Explainer: The COVIDSafe App

Unprecedented Times Require Extraordinary Solutions

Covid-19 is the most significant and unprecedented event of our times. The strict social distancing measures that were rolled out starting in early March have helped flatten the curve, thus avoiding the possibility of mass infection rates in Australia similar to what occurred in other parts of the world such as Europe and the US. However, it was evident early on that these measures and the pandemic in general would have drastic consequences for the economy. In the June quarter the GDP is forecast to fall by more than 10% while the unemployment rate is predicted to reach around 1.4 million people.

In this context, on 26 April 2020 the Federal government launched the COVIDSafe app. It is part of the government’s strategy to ease some social distancing restrictions and use the app instead to continue combating the ongoing Covid-19 pandemic by tracing and isolating infected individuals. It is hoped that the ease of some restrictions would allow for a rebound of the economy. Many Australians readily accepted the government’s advice to download the app. Within 10 days of its launch, the number of downloads of the app reached more than 5 million.

How does the App Work?

The COVIDSafe app is based on the BlueTrace open source application protocol developed by the Singaporean Government. Singapore released its own tracking app known as TraceTogether on which COVIDSafe is partially modelled.

The app is available for download from Apple App Store or Google Play Store. Upon downloading the app the user is required to provide their name, mobile number, and postcode as well as their age range. A confirmation text message is received to complete installation and the system will create a unique reference code for the user. For the app to work users are required to allow the app running as they go about their daily lives especially when coming into contact with other people. The app recognises other devices that are Bluetooth enabled and have the COVIDSafe app installed. The two devices exchange temporary IDs which are then stored on the user’s phone. The contact information is kept on a 21-day rolling cycle. If the user tests positive then State and Territory health authorities can request the stored information from the user and upload it to an information storage system. The authorities may use the accessed information to trace contacts captured by the app as part of their contact tracing operation.

Early Troubles

Despite millions of Australians having already downloaded the app, a number of questions about its effectiveness have been raised. For instance, the app turned out to be incompatible with older phones. The Deputy Chief Medical Officer Paul Kelly conceded that up to 10% of phones may not be able to download the app due to their older operating systems. Then there is issues stemming from Apple. If an iPhone is in low power mode then the app is unlikely to refresh. This may impact the ability of the app to track contacts. Apple’s iOS also prevents third-party apps from transmitting Bluetooth signals when running in the background and more generally the app is unlikely to work if the phone is locked or when there are too many apps running on it at the same time.

Questions over the effectiveness of the app will continue to be brought up and debated. However, as Karliana Reid had already foreshadowed in an earlier article published on the VSCL website in April when the government had first suggested launching a tracking app, there are more serious concerns over privacy that have been raised in relation to the app.

Privacy Guarantees from the Government

The main controversy surrounding the app is due to privacy concerns. So far the government has taken many steps to assuage those concerns. These include the following:

  • Location: the app does not collect user’s location.
  • Deleting the COVIDSafe App: the government has indicated that in the aftermath of the pandemic there will be no need for the app and that the information gathered in the storage system will be destroyed.
  • Opt-out option: since downloading the app is voluntary, a person who has already downloaded it can delete the app from their phone at any time.
  • Privacy Impact Assessment Report: this report was released alongside the launch of the app and is meant to make certain that privacy risks have been addressed.
  • COVIDSafe Privacy Policy: his policy details how personal information collected in the app is to be handled.
  • Voluntary download: although the app is voluntary, if enough people do not download it then there is a likelihood that the government might have to take certain mandatory measures to increase the number of people using it.
  • Release of source code: under pressure the government was pushed to provide the app’s source code which shows how the app works in practice. However, there have been calls to also release the ‘server source code’ which shows what the government actually does with the data.
  • Determination: The Health Minister Greg Hunt initially issued a ‘Determination under the Biosecurity Act’ to restrict access to information from the app. The government has further insisted that federal agencies such as the Home Affairs, Centrelink and law enforcement agencies will not be able to access user data.
  • Proposed Legislation: to guarantee that the privacy of the app’s users is protected the government has introduced a draft bill – the Privacy Amendment (Public Health Contact Information) Bill 2020 which will be introduced in Parliament in the week of 11 May 2020. The bill criminalises the collection, use or disclosure of information collected by the app for purposes not related to contract tracing. It further makes it a criminal offence to decrypt the app data or transfer it to a country outside Australia. Failure to abide by the rules could lead to a maximum penalty of five years imprisonment or $63,000 in fines. As indicated earlier, in spite of the government insisting repeatedly that law enforcement agencies will not have access to the data stored on the phone, the bill itself does not make any reference to those agencies in particular.

The Focal Concern over the COVIDSafe App: Centralised Storage 

The noteworthy apprehension raised by critics of the app is its centralised technology. Information collected from users like their names and phone numbers will be stored in a centralised location. This could leave sensitive data unguarded prompting fears of its misuse by government or even its potential susceptibility to breaches. The data will not be hosted by a government service provider or an Australian firm but the US tech giant Amazon Web Services. Although the data will be stored in Australia, there are fears that the US government could demand access to the app data under that country’s domestic laws such as the Clarifying Lawful Overseas Use of Data (Cloud) Act.

Alternatives to a centralised storage system do exist. For instance, Apple and Google have partnered together to develop a contract tracing system called Exposure Notifications which keeps personal data private by using a decentralised storage system. Countries such as Germany and Britain are also considering employing a de-centralised model.

Regardless of the seriousness of these privacy concerns it is not certain whether the government would have the capacity to start all-over again by either scrapping its agreement with Amazon’s AWS in favour of an Australian firm or moving towards a decentralised storage technology. Especially in light of the fact that the government has already spent weeks both before and after the launch of the app trying to reassure the Australian public that all privacy concerns have been taken care of.

From the early stages of the pandemic Australians generally showed a sense of solidarity and shared community sentiments with each other. The government’s policies of strict social distancing measures which required them to sideline their fundamental democratic principles of free movement and freedom of association were promptly accepted. It is in light of these circumstances that millions have once again accepted the advice of the government to download the app. Therefore, it is imperative for the government to ensure that the privacy of the COVIDSafe app users is protected. Failure to do so may further entrench mistrust between the government and the public.

NOTES

[1] Privacy Amendment (Public Health Contact Information) Bill 2020

https://www.ag.gov.au/RightsAndProtections/Privacy/Documents/exposure-draft-privacy-amendment-public-health-contact-information.pdf

[2]       https://www.abc.net.au/news/2020-05-12/treasurer-josh-frydenberg-addresses-parliament-on-coronavirus/12237860

[3]       https://www.theguardian.com/australia-news/2020/may/04/government-releases-draft-legislation-for-covidsafe-tracing-app-to-allay-privacy-concerns

[4]       https://www.health.gov.au/resources/publications/covidsafe-application-privacy-impact-assessment

[5]       https://www.abc.net.au/news/2020-05-06/coronavirus-covidsafe-5-million-download-officials-concede-flaws/12221004

[6]       https://www.afr.com/technology/amazon-and-security-concerns-hamper-covidsafe-app-push-20200508-p54r71

[7]       https://www.theguardian.com/world/2020/apr/20/coronavirus-digital-contact-tracing-will-fail-unless-privacy-is-respected-experts-warn

[8]       https://www.smh.com.au/national/covid-tracing-app-needs-a-makeover-not-new-laws-to-keep-privacy-safe-20200509-p54rfe.html