Privacy experts are concerned about the government’s coronavirus tracing app. Here’s why.

Coronavirus application Source: SBS

The Australian government is planning to release an optional COVID-19 tracking app in the near future. Privacy experts have raised a few key concerns.

The Australian government has announced that it will shortly release an app aimed at tracing the spread of coronavirus in Australia.

According to Minister for Government Services Stuart Robert, the app -- while voluntary -- is a crucial step towards rolling back Australia's coronavirus restrictions, and will help people "get back to the footy quicker".

However, tech and legal experts have raised a number of privacy concerns about the technology and the data it will collect. On Monday, more than 300 scientists and researchers across the globe released a joint statement urging governments considering such apps to rely only on systems that are subject to public scrutiny and that are privacy-preserving by design.

Experts told The Feed that the Australian government has not yet released enough information about its planned app to allay their concerns. Here's what we know so far -- and, more importantly, what we don't.

How does a coronavirus contact tracing app work?

The Australian government's app will be based on an app called TraceTogether, which is currently in use in Singapore. We don't yet know how different the Australian app will be, but interviews given by Minister Robert over the past week indicate that it will function similarly to the Singaporean version.

TraceTogether aims to keep a record of anyone its users have been in close physical contact with, so that if one of those users tests positive for COVID-19, it's easier to track down other people who may have been exposed to the virus.

The app does this using Bluetooth, the same wireless protocol you might use to connect your phone to a set of speakers or headphones. Basically, if you have TraceTogether installed on your phone, it will use Bluetooth to find and record a list of other phones around you that also have TraceTogether installed.

All of this data is encrypted and stored securely on your phone for 21 days. If you're diagnosed with COVID-19, the app will ask for your consent to upload those encrypted logs to a central server, which is able to decrypt the data and find the contact details of any other app users you've encountered in the past three weeks.

Health authorities can then contact those people to let them know they have potentially been exposed to coronavirus.

Will the app track my location?

The app will not track your location using GPS. The data it collects will show who you have recently been in close contact with, and how long you were in close contact with them, but it does not show where you came into contact.

The app will only record contact when users spend more than 15 minutes within 1.5 metres of one another.

Is it compulsory to use the app?

Scott Morrison has confirmed that it will not be compulsory to install the app.

However, the government is doing its best to encourage Australians to use it, because it's estimated that between 40 and 60 percent of the population needs to have the app installed for it to be effective.

Minister for Government Services Stuart Robert told the ABC on Monday that he was optimistic that Australians would "embrace" the app in "a Team Australia moment", but so far a number of Australians have raised privacy concerns, including several federal MPs who have refused to install the app.

Why are privacy experts concerned about the app?

A number of tech and legal experts have expressed privacy concerns about the proposed app. On Monday, Law Council of Australia President Pauline Wright said that the council "is concerned that a number of important policy details have not yet been provided, which will be material to the ability of Australians to give their informed consent to the collection and use of their personal information."

In short, there remain some big questions to be answered about how data collected by the app will be stored and used: what data will be stored, who will have access to it, where will it be stored, how long will it be stored for, and what will it be used for once the pandemic is over?

Professor Dali Kaafar is the Executive Director of the Optus Macquarie University Cyber Security Hub. In early April, he and a group of Australian researchers assessed some of the problems with TraceTogether, the Singaporean app the Australian app will be based on, and made a series of recommendations to help Australia avoid those problems.

The researchers found that while TraceTogether does a good job at keeping your data private from other users of the app, and from anyone trying to hack into your phone, it doesn't provide very good privacy from the central authority where your data is being sent -- in this case, the government.

Professor Kaafar told The Feed that the problem stems from the sheer amount of information available to the central authority receiving data from the app. Over time, that central authority will be able to build up a pretty detailed "social graph" for thousands of individuals: a picture of everyone they spend time with and how long they spend with them.

"The authority in charge of this app knows the social graph of perhaps thousands or hundreds of thousands of individuals," Professor Kaafar explained, pointing out that this information is not anonymous: the central authority has access to the phone numbers and identities of every person on that graph.

"The only information we don't necessarily have is the location. We might not know where they met, but we know that they did meet."

"So the general concern is that this technology could be used later on as a mass surveillance tool."
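The centralised design described above can be modelled in a few lines. This is an added illustration, not TraceTogether's or the Australian app's code. It assumes random server-issued tokens in place of the encrypted identifiers, and the identities and encounters are constructed sample data.

```python
# Toy model of a centralised tracing design; all identities are constructed.
import secrets
from collections import defaultdict

MIN_MINUTES = 15     # page: contact counts after more than 15 minutes
RETENTION_DAYS = 21  # page: logs stay on the phone for 21 days

class CentralServer:
    def __init__(self):
        self.registry = {}                     # opaque token -> real identity
        self.social_graph = defaultdict(dict)  # identity -> {contact: minutes}

    def register(self, identity):
        # Assumption: a random token stands in for the encrypted identifier
        # that, per the article, only the central server can decrypt.
        token = secrets.token_hex(8)
        self.registry[token] = identity
        return token

    def receive_upload(self, uploader_token, log):
        uploader = self.registry[uploader_token]  # only the server can do this
        for token, minutes in log.items():
            self.social_graph[uploader][self.registry[token]] = minutes
        return sorted(self.social_graph[uploader])  # people to notify

class Phone:
    def __init__(self, server, identity):
        self.server, self.token = server, server.register(identity)
        self.log = {}  # opaque token -> (minutes, day seen)

    def record(self, other, minutes, day):
        if minutes > MIN_MINUTES:
            self.log[other.token] = (minutes, day)

    def upload_with_consent(self, today):
        recent = {t: m for t, (m, d) in self.log.items()
                  if today - d <= RETENTION_DAYS}
        return self.server.receive_upload(self.token, recent)

def demo():
    server = CentralServer()
    alice, bob, carol, dan = (Phone(server, n) for n in ("alice", "bob", "carol", "dan"))
    alice.record(bob, 45, day=10)   # long enough and recent: kept
    alice.record(carol, 5, day=12)  # under 15 minutes: never logged
    alice.record(dan, 30, day=1)    # logged, but older than 21 days at upload
    local_view = sorted(alice.log)  # what sits on the phone: tokens only
    notified = alice.upload_with_consent(today=30)
    return local_view, notified, dict(server.social_graph)
```

The phone's own log holds only opaque tokens, while the server ends up with named edges in a graph that grows with every upload.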

This is why it's so important that the government provides clear answers for some of those other questions: the who, what, when, where and why.

For instance, Australians need to know where this information about them is being stored, and who has access to it. Having all this data, Professor Kaafar says, "creates a huge responsibility of maintaining the security of this data, and the safety of all of this data. If someone hacks into the server that has this information, that's a huge amount of information that's being lost."

Even if the server is never hacked, it's still important to know who exactly is going to have legitimate access to this data.

Minister Robert has said that "no Commonwealth agency will see it, no law enforcement will see it... it can only be used by a state health official", but it remains unclear who these "state health officials" are, and how broad their access will be.

Experts would also like to receive firm assurances about exactly when this data will be deleted.

"What will happen post-COVID-19?" Professor Kaafar asked. "Can we guarantee that if someone doesn't uninstall this app after the pandemic, that the government won't keep using this data for different purposes?" This is a problem known as "mission creep" -- the idea that a technology originally developed for a specific purpose, like halting a pandemic, might end up being used for all kinds of other things it was never intended for.

Finally, Professor Kaafar wants to see users given an opportunity to actively consent to the use of their data. That means being fully informed about what data they're sending, who's receiving it, and what it's being used for -- before they sign up.

What is the Australian government doing to address these privacy concerns?

The Australian government has taken a few positive steps towards addressing these privacy concerns.

For one, it has announced that the Privacy Commissioner is involved in conducting a privacy impact assessment on the app, which will be available to the public later this week.

Minister Robert has also promised that the source code of the app will be made public, "so every university, every tech company, any conspiracist can pull apart the code and see that we're only collecting exactly what we say we're collecting". However, on Wednesday Minister for Health Greg Hunt clarified that not all the source code will be made available, sparking concerns from experts.

Minister Robert has also said that data collected by the app will be deleted on a rolling 21-day basis, and suggested that the central database of information will be deleted once the pandemic is over.

However, so far the government has not provided the clear guarantees and information experts are calling for, like a firm guarantee about exactly when the app and its data will be deleted, and exactly what it will be used for. The government did not respond to detailed questions from The Feed about these points, instead referring us to Minister Robert's recent media interviews.

"In this case, while there is now a promise not to make the app compulsory, the basis of this promise is unclear, as is the nature of the app, where data is stored, when identification may be possible, and how it might interfere with the operation of the device," said David Vaile, who works in data protection and surveillance at the Allens Hub for Technology, Law and Innovation at UNSW.

That's particularly concerning, Vaile said, given the government's past failures on issues involving technology and privacy, such as the My Health Record debacle which saw Australians added to the system without their knowledge on an opt-out basis, while the government failed to properly manage privacy and cybersecurity risks.

"Trust is only warranted if the other party is trustworthy," Vaile concluded. So far, the Australian government's track record is not fantastic.

Is there a better way?

Crucially, while the government may make it sound like installing this app is a necessary sacrifice "Team Australia" must make to fight COVID-19, there may be a better way.

Right now, many experts' concerns about coronavirus tracing apps stem from the fact that a central authority will receive a huge amount of information it's not necessarily well-equipped to protect.

But, as 300+ experts pointed out in a Joint Statement on Contact Tracing released on Monday, it's possible to create a coronavirus tracing app that does not rely on a central authority.

Right now, Google and Apple are developing technology that aims to do exactly that. Several countries are pursuing similar strategies, but Australia chose to adopt Singapore's TraceTogether design instead.

In the Joint Statement on Contact Tracing, experts called for governments to "rely only on systems that are subject to public scrutiny and that are privacy preserving by design". Where multiple technology options are available, the experts urged governments to commit to choosing the "most privacy-preserving option", unless there is a good, clearly documented reason to do otherwise.

So far, the Australian government hasn't offered a clear answer as to why it chose TraceTogether, rather than one of the other available options, as the basis for its app. It also hasn't provided a good answer as to why it believes an app will be effective at all.

Ultimately, until clear and detailed information is available, experts warn that it's going to be difficult to persuade the public to trust coronavirus tracing apps. And if not enough people trust the apps enough to use them, they simply won't work.


 
