• The COVID-19 tracing app uses the Bluetooth on your phone to track people you've been in contact with. (Flicker)Source: Flicker
The proposed COVID-19 tracing app raises several privacy concerns and has drawn criticism even from Coalition MPs. So what is the risk to privacy? What happens to the data? And is the app mandatory? Rae Johnston has sought out the answers to your questions.
Rae Johnston

25 Apr 2020 - 12:17 PM  UPDATED 25 Apr 2020 - 12:17 PM

This week Prime Minister Scott Morrison announced that an app to trace cases of COVID-19 is in the final stages of development.

The PM has previously described the app as "a public health tool" that will assist state and federal health agencies to trace the points of social contact of persons who has contracted the coronavirus. This data mapping then enables health authorities to contact anybody who may have been put at risk, said the PM.

"Every Australian will be safer if those health officers are able to contact you more quickly if you have been exposed to the coronavirus," said the PM.

"Importantly, that means you will be less at risk of infecting others if they can get to you fast." 

However, Nationals MP Barnaby Joyce and Deputy Speaker Llew O'Brien have both spoken out against the app, saying they won't be downloading it. 

So what is it all about, and what is the concern?

What is the app supposed to do? 

"Contact tracing" involves listing everyone you've physically come in contact with prior to testing positive to an infectious disease. It's a way health services can contact people who may also be infected, allowing them to be isolated to help stop the spread further.

Health services have been doing this manually, but that method is slow, and potentially inaccurate.

Using Bluetooth technology, the proposed app aims to automate most of the contact tracing process, which in theory will make it faster and more precise.

"Right now, if you test positive to coronavirus, health officials will sit down with you and ask you to trace back where you were and who you've been with," said Minister for Government Services Stuart Robert.

"COVID trace, as an app, digitises that and allows the tracing aspect to be sped up."

How does the app actually work?

Australia's app is based on the existing TraceTogether app, currently used by Singapore. 

If you and another person have the tracing app downloaded, come within one and a half meters of each other for 15 minutes or more, and have Bluetooth switched on, your phones will send each other information to be recorded for tracing purposes. The information will be stored for 21 days. 

Government Services minister Stuart Roberts said in a press conference on April 18 that the app will collect your name and your phone number. This information will be encrypted so that it can only be read by the people who need to access it.

When information, or data, is encrypted it is "locked up", and only someone with the key can unlock it. In the case of this app, the government would have the key. 

If you test positive to COVID-19, your phone will be checked (via the app) for the identifiers of people you've come in contact with - your "physical social network". The identifiers will then be contacted, via the app, to let them know they also will need to be tested.

It is important to note that this app does not "track" your location, in the traditional sense. It doesn't use GPS to see where you are. When the app is installed, it will ask for permission to access the services it needs to operate. If this app operates as advertised, it should not ask for access to your location services.

What happens to my data?

Scott Morrison said the data collected will go to a "National Data Store", that is encrypted. 

On April 24, the ABC revealed Amazon will be responsible for storing the data, which raises a number of additional concerns.

The Seattle-based tech giant won the contract after responding to an invitation-only tender organised by the Department of Home Affairs.

Legally, the US law enforcement can access data stored anywhere in the world by a US-owned company. 

According to Australian federal privacy law, the data would need to be physically stored in Australia, and this was confirmed by the Prime Minister at a press conference on Friday. The PM also confirmed that the government has worked with Amazon previously “on many, many sensitive issues”.

The Minister for Government Services Stuart Robert said on April 17 that when the pandemic is over: "I, the minister, will blow away the national data store and therefore no data will be kept." 

However, there is no current legislation to ensure this occurs. 

Will it be a privacy risk?

Professor Katina Michael, from the Faculty of Engineering and Information Sciences at the University of Wollongong, said: "Definitely, after a confirmed case has been determined, someone's privacy is 'in practice' encroached; as well as their corresponding physical social network, whether family, friends, colleagues, or strangers."

"But it has to be noted that this is done willingly, with the participants' consent. A user is entrusting the health organisation, or government agency, with their privacy, allowing access to their handset data but that is deemed proportional given the pandemic crisis."

Prof Michael said we need to make sure that privacy, security, trust and safety are a part of the design process of the app.

The PM said there will be a privacy statement accompanying the app, which is being developed with the privacy commissioner.

We haven't seen the details of this statement yet. 

What we do know is that this app will have a record of everyone you've been in contact with for the last 21 days, but again the PM assures that the data collected by the app will be encrypted and only accessible to authorities of the states and territories. 

"The Commonwealth can't access the data. No government agency at the Commonwealth level, not the Tax Office, not government services, not Centrelink, not Home Affairs, not the Department of Education - the Commonwealth will have no access to that data."

"It will be locked in a data store, an encrypted data store, that can only be accessed by the state health 'detectives' if you like." 

Laws passed 18 months ago under the Crimes Act allow law enforcement agencies the powers to gain access to a suspect's phone and metadata through a search warrant.

Currently, these laws also apply to information collected by the proposed COVID-19 tracing app. 

According to government sources who spoke to the SMH, new legislation is set to be introduced to parliament in May that will address these concerns, but the details are still sketchy. 

Will the app be mandatory? 

In other countries, like China for example, tracing apps are now mandatory - they are checked by the authorities and required if you want to move around freely.

Initially, Mr Morrison said participation in the app would be completely voluntary. And that is clearly the plan - to begin with.

But there have been statements made that indicate it may end up being mandatory. 

When asked on April 17 if he would consider making the app mandatory, the PM responded: "My preference is not to do that. My preference is to give Australians a go to get it right."

The Deputy Chief Health Officer Paul Kelly backed the PM, saying he believed that "a voluntary approach, at first, is definitely the way to go."

On April 18, Mr Morrison announced the app will not be mandatory.

But it is important to remember that all of the COVID-19 restrictions currently in place are governed by the state - not federal - governments. So, similarly to the issues around accessing the data, it will be up to the states and territories as to how the app is used and what rules and requirements are in place.

Even if the federal government says the app is not mandatory, the states actually hold the power and could make it mandatory.

This raises even more questions: What about those people who don't have smartphones? Or the ability to download the app due to an older operating system on their phone?

To date, the states have been quiet about the app. 

How many people need to download the app for restrictions to be lifted?

Scott Morrison has said that if a percentage of people download the tracing app, we can lift restrictions sooner. 

"We'll be asking people to download an app that helps us trace this virus quickly," he said last week.

"The more people who do that, the more we can get back to a more liveable set of arrangements." 

At a press conference on Friday, the PM emphasised the need for the app, "so we can have the protections in place for you, your family."

"So you can get back to work, so you can get your kids back to school, so you can get back into community sport - that is what this app helps you do," he said.

According to the federal government, the download benchmark for the app to work is 40 per cent, but Prof Michael is wary of that claim.

"I don't think a participation rate in the app, whether 40 per cent, 60 per cent or 80 per cent, can aid in lifting restrictions," said the University of Wollongong's Prof Michael, "but it is certainly true that the greater the uptake, the more effective the app will be in meeting its primary objective.

"At best, the app is 'after the fact'. It will help in reducing transmissions possibly, but certainly not in eradicating COVID. 

"It will also allow for early intervention of suspected carriers of COVID, and preparing the medical supply chain and health infrastructure necessary in a given location to better respond to local outbreaks," she said.

That's if it works, and Prof Michael said there's no evidence it will: "It does make sense in principle but where are the successful use cases?"

"If we relax social distancing measures too quickly, with or without the app, we will most likely find ourselves going through a second smaller peak of infection. And we are trying to avoid that," she said.

What about Apple and Google's app? What's that all about?

Tech giants Apple and Google are working together on their own platform that can work with government apps, but keeps all the information needed for contact tracing stored on the phone rather than in a data centre.

These companies are already collecting this information - you'd just need to switch it on. And they would have the power to remove government access to the data at any point. 

When asked if he would consider using this system, Mr Morrison said: "The Google and the Apple proposal does exactly the same thing. It's just that it's not a consent-based model."

So, should you install the tracing app?

This is a personal decision. Do you trust the state and territory governments with the information you are providing them? Have they or the federal government answered enough of your questions about this app that you are comfortable sharing your data? 

Minister Robert said: "Right now a Privacy Impact Assessment is being conducted, the Privacy Commissioner is involved, and all of that will be made public. The source code will be made public." That was on April 17. 

Releasing the app's code to the public for an independent audit would help ensure it is only capable of doing what they say it is doing, and allow experts to point out any potential flaws. 

Until this - and all the needed legislation to ensure there won't be any misuse of this data- is in place - I'm going to hold off. 

Coronavirus explained: Did Covid-19 come from a lab in Wuhan?
The Trump administration is launching an investigation into the origin of SARS-CoV-2, so we asked the experts: was the coronavirus that caused COVID-19 made in a lab?