News

The government’s proposed Covid-19 contact tracing app is being sold on its ability to save lives. But experts fear privacy shortcomings and a lack of detail about its development will see it rejected by an already sceptical public. By Royce Kurmelovs.

Privacy concerns over tracing app

Last Friday, Prime Minister Scott Morrison called in to Triple M Hobart for what should have been a standard interview, but instead kicked off a public furore over the rollout of the government’s new Covid-19 contact tracing app.

Asked whether he would make the app mandatory, if it failed to get the 40 per cent take-up rate needed to make the program a success, Morrison attempted to preserve his options and didn’t explicitly rule the possibility out.

“My preference is not to do that [make it mandatory]. My preference is to give Australians a go at getting it right,” he said. “I’d be calling on Australians, frankly, to do it as a matter of national service, in the same way people used to buy war bonds … to come together to support the effort.”

And with that, the app became an instant flashpoint.

The reaction was so strong, Morrison was forced to make a statement on Twitter days later to emphasise the app “will not be mandatory”.

Since then, figures as diverse as Barnaby Joyce and the Law Council of Australia have raised concerns over the app, while the government has sent in Minister for Government Services Stuart Robert to sell the initiative to the media.

Along the way, Robert has promised the source code of the app will be made available to all upon its release, while Attorney-General Christian Porter has said regulations will be introduced to ensure organisations such as the Australian Federal Police (AFP) will not have access to the information it collects.

To help address concerns, the Cyber Security Cooperative Research Centre (CSCRC), established in 2018 with $140 million of state, federal and industry funding, approached the government to test the app.

The organisation’s chief executive, Rachael Falk, has told the ABC she is so far supportive and she will be downloading it – although the CSCRC’s links to the intelligence community may do little to alleviate concerns for some.

David Irvine, former head of both the Australian Security Intelligence Organisation and the Australian Secret Intelligence Service, currently serves as chair of the CSCRC’s board, which also includes Rachel Noble, the current head of the Australian Signals Directorate.

If trust is about perception as much as action, details such as these threaten to undermine public trust at a moment when there is a vacuum of solid information.

So far, the government has not released details about who is developing the app, what additional features it may contain, how quick the turnaround will be and what legislation will be introduced to support its rollout.

When contacted by The Saturday Paper, the Digital Transformation Agency – which is overseen by Minister Robert – declined to comment except to say the app is “in development” and that “further details will be available shortly”.

What is known is that the Australian app will borrow from a similar app used in Singapore called TraceTogether, which works by sending out a stream of random, encrypted Bluetooth messages and recording similar messages it receives in return.

When two people have been within 20 metres of one another for a period of 15 minutes, the app records the encrypted ID of the other person on a phone.

In Singapore, this information is stored for two weeks. Should someone be diagnosed with Covid-19 in that time, the list of encrypted IDs will be uploaded to a central server with a key, where the details are then decrypted for people to be contacted.

It’s this “centralised” model that has some cryptographers worried, including Dr Vanessa Teague, an adjunct associate professor at the Australian National University and chief executive of Thinking Cybersecurity.

“There are privacy implications from just turning on Bluetooth, which allows you to be tracked,” Teague says. “It’s hard to say anything about Australia’s app because we haven’t been given any information, but the primary risk of the TraceTogether architecture is that whoever runs the ID server knows which IDs are whose.

“This means, obviously, that when you test positive and upload your nearby contacts, whoever runs the server learns them. Less obviously, it also means that whoever runs that server can recognise your IDs in other contexts. For example, if they also set up Bluetooth scanners in a shopping centre.”

Teague is one of 300 cryptographers from around the world who have signed a letter arguing against the Singaporean “centralised” model and in favour of an alternative “decentralised” model.

Those alternative designs do not rely on a health worker to access the phone, but instead allow a person to upload their information to an anonymous public noticeboard, which others may search to see if they have been in contact.

“There are a variety of different designs,” Teague says, “However, so far in Australia, the conversation has been more or less ‘take it or leave it’.”

 

Contact tracing is not new or controversial in itself. The act of forensically working through a person’s recent movements to identify others who may have been exposed to a virus played a critical role in controlling the spread of HIV/AIDS.

Elsewhere, it helped control epidemics including the Ebola outbreak in 2018 and the various SARS viruses – and this, says Professor David Watts of La Trobe University and former Victorian privacy commissioner, is a good thing.

Rights to privacy, Watts cautions, are not absolute – especially during an emergency – and finding a way to speed the process of contact tracing will save lives.

His concern is that any privacy failures made in the rush to roll out an app will further erode public trust, at a time when trust is vital to managing this pandemic and its aftershocks.

“You need to look at it from end to end. So, when from where the information first goes into the app and when it comes out the other end and goes to state and territories,” Watts says. “Unless you do a privacy assessment that goes to all states and territories – and I don’t think the Commonwealth has done that – you can’t do a privacy assessment.

“If people don’t trust government – and they don’t have much basis to trust government – [the app] won’t be effective and we won’t be able to use it. People will die. Not getting privacy right will kill people.”

The current government’s chequered résumé when it comes to carefully managing personal data will make its attempts to get broad uptake of this app more difficult, as will its history of pursuing ways to enable the massive collection of information about Australians.

“The government suffers from a trust deficit,” says Professor Lesley Seebeck, chief executive of ANU’s Cyber Institute. “You cannot order or legislate trust. The government doesn’t trust its citizens, so why are citizens expected to automatically trust the government?”

As an example, Seebeck points to the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, which was rushed through parliament at the end of 2018.

The act gives law enforcement agencies the right to “covertly” compel Australian tech companies to provide access to encrypted communications while making it illegal for journalists to report on use of the power.

It is joined by the government’s controversial metadata retention scheme set up in 2015, which has since suffered from “mission creep”.

“Two years on, [that system] was being used by local councils to chase down parking fines,” says Alice Drury, a senior lawyer at the Human Rights Law Centre.

Drury says it’s “not enough” for the government to promise it won’t misuse information and that independent legal oversight is needed – a call echoed by Centre Alliance senator Rex Patrick.

“One of the ways the government may put people’s minds at ease is to legislate around that application to restrict use of that information to Covid-19 purposes,” Patrick said.

Patrick said any law must ensure people’s rights were protected and that the app would be dismantled when the pandemic was over. If not done carefully, however, agencies including the AFP could still end up with the information.

Due to the patchwork of laws that exists at state and federal level, what happens to information collected by the contact tracing app once it leaves the jurisdiction of the federal government means it can end up in many different places.

Some states are better than others at handling the management, access and disposal of information. Western Australia has no legislation regulating how government departments handle information, while South Australia relies on a cabinet directive to its departments that has no independent oversight and no consequences for breaching it.

“At the end point where the information leaves Commonwealth control and enters the states and territories, it is subject to state and territory law and can in some circumstances be obtained by police,” La Trobe University’s David Watts says. “Under information-sharing arrangements nationally, that information can then be shared back to the Commonwealth and then state and territory police indirectly.”

For all the promises the government has made in recent days, questions remain on whether they are capable of keeping them.

This article was first published in the print edition of The Saturday Paper on Apr 25, 2020 as "A trace of danger".

A free press is one you pay for. In the short term, the economic fallout from coronavirus has taken about a third of our revenue. We will survive this crisis, but we need the support of readers. Now is the time to subscribe.

Royce Kurmelovs is an Adelaide-based freelance journalist and author.