirmed case is complete.
The government released the source code for the app on 15May, but it has yet to release the server code, which is a deviation from Singapore’s approach as they released both. The release of the source code allows independent security experts to scrutinise the app and determine possible security weaknesses. However, the server code shows what the server, i.e. the government, is actually doing with the data. Clearly, there are multiple ways in which the personal data of millions of Australians could be breached, and these privacy concerns cannot be outweighed by the intention that the app will protect public safety by stopping the spread of Covid-19.
For
Rachel Hay
It may be tempting to dismiss the Australian government’s COVIDSafe app as an untrustworthy and opaque initiative, belonging to dystopic narratives. In some ways, this fear is not difficult to understand. The 2016 Census DDoS attacks, controversial ‘My Health Record’ protections and more have all contributed to a perceived ‘cavalier disregard’ for Australians’ privacy. However, as the global health crisis continues to develop, embracing technology and its strengths could be key to our return to normality.
Firstly, COVIDSafe has potential to significantly improve the efficiency of the current contact tracing process. The app will reduce time spent identifying, notifying and isolating people at risk, preventing the further spread of COVID-19 and supporting the gradual ease of lockdown measures. While contact tracing apps are certainly not bulletproof, people can be reasonably confident in leaving their home safely if
they have not had close contact with a confirmed case. This is important as between one-third to one-half of COVID-19 transmissions occur before individuals are symptomatic, as demonstrated in a recent Oxford University epidemiology study. It was also found that, while making various assumptions, if 56% of the population used the app, it could effectively avoid any resurgences of COVID-19 in a country. In South Korea, extensive digital surveillance has been utilised to successfully manage the COVID-19 outbreak. Contact tracing has been conducted through surveying individuals’ movements through debit card or credit card transactions, precise phone locations and also CCTV footage. People at risk are notified and locations of infections are made publicly available. These measures, together with widespread testing, have been instrumental in containing the outbreak.
In this sense, the COVIDSafe app’s primary objective is to protect the collective community, not the individual. We have already witnessed the rapid global devastation that COVID-19 has wrought; if the appropriate privacy protections are afforded to users of COVIDSafe, it is perhaps a small individual sacrifice of personal information to pay compared to the thousands of lives that may be lost. At least, it could alleviate the severe social, psychological and economic impacts of lockdown measures until a long-term solution like a vaccine or treatment becomes available.
Secondly, in a bid to increase public trust and uptake of the coronavirus app, the Australian government has implemented the ‘strongest privacy safeguards that have ever been put in place by any Australian parliament’, as described by shadow Attorney – General, Mark Dreyfus. The Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth), passed on 14 May 2020, amends the Privacy Act 1988 (Cth) and replaces the interim Biosecurity Determination made under the Biosecurity Act 2015 (Cth). The legislation makes it an offence for anyone to collect, use or disclose data gathered by the app, with the exception of State and Territory health authorities using app data for the purpose of contact tracing. Similarly, it is an offence to upload data without consent, retain data outside Australia, decrypt encrypted data from the app and to coerce individuals to use the app. These offences attract up to 5 years imprisonment and/or a $63,000 penalty. Accordingly, the data cannot be used by other government agencies such as police, even with a warrant. The OAIC has also been empowered with greater oversight of state and territory authorities. Further, all user data will be deleted from the COVIDSafe server and all users will be informed that they should delete the app once the app is determined no longer necessary. As an added measure, the app deletes information about user ‘Bluetooth handshakes’ after 21 days, roughly the COVID-19 incubation period, and does not track location of users, only when close contact is recorded with another user.
Therefore, in light of the significant protections that have been afforded to users under legislation, privacy concerns are arguably not compelling enough to outweigh the potential improvements that COVIDSafe could offer in this devastating pandemic.
