Australia's COVIDSafe App needs more legal protections and transparency to gain trust
According to the Privacy Impact Assessment, the COVIDSafe App records all “digital handshakes” between users’ phones when they are in Bluetooth signal range for as little as one minute.
The COVIDSafe App launched by the federal government to assist in contact tracing during the pandemic has been downloaded by over 3 million Australians since it was released on a Sunday less than a week ago.
However, this is less than a third of the users experts claim would be necessary for digital contact tracing to be effective. To win the trust of those who are undecided, the scheme will need to be amended.
The app was released alongside a Determination by the federal Health Minister under the Biosecurity Act, intended to put in place privacy protections necessary to secure public confidence and downloads.
While the Determination contains a number of worthwhile protections, the launch creates three reasons this public confidence is not yet warranted: misleading initial statements by the government about the operation of the app; insufficient transparency; and flaws in the protections in the Determination.
These may be remediable. This article summarises the steps Australian governments need to take if public trust is to be justified.
Misleading initial statements should be corrected, and data minimised
A very significant issue, which has the capacity to undermine trust, is the government’s misstatements in the media about the data collected and disclosed by the app, and the excessive collection of data by the app in practice.
The Government Services Minister, Stuart Robert, has repeatedly stated in the media – and the media has widely reported – that COVIDSafe only records contacts with other app users when their phones are within 1.5 metres of the user’s phone for at least 15 minutes. The Minister and others have also said that, when a user tests positive and gives their consent, the app only sends a log of their contacts with other app users who were within 1.5 metres of the user for at least 15 minutes.
Neither of these statements is correct. The government should alert the public to these misstatements and correct the misunderstanding.
According to the Privacy Impact Assessment, the COVIDSafe App actually records all “digital handshakes” between users’ phones when they are in Bluetooth signal range (not just within 1.5 metres), and even for one minute, not 15. If a user tests positive and gives their consent, all of those contacts over the previous 21 days are uploaded to the National COVID Data Store and all are decrypted, regardless of duration or distance.
This means that vastly more potentially revealing data concerning a person’s interactions and associations may be collected than the popular understanding. It also far exceeds the data which could be relevant for contact tracing.
At this stage, the 1.5 metre / 15-minute parameters only come into play as a limit on the contact data state and territory health officials are permitted to access. But prohibitions on health officials looking at decrypted data which they had no need to receive in the first place are not good enough protection.
The collection of data by the app should instead be minimised, in line with the recommendations made in the Privacy Impact Assessment conducted by Maddocks law firm.
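The difference between filtering contact data at the point of access and minimising it at the point of collection is easier to see in code. The following model is an added example written for this page; it is not COVIDSafe's code and assumes nothing about the app beyond the figures the article quotes (handshakes recorded after one minute in Bluetooth range, a 21-day upload window, and a 1.5 metre / 15 minute relevance test applied only when officials access the data). The `Handshake` records, the `distance_m` field and the per-handshake treatment of contact are constructed assumptions for illustration.

```python
"""Constructed model of two contact-log designs: the relevance test applied
only when officials access the central store (as the article describes) versus
the same test applied on the phone before upload (data minimisation).
Not COVIDSafe's code; only the thresholds come from the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Parameters quoted in the article.
RECORD_THRESHOLD = timedelta(minutes=1)      # a handshake this long is recorded on the phone
RELEVANT_DISTANCE_M = 1.5                    # tracing-relevant proximity
RELEVANT_DURATION = timedelta(minutes=15)    # tracing-relevant duration
RETENTION = timedelta(days=21)               # window uploaded after a positive test


@dataclass(frozen=True)
class Handshake:
    peer_id: str        # constructed identifier for the other device
    start: datetime
    end: datetime
    distance_m: float   # assumed: an estimated distance; how it is estimated is out of scope here

    @property
    def duration(self) -> timedelta:
        return self.end - self.start

    def is_tracing_relevant(self) -> bool:
        """The 1.5 m / 15 minute test the article says only applies at access time."""
        return self.distance_m <= RELEVANT_DISTANCE_M and self.duration >= RELEVANT_DURATION


def record_on_phone(observed: List[Handshake]) -> List[Handshake]:
    """Collection as the article describes it: anything in Bluetooth range for a minute or more."""
    return [h for h in observed if h.duration >= RECORD_THRESHOLD]


def in_retention_window(h: Handshake, now: datetime) -> bool:
    return now - h.start <= RETENTION


def upload_as_described(log: List[Handshake], now: datetime) -> List[Handshake]:
    """Design the article criticises: every retained handshake goes to the central store."""
    return [h for h in log if in_retention_window(h, now)]


def official_view(uploaded: List[Handshake]) -> List[Handshake]:
    """The only stage at which the article says the 1.5 m / 15 minute limit currently applies."""
    return [h for h in uploaded if h.is_tracing_relevant()]


def upload_minimised(log: List[Handshake], now: datetime) -> List[Handshake]:
    """Data-minimised alternative: apply the relevance test on the phone, before upload."""
    return [h for h in log if in_retention_window(h, now) and h.is_tracing_relevant()]


def compare_designs(observed: List[Handshake], now: datetime) -> Tuple[int, int, int, int]:
    """Return (recorded on phone, uploaded as described, seen by officials, uploaded minimised)."""
    log = record_on_phone(observed)
    described = upload_as_described(log, now)
    return (len(log), len(described), len(official_view(described)), len(upload_minimised(log, now)))


def sample_handshakes(now: datetime) -> List[Handshake]:
    """Constructed sample log; each entry exercises one branch of the rules above."""
    def hs(peer: str, days_ago: float, minutes: float, distance: float) -> Handshake:
        start = now - timedelta(days=days_ago)
        return Handshake(peer, start, start + timedelta(minutes=minutes), distance)

    return [
        hs("peer-A", 2, 20, 1.0),     # close and long: relevant
        hs("peer-B", 5, 3, 1.0),      # close but brief: recorded and uploaded, never relevant
        hs("peer-C", 1, 30, 8.0),     # long but across the room: recorded and uploaded, never relevant
        hs("peer-D", 25, 16, 1.2),    # relevant but older than 21 days: dropped at upload
        hs("peer-E", 3, 0.75, 0.5),   # 45 seconds: below the recording threshold
        hs("peer-F", 10, 15, 1.5),    # exactly on both thresholds: relevant
    ]


def demo_counts() -> Tuple[int, int, int, int]:
    now = datetime(2020, 4, 30, 12, 0)   # constructed reference time
    return compare_designs(sample_handshakes(now), now)


def minimised_peers() -> List[str]:
    now = datetime(2020, 4, 30, 12, 0)
    log = record_on_phone(sample_handshakes(now))
    return sorted(h.peer_id for h in upload_minimised(log, now))


if __name__ == "__main__":
    print(demo_counts())
    print(minimised_peers())
```

On the constructed sample, five handshakes are recorded on the phone, four are uploaded under the design the article describes, and officials are permitted to see two; the minimised design uploads only those same two. The central store, and anyone who can reach it, never holds the other records at all, which is the point of applying the limit at collection rather than at access.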
Transparency and expert opinion
The Minister has stated that he relied on the advice of three officials to be satisfied the Determination was necessary to prevent or control the spread of COVID-19 in Australia – the CEO of the Digital Transformation Agency, the Acting Secretary of the Health Department and the Commonwealth’s Chief Medical Officer – but has not revealed any of these advices.
These should be made public. This app should only be introduced if it is effective, necessary and proportionate, based on convincing expert advice related to Australia’s current situation. Ideally, there should be evidence – from health experts not politicians – that this app will be more effective than using the same resources to increase testing and (human) tracing. The public is entitled to see that evidence.
Contrary to the Prime Minister’s claims, using the app is not “like putting on sunscreen”. The government should avoid creating the impression that Australians are safe from the virus when they have the app in operation, and should publish independent studies as to its actual effectiveness.
The federal Privacy Commissioner should also be required by the Parliament to state and justify her opinion of whether the COVIDSafe app and its operation (including proposed legislation) is a necessary and proportionate response to the risks to privacy that it involves, and to make any recommendations she considers necessary.
Media reports cite ministers saying that the source code of the app – or at least those parts of it which do not pose ‘security issues’ – will be made available in the coming weeks. If this means only part of the source code for the app will be released at the government’s discretion, it is unlikely to increase trust, given the possibility that malignant code could be in the non-disclosed part.
The full source code for the app should be made public, at least a week prior to the COVIDSafe Act being enacted, so that experts can verify the privacy protections the government claims to have incorporated.
Flaws in the privacy protections
Although the Determination under the Biosecurity Act provides some protections against misuse, there are many aspects that parliamentary legislation must add or strengthen.
The protections in the Determination only apply to certain data and the definition of that data does not capture critical personal data created and used in the process of COVIDSafe contact tracing.
‘COVID app data’ is defined as data collected or generated through the operation of the app which has been stored on a mobile phone or device. This would capture the encrypted contacts stored on a user’s phone. However, if the user tests positive and uploads those encrypted contacts to the national data store, the decrypted records of their contacts over the last 21 days do not clearly fall within that definition. The decrypted records are not collected or generated through the operation of the app or stored on the mobile phone. Nor is data transformed from that data by state and territory health officers.
The legislation will need to redefine COVID app data to expressly include data transformed or derived from the data originally collected or generated through the operation of the app, including data transformed or derived by state or territory health authorities.
Other improvements required in the legislation include that:
- Individuals need the right to take civil action to enforce all of the requirements of the law, including the privacy protections and protections against coercion, by obtaining both injunctions and compensation. They should not be forced to rely on prosecutions initiated by government bodies. They should be able to take enforcement actions before the Courts, Privacy Commissioners, and other tribunals.
- The Determination contains some good protections against coercing individuals to use the COVIDSafe app, but these need to be made stronger by closing loopholes, and providing individual rights of enforcement. This is especially necessary given that various groups, including chambers of commerce, have already raised plans to make participation or entry conditional on app usage. The app is claimed to be voluntary, and this must be enforceable.
- Consent to upload data from a phone to the national data store should be required from ‘the person who normally uses the device’, not just from the person who is currently in possession or control of it, which could be the Police or a Health official.
- Complementary State and Territory laws, with individual rights of enforcement, are needed to avoid problems of any limitations on Commonwealth power. Merely to have some agreement between the Commonwealth and the States, with no individual enforcement, is insufficient.
- A COVIDSafe Privacy Advisory Committee should be created to exercise independent oversight and advise both the public and the National Cabinet.
- Conditions for termination of the operation of the app and deletion of all data collected as part of its use are not yet sufficiently precise. These conditions should include a determination ‘based on advice from the Australian Health Protection Principal Committee’ to ensure that objective advice of health experts, not political advice, determines when the pandemic has ended.
How do we choose in the meantime?
In some respects, we are ‘all in this together’, but in other respects each person’s individual circumstances are unique, due to a combination of factors such as age, work, underlying conditions, family composition and living arrangements, whether in self-isolation or back at work every day in essential services, and even ownership of the right type of phone.
Individuals will also make different assessments of the extent to which their actions may or may not contribute to the public good, and the need to protect themselves or those close to them.
Many in the media and government, as well as high-profile figures in business and tech, have openly exerted moral pressure in favour of using the app, even shaming those who don’t, characterising them as putting trivial privacy concerns ahead of the interests of the nation.
A more balanced approach is required, one that recognises there should be no requirement for Australians to give up more privacy than is necessary and proportionate, and that the need for privacy has even greater immediacy for some, including journalists; victims of stalking and domestic violence; and those out of favour with state powers at home or abroad.
Decisions about whether to install and run this app remain individual decisions, but are best made after obtaining as much information as can reasonably be obtained and put in the balance. This does not require a choice between health and privacy. With the right rules and design, the government can support both.
A full analysis of these issues is in Graham Greenleaf and Katharine Kemp ‘Australia’s ‘COVIDSafe App’: An experiment in surveillance, trust and law’ (Work-in-Progress Draft, April 30, 2020) (on SSRN).
Graham Greenleaf is a Professor of Law & Information Systems at UNSW Law. His research concerns the inter-relationships between information technology and law: legal information systems, cyberspace law, and the global development of data privacy laws and agreements.
Dr Katharine Kemp is a senior lecturer in UNSW Law and Academic Lead on the UNSW Grand Challenge on Trust. Her research focuses on competition law (particularly misuse of market power), consumer protection and data privacy in financial services regulation.