COVID, SAFE? PROPORTIONALITY AND SURVEILLANCE OF THE GOVERNMENT TRACING APP

Andrew Ray and Yasmin Frost*

Photo Credits: Australian National University

1. Introduction

The COVID-19 pandemic has required rapid response by governments worldwide, including in Australia. As Australia’s national cabinet sprung into action, a range of measures were introduced by the Commonwealth and State and Territory governments in an effort to flatten the curve.[1] At a national level this included the development and release of the COVIDSafe app (the App). The release of the App was accompanied by amendments to the Privacy Act 1988 (Cth) aimed to protect user data. In implementing these amendments, the Government expressly outlawed the use of App data by security agencies, and introduced offences to prevent misuse of data and ensure that individuals were not coerced into downloading the App.[2] Questions remain however concerning the security and utility of the App and whether it is fit for purpose. Proponents of the App have shouted down these concerns – citing public health benefits as justifying any impact on privacy.[3] This has prevented a proper discussion of the issues and created a false dichotomy between public health and privacy.

2. Balancing Privacy and Security Utilising Structured Proportionality

There are clear benefits to society through ensuring that citizens feel safe and maintaining public health is therefore important. Protecting privacy however offers similar benefits and increases public participation and trust in government institutions. In situations involving national security or a public health crisis these objectives are often difficult to appropriately balance, especially without an accepted framework to apply. While surveillance agencies in Australia often refer to the need for proportionate measures,[4] this does not always flow through to implemented measures. The COVID response by the federal government is no exception, with limited public debate regarding the App. Instead, individuals have felt “shamed” into downloading the App to feel that they are “good” public citizens.[5] Indeed, some commentators have suggested that the rhetoric around the App has prevented individuals from being able to properly consent to the collection of their data for a public health purpose.[6]

We will assess the appropriateness of the COVIDSafe App using a structured proportionality assessment by asking:

  1. What is the public health benefit/need for the App?
  2. How great an impact on privacy does the app have?
  3. Balancing these, is the App proportionate to the threat it aims to prevent?

In answering these questions, we are aiming to determine whether a “less restrictive” means could achieve the health objective – as if so, this would be preferred to the App.

3. What is the Public Health Benefit of the App?

Legal commentary surrounding the App is warranted but these concerns will not materialise if the App, quite simply, does not work. The Digital Transformation Agency (DTA) has released documents detailing the App’s Bluetooth Encounter Logging results. While the App’s performance has improved over time, the current success rate remains underwhelming. Under the DTA’s classification a success rating of “moderate” only requires 25%-50% of encounters to be logged, with the majority of interactions between locked phones achieving this classification or lower. This compares to an expected log rate using Bluetooth 5.0 of 99.9%. [7] This indicates the App’s code is flawed. The public has been quick to point out bugs in the source code, such as the absence of a simple ‘return’ function, resulting in an error that prevents encounter logging. These technical shortfalls could explain why the Government has abandoned their forty percent download target[8] and why only one person has been notified of potential exposure via the App’s alleged abilities.[9]

Additionally, there remain concerns regarding the App’s ability to detect the distance between phones in line with the government 1.5m advice.[10] This means that the App is likely to overreport contacts, and given the low uptake it is unclear whether simpler measures around encouraging Australians to actively keep contact logs would have enabled more accurate contact tracing to occur. Absent significant further uptake, it is unlikely that the App can perform a significant public health function in allowing Australia to flatten the curve.While these implementation hiccups are somewhat amusing, they ultimately divert attention away from the App’s key legal issues. The rationale of those abstaining from using the App do so because it ‘doesn’t work’ rather than engaging with the serious privacy implications of the App.

Due to these flaws in the App design and rollout as outlined above the public health benefit of the App is unclear. While this issue has now been patched, the initial advice given to App users that it could run well while a phone was locked (contrary to independent expert assessment).

4. What is the Impact on Privacy?

The government has relied heavily on the principle of consent to mitigate any privacy concerns, alongside several changes to the Privacy Act to encourage citizens to download and use the App. These amendments are however insufficient to fully protect individual privacy. As outlined above the concept of consent is challenged by the public pressure surrounding downloading the App, including by institutions such as the NRL as well as the ANU.[11] Regardless, the amendments to the Privacy Act are not strong enough to protect individual data. While commentators have raised a range of concerns, the primary issue is the reliance of the Australian App on a central repository of contact information. This model, while effective is less privacy-centric than the Apple-Google proposal which would store identifiable data locally on an individual’s phone, and only store an anonymised token in the cloud.[12] Storing identifiable data locally reduces both the threat and risk of a cyber-attack, a clear issue given the recent wide-ranging attack on government and business in Australia. Local storage also gives individuals more control over what happens to their data, increasing confidence and by extension the potential uptake of the App. The final issue concerning the use of the COVIDSafe data is the potential access by US law enforcement agencies under the CLOUD Act.[13] The Australian government has stated that the risk of this is low, however has refused to release the legal advice supporting that position. The potential for US access would be removed if the Apple-Google proposal were adopted as no identifiable data would be stored by a US company.

5. Is the App Proportionate?

It is undeniable that public health is an important government objective. However, given the inherent privacy risks of the COVIDSafe App, and the significant improvements offered by the Apple-Google proposal the current privacy framework is not sufficient. Low uptake is limiting the utility of the App, and greater privacy protections would not prevent the government from achieving their public health objective. The App as it currently operates is therefore not proportionate to the public health risk and Australia should follow the UK in adopting the Apple-Google proposal.

*Andrew is a final year LLB(Hons)/BSc student at the Australian National University, Yasmin is a penultimate year LLB(Hons)/BSc(IT) student at the University of Technology Sydney. Yasmin is employed by Apple Australia, however, is not working within a team designing or implementing the Apple-Google API. The piece reflects only the personal views of the authors and not those of their respective employers.

The authors would like to thank Associate Professor Matthew Zagor and Senior Lecturer Dilan Thampapillai for their guidance and feedback on this piece.

[1] See, eg, Department of Health, ‘Government response to the COVID-19 outbreak’ (Web Page, 30 May 2020) https://www.health.gov.au/news/health-alerts/novel-coronavirus-2019-ncov-health-alert/government-response-to-the-covid-19-outbreak.

[2] Privacy Amendment (Public Health Contact Information) Act 2020 (Cth).

[3] Stephen Wilson, ‘I’m a privacy expert – and I’ve downloaded the COVIDSafe app’, The Sydney Morning Herald (online, 4 May 2020) https://www.smh.com.au/politics/federal/i-m-a-privacy-expert-and-i-ve-downloaded-the-covidsafe-app-20200503-p54pc6.html.

[4] Australian Security Intelligence Organisation, Submission No 3 to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Review into the effectiveness of the Australian Security Intelligence Organisation Amendment Bill 2020 (29 May 2020). While this type of assessment does not have any domestic legal effect, it does accord with Australia’s approach to complying with our obligations under the International Covenant on Civil and Political Rights.

[5] For discussion, see, eg, Kate Galloway and Melissa Castan, ‘COVIDSafe and Identity: Governance Beyond Privacy’, AusPubLaw (online, 11 May 2020) https://auspublaw.org/2020/05/covidsafe-and-identity-governance-beyond-privacy/.

[6] Ibid.

[7]  Senate Select Committee on COVID-19, Parliament of Australia, Answers to Questions on Notice (22 May 2020).Bluetooth, ‘Bluetooth 5’ (Report, 2019). It is worth noting that initial government advice suggested to users that the App would work even when operating in the background with their phone locked.

[8] Ariel Bogle, ‘COVIDSafe has been downloaded by millions, but yet to identify contacts (and authorities say that’s a good thing)’, ABC News (online, 11 June 2020) https://www.abc.net.au/news/science/2020-06-11/coronavirus-contact-tracing-app-covid-safe-no-close-contacts/12343138.

[9] Josh Taylor, ‘How did the Covidsafe app go from being vital to almost irrelevant?’, The Guardian (online, 24 May 2020) https://www.theguardian.com/world/2020/may/24/how-did-the-covidsafe-app-go-from-being-vital-to-almost-irrelevant.

[10] UNSW Allens Hub for Technology Law and Innovation, Submission No 4 to Senate Select Committee on COVID-19, Parliament of Australia, Inquiry into the Australian Government’s response to the COVID-19 pandemic (13 May 2020).

[11] Andrew Ray, ‘Is the Australian National University’s COVID-19 Response Privacy Safe’ (Blog Post, 15 June 2020) https://anulrsj.wordpress.com/2020/06/15/is-the-anu-covid-response-privacy-safe/.

[12] Apple and Google, ‘Exposure Notification Frequently Asked Questions’ (Report, May 2020) https://blog.google/documents/73/Exposure_Notification_-_FAQ_v1.1.pdf.

[13] Clarifying Lawful Overseas Use of Data Act (2018) HR 4943 §103(b)–(c). For further discussion see Andrew Ray, Bridie Adams, Charlotte Michalowski and Kate Renehan, Submission to Senate Select Committee on COVID-19, Parliament of Australia, Inquiry into the Australian Government’s response to the COVID-19 pandemic (28 May 2020).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create your website at WordPress.com
Get started
%d bloggers like this: