By Malcolm Crompton and Chong Shao
The Australian Government’s COVIDSafe app has been met by both widespread scrutiny and widespread adoption. Is the app safe? Is the public’s response revealing the true Australian character? Are the privacy fears overblown? The picture is fascinating when you step back and look at what this app says about privacy in Australia both now and going forward.
Making the grade
Let’s address the most important thing upfront: the app appears to be mostly sound from a privacy and security perspective. Contrary to the FUD (fear, uncertainty and doubt) swirling around – no, the app does not collect any location information; no, it does not “track and monitor” you at all times (contrary to existing apps in other countries). Here is a good explainer on how the app actually works.
The Australian Government commissioned a Privacy Impact Assessment from a law firm which it has published. From our perspective, the key privacy protections are:
The layers of opt-in consent and control built into the app, from registration to uploading information to the National COVIDSafe Data Store
Access to the information in the Data Store will be strictly limited to health officials in the States and Territories, and the purpose will be strictly limited to COVID-19 contact tracing and notification – these restrictions will be backed by federal legislation
All data held in the Data Store will be deleted at the end of the pandemic – this is very important because retaining information is an inherent feature of the centralised model (as opposed to the decentralised model proposed by the Apple-Google partnership), and retained information could be misused or compromised.
There are some remaining issues where more clarification would be welcome:
What will be the arrangements that govern how State and Territory officers use the gathered information? What will be the mechanisms for oversight, enforcement and responding to failure in those jurisdictions?
The government has stated that it will introduce regulations to prevent police and other government agencies from accessing the information collected by the app. This is a good move to increase trustworthiness, but will it extend to national security agencies (as it should)? Will it extend to State and Territory police forces?
Why the delay in the promised release of the source code, and will the source code of the inevitable updates also be released? Has the app been sufficiently security tested?
Can we be sure about the assurances that Amazon Web Services will abide by Australian law rather than US laws should the US demand (secret) access to the data?
Why hasn’t there been wider consultation with interested parties beyond the chosen federal agencies? Will there be such consultations from now on?
The big missing piece
While the app’s privacy protections are commendable, as always, the proof of the pudding is in the eating. A recent post by the UK Information Commissioner, summarising the discussions of more than 250 participants from the privacy domain on the use of technology to combat the pandemic, highlighted the importance of governance and accountability processes.
This is where we think the government’s current implementation is lacking. For example: how will we know that only the right people are accessing the information and using it for the right reasons? How will we know that the information will be deleted once the pandemic is over? How secure is the system – in the exchange of Bluetooth signals, the information in transit to and from the Data Store, and information at rest in the Data Store?
The PIA recommends additional independent assurance and testing by security experts, with the results made publicly available. This should extend to all aspects of data handling by participants in the ecosystem, including Commonwealth, State and Territory agencies as well as private sector participants such as Amazon.
To maximise privacy and trust, the government should not only make the right promises, but also (i) explain how it will keep them and (ii) demonstrate, via expert and independent validation, that they are indeed being kept.
The creation and the creator
We have observed an interesting dichotomy in the responses to the COVIDSafe app. There is widespread recognition, even from usually sceptical voices, that the app is not especially problematic from a privacy perspective. At the same time, there is a general sense of concern about a new method of data collection by the Australian Government. The problem is not with the creation, but with the creator.
It would be an understatement to say that the government has a chequered past with respect to privacy and data handling (see here for a recent history lesson). This has resulted in a trust deficit where anything it proposes is subject to negative publicity. So far, adoption rates indicate that many Australians are willing to try the app notwithstanding the government’s track record.
Is this because of the objectively strong privacy measures implemented and promoted by the government? And/or is this because of the extraordinary circumstances we are in, with Australians doing their part to help combat the pandemic and hasten the reopening of our society? It may be too soon to tell, although it is fair to hypothesise that both are playing a role.
Our hope is that this augurs well for future government initiatives, that the Australian Government will take lessons from the positive response to the app – achieved through a combination of taking privacy seriously (including legislatively) and appealing to public solidarity. This represents a break from its past behaviour and could serve as the new and better precedent going forward.