While the government's COVIDSafe Bill has made significant improvements in the last two weeks, substantial concerns remain, according to UNSW experts.

The Australian government yesterday introduced the COVIDSafe Bill in federal Parliament, with the aim of improving privacy and other protections surrounding the recently released COVIDSafe contact tracing app. While the COVIDSafe app has yet to be used for contact tracing by health officials, it has been collecting contact data.

The government’s Bill has made significant improvements to privacy protections for the COVIDSafe app since it was released a little over two weeks ago. However, there are substantial remaining concerns including:

  • open-ended collection and retention of personal data;
  • loopholes in the prohibitions against coercion;
  • ongoing technical issues which jeopardise security; and
  • the need for independent reporting on the effectiveness of the app.

In this article, we outline these issues and explain the sensitivity of the data collected by COVIDSafe. While there are currently increasing calls for an alternative, more decentralised form of contact tracing app – and potentially the ‘Gapple’ (Google+Apple) model – amendments can and should be made now to fix flaws in the current COVIDSafe solution.

COVIDSafe collects and decrypts more data than necessary

The COVIDSafe app was originally advertised by the government as an app that only collects (and potentially uploads) data about your contact with other users up to 1.5 metres away for at least 15 minutes. However, the app in fact collects, and can upload, data about your contact with any other COVIDSafe app users within Bluetooth range (which could be 20 metres away) even for a minute.

The COVIDSafe Bill does not place limits on how much of this data can be collected or decrypted at the central data store, if you test positive and consent to upload your contacts. The Bill only refers to recording other users in your “proximity”, and “proximity” is not defined.

The Department of Health has separately indicated that it at least intends to place limits on how much of this data State or Territory health officials can use in their contact tracing. But not even this limitation is included in the Bill itself or explained in its Explanatory Memorandum.

The government should investigate technical methods of limiting the amount of data that is collected, decrypted and disclosed to that which is necessary for contact tracing, and these restrictions should be incorporated in the COVIDSafe Act itself. The government should also correct the original misstatements about the operation of the app.

Contact logs could be kept for months or years

The government has emphasised that the COVID app data should only be used for contact tracing purposes. Nonetheless, the Bill allows the government to retain the contact logs of all users who have tested positive and consented to upload their contacts to the central data store, until the Health Minister declares the ‘COVID app period’ is over.

This could mean the contact logs are kept for months or even years, depending on the life of the pandemic. This retention is clearly excessive having regard to the purpose of contact tracing. The longer data is retained, the longer it is exposed to the risks of repurposing or improper disclosure, including disclosure through employee error or hacking.

The Bill should provide that this data will be automatically deleted on a regular basis after a fixed period that allows for all proper uses, both by the national data store and by the state and territory health authorities. Regular purging of data will increase public trust.

To be clear, while users have a right to request deletion of some data under the Bill, this is only their registration data (name, mobile number, age range and postcode) and not the contact logs uploaded and used by state and territory health officials.

Closing loopholes in voluntariness

The Bill is based on use of the app being voluntary. It includes some very good protections preventing individuals being forced to download the app or have it in operation, including a very recent addition to ensure that people cannot be deprived of financial incentives or discounts for failing to download or use the app. However, too many loopholes remain.

The Act should also prohibit employers downloading the app onto ‘work-owned’ phones used by employees, given statements by some employers indicating their intent to do so. No one should be required to disclose or demonstrate whether they have the app installed. Discriminatory treatment of those who do not, such as isolated seating or additional ID requirements, should be prevented.

The Health Minister should not write his own report card

The app should only exist for so long as it contributes a necessary and proportionate improvement to contact tracing. Once it is not effective, it is just onerous surveillance, to be thanked and discarded. But the Bill does not provide any credible means for assessing that effectiveness.

Under the Bill, the Health Minister will be required to report on the effectiveness of the app at six-monthly intervals. He should not be left to write his own report card. The legislation should provide that independent researchers will be provided with access to the data necessary for them to investigate and report on the effectiveness of the COVIDSafe app in improving contact tracing.

We also recommend the entirely feasible protection of ongoing privacy oversight and reporting by a National Privacy Advisory Council, composed of the federal, state and territory privacy commissioners, not only a six-monthly report by the federal Commissioner.

Why COVID app data is sensitive

Although politicians have expressed the view that COVID app data is “relatively innocuous”, this data is in fact potentially highly sensitive. COVID app data can reveal:

  • the fact that a user has tested positive to a highly dangerous disease and one for which the long-term effects of infection are not yet understood; and
  • a log of every other COVIDSafe app user who has come near the user in the past 21 days, as well as the user’s proximity to any other user in the 21 days before they test positive.

Given that this data is only being used for the health purpose of tracing a potentially life-threatening disease, ‘COVID app data’ should be expressly included in the definition of ‘sensitive data’ in the Privacy Act. At this stage, it is not clearly included in the definition of ‘health data’ but obviously should be.

Technical flaws, source code and “stalkerware”

Experts in cryptography have requested access to the source code of the National COVIDSafe data store to enable them to assess the type (and security) of encryption used by the COVIDSafe app. In contrast to the early release of such server code in Singapore, the Australian government has not yet released the server code. It should do so unless it can provide a convincing explanation as to why this could not be released, not just a one-word excuse (‘security’).

Developers have also raised technical issues with the COVIDSafe app, claiming it exposes users to risks that third parties will use the app to track their movements through signals containing a user’s temporary identifier. The government should respond to developers’ proposals on how to fix these flaws.

Recognising the vulnerability of others in our community

It is encouraging to know that many Australians making a decision about the COVIDSafe app have been motivated by a desire to cooperate for the wellbeing of our community. We should remember, though, that our community also includes victims of domestic violence and stalking; journalists meeting with sources; those who fall out of favour with governments at home or abroad; and those who have justifiable mistrust of the government’s abuse of technology against its citizens. To maximise trust in this app, amendments to the Bill are necessary to protect privacy as best we can while protecting our health against the pandemic.

Graham Greenleaf is a Professor of Law & Information Systems at UNSW Law. His research concerns the inter-relationships between information technology and law: legal information systems, cyberspace law, and the global development of data privacy laws and agreements.

Dr Katharine Kemp is a senior lecturer in UNSW Law and Academic Lead on the UNSW Grand Challenge on Trust. Her research focuses on competition law (particularly misuse of market power), consumer protection and data privacy in financial services regulation. 
