In its rush to restart the economy the federal government is keen to get us all signed up to a new COVID-19 contact tracing mobile phone app. There are legitimate concerns about how our data and privacy would be affected.
Prime Minister Scott Morrison wants the app rolled out in the next few weeks. It is based on the TraceTogether app being used in Singapore, which uses Bluetooth to detect when COVID-19 positive app users have been in close proximity to other app users.
Rather than logging the location data from the phone’s GPS signal, which is not accurate, the app uses the strength of the Bluetooth signal to measure proximity. When someone tests positive for COVID-19 the app is used to see who they were in close proximity to for 15 minutes or more in the weeks prior to infection.
From the information the government has released so far we know that: the data on each phone would be encrypted and only stored for 21 days; and only state health officials would be authorised to track carriers of the virus and alert those who have had contact with the infected person to get tested and self-isolate.
For such an app to be effective, people need to download it and consent to sharing data using the app. People also need to have their phones on, and with them, and with Bluetooth enabled at all times.
Government services minister Stuart Robert told Radio FiveAA Adelaide on April 16 the app merely digitises a manual process. “Currently, if someone contracts the coronavirus or COVID-19 virus, we go through a manual tracing process to ask them who have they been close to, so we can contact them to see if they’ve got any symptoms and encourage them to get tested. All we are now going to do is to digitise that tracing capacity, very similar to what Singapore has done.”
Robert and Morrison have been on the public relations offensive following Morrison’s radio interview on Hobart’s Triple M on April 17, in which he refused to rule out that the app may become mandatory. After blow back from the Nationals' Barnaby Joyce, he clarified the next day that it would not be mandatory.
To be effective for its stated purpose, the government needs 40% of the population, approximately 10 million people, to download and consent to using the app. Interestingly, only 20% of Singaporeans have downloaded it.
Leaving aside the security concerns about Bluetooth itself and why requiring people to walk around with Bluetooth enabled is not a good idea, there are also questions as to whether mobile phones are even up to the task.
Importantly, it is not clear is how laws already governing encryption could impact on the COVID-19 data collected and used by the app.
Australian Lawyers Alliance (ALA) national president Andrew Christopoulos pointed out that while the app may make sense “as a public health initiative”, there is a political context.
He said trust is missing, pointing out that “since 9/11 governments have had a poor track record when it comes to misusing surveillance laws and powers”.
“Without clear laws in place, the risks of the data being illegally accessed, used for unintended purposes or used beyond the immediate health crisis are high,” he said.
The ALA wants the government to agree to have the operation of the app reviewed every three months by the Australian Information and Privacy Commissioner to ensure there is no breach of the Privacy Act.
It also wants assurances that the information collected has only been used for the management of the COVID-19 pandemic.
“The legislation that governs the app must clearly state that its use is limited to minimising the danger of community transmission of the COVID-19 virus.
“A sunset clause is essential, but we caution that these have previously been inserted into anti-terror laws, only for them to be later removed, proving that they do not provide adequate protection,” Christopoulos said.
The Electronic Frontier Foundation also weighed in, pointing out that “Contact tracing applications cannot make up for shortages of effective treatment, personal protective equipment, and rapid testing, among other challenges”.
While making the app source code publicly available might allay some concerns, the government’s inconsistency on COVID-19 and its bad record of privacy and civil-rights stomping legislation in the tech area do not instill trust. Neither does its dodgy record for digitising manual processes.
While the government is pushing ahead using the carrot and stick approach — take up the app voluntarily so we don’t have to force it on you — its assurances that people’s data and privacy will be protected ring hollow.
It is another reason why a bill of rights is needed to protect us from government electronic surveillance and snooping.