More than two million people have downloaded the Federal Government’s COVIDSafe app since its release on Sunday, and the government is hoping for about 3 million more Australians to do so.
But many are concerned about the app for a range of reasons – including the level of access it will give to their data, how it may curtail privacy and personal freedom (after all, without privacy there is no freedom), how the data will be stored, how the information gathered may eventually be used or shared, how safe the data will be from hackers and which company will be responsible for its storage and safekeeping.
Data collection and use
While most understand the app’s stated purpose: to help health authorities trace and prevent COVID-19’s spread by contacting people who may have been in proximity (to a distance of about 1.5 metres) with a confirmed case, for 15 minutes or more.
The majority also understand – in general terms – how Bluetooth technology is used to record users’ contact with other app users. The app says collected data is encrypted and can’t be accessed by other apps or users without a decryption mechanism. It also says the data is stored locally on users’ phones and isn’t sent to the government (remote server storage).
But already there have been problems. Federal police have been called in to investigate a text message that some users have received when they are more than 20km from home. The message says they have breached lockdown and must contact the government within 15 minutes of receiving the message. The government says this is a hoax, and that whoever is found to be responsible for it, will be charged with a serious criminal offence.
The second area of concern is the news this week that COVIDSafe data will be hosted not in Australia, but by US by tech giant, Amazon.
Managed by Amazon
Amazon secured the contract after an ‘invitation only’ tender process run by the Department of Home Affairs.
And there are fears that potentially, this could mean that Australian data is obtainable by US law enforcement, under national security legislation introduced in 2018, which compels US-based technology companies to provide data to federal law enforcement under warrant, regardless of whether the data is held in the US or overseas.
The tracing app is now officially the responsibility of the Digital Transformation Agency, which comes under the portfolio of Government Services Minister Stuart Robert.
Prime Minister Scott Morrison and Mr Roberts have both given assurances to Australians that the US law would apply, saying that the data – which includes contact information – will be stored in Australia in highly secure servers and protected by additional laws to restrict access to health professionals only.
Further assurances given by the government include the fact that because the data is Australian and being kept in Australia it’s protection is guaranteed through a determination through the Biosecurity Act and other legislation, under which it will be a criminal offence to transfer data to any country other than Australia, punishable by five years in prison, or a $63,000 fine.
Commonwealth officials and law enforcement are also not able to access the stored data and at the end of the pandemic, the information storage system would be destroyed.
Distrust in the US company
Irrespective of assurances, a lot of Australians will be put off downloading and activating the app simply by the fact that the data is hosted by a US-based company rather than a perfectly capable local one, bound by Australian laws only. It’s understood that some of the privacy laws in relation to the app will be introduced in Parliament next month, although the app is already up and running.
Several senior government officials are dismayed that the contract has been awarded overseas, given that there are several wholly Australian-owned cloud storage services who have already been security vetted for high-level contracts such as this.
Despite assurances, many Australians are concerned the Federal Government isn’t providing the full story about the app, and that the potential benefits of downloading the app fail to outweigh the risks and intrusions associated with providing the state with such unprecedented access to personal information.
The distrust stems, at least in part, from the Federal Government’s appalling track record of adhering to its promises when it comes to using technology for stated purposes and of protecting the data that is accessed.
An example of failing to adhere to promises is the meta data retention laws, which the Government assured would be used to ‘catch terrorists and organised criminals’ but have in fact been used for such ‘unintended’ purposes as hunting down whistleblowers who have exposed corruption in state departments, targeting doctors and journalists who have been critical of the Government and its policies, detecting those suspected of evading tax, catching rubbish dumpers and even monitoring police cadets to determine whether they were sleeping with one another.
In just a year, over 60 governmental agencies accessed the scheme for purposes very different from ‘catching terrorists and organised criminals’, and the Australian Federal Police recently admitted accessing the metadata of Australians more than 20,000 times over a 12 month period.
As to failing to protect data, the Government assured the populace that the data stored through its My Health Record scheme would be safe and secure, but as widely reported in the media it has been anything but – with dozens of data breaches being recorded within its first few months of operation alone.
At the end of the day, residents have a choice as to whether or not to download the Government’s app – for now at least.