The federal government is asking Australians to download a coronavirus contact tracing app to help stop the spread of COVID-19, but questions over privacy and security remain.
Prime Minister Scott Morrison has said the app will not be mandatory, but politicians and civil liberties experts have raised concerns about the government collecting personal data and information.
The app is set to debut in the next few weeks, and is designed to help authorities identify people potentially infected with COVID-19.
It works by using Bluetooth technology to home in on people that have been within 1.5 metres of someone with COVID-19 for more than 15 minutes.
“When this occurs, each device will swap an encrypted package (if they both have the app installed) containing the mobile number, name, age range and postcode of the person,” the ABC’s Paul Farrell explained
“The app must be open on a person’s phone to collect data, although it can run in the background when other apps are open.
“Importantly, the app will not collect information from other users’ phones that do not have the app installed.”
The government has emphasised that the app will track contact with other people, and not users’ locations.
It is based on Singapore’s TraceTogether app, which has been downloaded by an estimated 17 per cent of Singapore’s population since it launched last month.
However, the effectiveness of coronavirus contact tracing apps is still being tested, and low participation rates reduce their efficacy.
A University of Oxford study released last week found that 80 per cent of smartphone users in the UK (56 per cent of the population) would need to sign up to a contact tracing app for it to be effective.
The problem with surveillance technology
The government’s tracing app should not be turned into a debate around privacy versus public health, Flinders University criminology and human rights law expert Marinella Marmo told The New Daily.
“Unfortunately, this app comes across as if we are told to either care for our privacy or to care for the health of the people around us,” Dr Marmo said.
“But the two can be combined – if the regulation around privacy is clear and accurate, with precise and upfront indication on data sharing, and on the period the data will be retained.”
Emergency rules introduced by governments have a bad habit of becoming permanent, Dr Marmo said.
“Surveillance technology to monitor the movements of individuals has always been problematic,” she said.
If we base our opinion on past experiences, perhaps we can’t be too assured that governments could be trusted with a scheme that collects our data.’’
Dr Marinella Marmo
Australians may be more inclined to sign up to the scheme “if they are offered specific clarifications and assurances,” Dr Marmo said.
We need to be given a reason to have trust and confidence that data will not be abused.’’
The government must also address “the core of the UN definition of right to privacy, which is ‘arbitrary interference’’’, Dr Marmo said.
“By defining the rationale, scope and limits, and by ensuring that a proper design of technology takes place, there could be more trust into this governmental move.”
Security questions remain
In a bid to boost public confidence and participation, Government Services Minister Stuart Robert said on Monday that the source code and a privacy impact assessment of the app would be released.
While these details are yet to be released, David Glance from the University of Western Australia’s Centre for Software and Security Practice said that Singapore’s TraceTogether app raises concerns.
“There are some privacy concerns with [adopting Singapore’s] approach because of the role of the health authorities in collecting and using the information gathered and the use of personally identifiable information,” Dr Glance said.
“It has a major deficiency when operating on iPhones and this will make it hard to use even for those who want to contribute to the government’s efforts to relax present restrictions,” he said
There are also unknown security issues with the application that can only be discovered once the application is made available.’’
Although the technology will “help in the tracing efforts and is possibly necessary under the current environment”, Dr Glance said “strong assurances about its limited use and making the right choices regarding its implementation will be critical to its adoption and use”.
Clive Harfield, an associate professor at the University of the Sunshine Coast’s Institute for Cyber Investigations & Forensics, criticised claims that the COVID-19 app will not track users’ locations.
“Assertions that these apps do not provide live tracking data disguise the whole point of these apps, which is to trace – and so track – contacts between people and thereby identifying individuals who may have been infected with the virus but are not yet presenting symptoms,” Associate Professor Harfield said.
“The purpose of contact tracing is to track the movements of individuals (all be it historically rather than in real time) and identify where they have been, who they have been with, and where they might have spread the contagion.”
Any app is also vulnerable to “hacking or coincidental uses”, Associate Professor Harfield warned.
“Once gathered and collated, any data is vulnerable to unauthorised access through information sharing between entities or agencies who (mistakenly) believe they are authorised to share such information, or to unauthorised access through hacking,” he said.
More needs to be explained in detail about how the app actually works, and who will have access to the data it generates, where the data will be stored, and – in each case – for how long.
“Even allowing for the fact that these are emergency circumstances, investing in the direct benefit of increased testing for the virus seems more worthwhile – and morally more justifiable – than increased investment in surveillance technologies which offer, at best, an indirect benefit with accuracy shortcomings.”