No Social Licence for Effective App Take-Up: An Interview With Digital Rights Watch’s Lizzie O’Shea

The prime minister outlined last week that the nation might be able to start lifting some of the restrictions involved with the COVID-19 lockdown in a month’s time. And this is in part based on the proviso that at least 40 percent of Australians start using a virus tracking app.

Following widespread concerns raised by privacy and rights advocates, Scott Morrison advised a press conference on 21 April that “the app only collects data and puts it into an encrypted national store which can only be accessed by the states and territories”.

“The Commonwealth can’t access the data,” the PM further assured those gathered. “No government agency at the Commonwealth level, not the tax office, not government services, not Centrelink, not Home Affairs, not the Department of Education, not childcare, nothing.”

However, what Morrison assurances basically did was reflect the widespread distrust the public has in his government poking around in its private data, even if it’s in the name of public health. Indeed, this unfortunate lack of trust in our leaders is something they’ve earnt.

A transnational warning

Meanwhile, just to raise any concerns around whether the COVID-19 tracking app is really a cause for worry, more than 300 scientists and researchers around the globe issued a joint statement on Monday warning governments of the “mission creep” involved with such proposals.

The experts assert that while some Bluetooth tracking options wouldn’t impinge upon the right to privacy, others would constitute “a form of government or private sector surveillance that would catastrophically hamper trust in and acceptance of such an application by society at large”.

The statement outlines that it’s vital governments don’t create tools that permit the large scale collection of population data in an attempt to remedy the crisis. And this includes “social graph” data, which is the details of who someone has met over a period of time.

Via the accessing of social graph data, the scientists further explain, states would be able to “spy on citizens’ real-world activities”. And they go on to point out that some countries are already building systems that would enable the accessing and processing of social graph information.

More access, more assistance

The app being spruiked by the Morrison government will record and store information on the individuals a user has been in close contact with for a period of over 15 minutes. And then if such a contact is later diagnosed with COVID-19, the user is notified.

The PM’s insistence that data will be encrypted is slim assurance when you factor in that his government passed the Assistance and Access Bill in late 2018, which allows law enforcement and intelligence agencies to require that communications providers open up their encrypted systems.

Digital Rights Watch is one of the human rights organisations that has issued cautions over rushing to take up the app solution. It has raised the anti-encryption laws, as well as the metadata retention regime, as instances when the government has simply disregarded citizens’ privacy.

Sydney Criminal Lawyers spoke to Digital Rights Watch chair Lizzie O’Shea about her concerns regarding the tracing app, the reasons why not enough of the public are likely to voluntarily commence using it, and how she thinks it’s about time government begins earning the public’s trust.

Firstly, the Morrison government has suggested that Australia might be able to start lifting COVID-19 restrictions in about a month if enough citizens choose to download and use a virus tracing app.

Digital Rights Watch has raised concerns about this. Ms O’Shea, broadly speaking, why are you wary of the tracking app proposal?

There are a few reasons. The first one is that the government doesn’t have a strong record in protecting people’s privacy.

It’s spent the last two decades passing laws that are invasive and prioritise the interests of law enforcement and intelligence over the rights of users.

So, the context politically and legally for the instruction of this app is not promising.

The second reason is that for an app like this to be effective in theory it does need to be backed up with practical real-world responses that complement any information on advantages gained.

For example, there should be an attempt to deal with false positives – so making sure that that’s appropriately dealt with in the code.

There should also be widespread testing to avoid situations where you might learn of this information but not be able to act upon it.

The other thing is that if you look at similar regimes in somewhere like Singapore the take-up rate was only about 20 percent for a similar app. And Singapore is a place that has a tradition of respect for authority in a way that Australia doesn’t.

All these things are related. So, if you were to take away the lack of confidence in the government’s attitude towards privacy, then we might be more inclined to take it up.

But, we’re in the context that we are in, and to get to a 40 percent take-up rate – which is what the chief health officer seems to think is necessary – we need to see much harder work from the Australian government in order to earn the social licence to do that.

The suggestion that we should have to take this compromise to relax social distancing measures is an unfair bargain to require Australians to make.

It has been claimed that the details of individuals stored on devices will be anonymised, and there will be no way of identifying who they were. Why are these guarantees not enough in your opinion?

There are all sorts of difficulties about this kind of application. Of course, for it to be effective it would have to be able to identify people in order to track them – effective contact tracing does require some giving up of privacy.

But, it could be done in a way that’s better. There are guarantees that could be on offer, such as the information not being cross referenced with other regimes, like the anti-encryption legislation that was passed a couple of years ago, or the metadata retention laws.

If the government provided a guarantee that information collected through the COVID tracing app was not going to be cross referenced or used in collaboration with other apps, there might be more confidence in the proposal.

There are a number of things that the government could do. They’ve talked about releasing the source code for example. That would be a good thing.

Although, there is the concern that they may not do that until the app is made available, by which time it would be too late to find any concerns with the code.

So, it’s pleasing that the government is able to release the code, but it should be done now, so privacy advocates can have the opportunity to scrutinise it for any problems or weaknesses.

There are lots of ways that this can be done in a better manner. I appreciate that in needing to make a contact tracing app effective you need to collect data in a way that breaches human rights in normal circumstances.

But, human rights law has a way of dealing with that, which means it has to be necessary, proportionate and in these circumstances, it would be good if it was temporary.

They’re the types of protections that are needed when you are going to engage in a technical program like this that does require some people to give up some privacy for the greater good.

As you’ve mentioned, the app needs at least 40 percent of people using it for it to be successful. The PM initially said installing it would be voluntary. Then, towards the end of last week, he suggested it might be mandatory, and on the following day, he reneged on that.

How confident do you feel with the prime minister’s assurances around the way the app will be rolled out when he’s toing and froing like this in the media?

That toing and froing is not encouraging. There are real difficulties with making it mandatory. You’d either need the people managing the operating systems – like Apple or Google – to require it to be downloaded, which would be unlikely in practice.

The second option would be to do it in a similar way to the requirement to have a driver’s licence.

That’s difficult to enforce en masse, but it’s a rule that is generally complied with by many people, and that’s because they can see why it’s important and they trust that system.

That second option is the most likely one, which does require a social licence to make it effective, which they don’t have.

And there are worries that they might look to more coercive means in how they engage with users and encourage them to download the app.

That might be in accessing government services, or other similar things. They’ve done that with other programs before, and it takes a long time to implement.

The point is making it mandatory is practically difficult. And I am concerned the government seems to think their most appropriate pastime which is developing public trust in order to get to the necessary threshold for effectiveness is not the path they’re going to take.

They’re going to look to other options to require people to start using it more extensively. But, I’d encourage them to work on developing a social licence instead.

What do you think about Morrison issuing this proviso to the public: that we can somehow start to get back to the way it was only if enough people start using an app that can monitor their movements?

It’s a very unfair bargain to require Australians to draw. Our ability to contain this virus and return society to a semblance of what was normal, is going to be contingent on many factors, not just the development of this technology.

It will require healthcare capacity and protection of vulnerable people, who often may not be connected to the internet in ways that would make an app like this effective.

The people most at risk are probably the people most likely to fall into the connectivity gap.

We should be looking at making a suit of proposals from a public policy perspective that manage the risk of spread and ability to contain it.

Relying too much and too heavily on technology is treating it like a magic bullet. That can cause a lot of problems around the violation of rights, as well as social problems.

And lastly, Ms O’Shea, you’ve mentioned social licence a number of times during the interview, and the fact that the government doesn’t seem to have much of it at present.

Is this app proposal something that has less chance of working, because the government hasn’t worked on earning a necessary level of trust before the pandemic happened?

Yes. My Health Record was a health and technology project that saw 2 million opt-out, because they didn’t trust that the government had done a good job in designing it.

This app comes in that context. It’s one of many tech projects that people have been quite critical of. And the government hasn’t always listened in the way that they ought to have.

There is mistrust here that the government has earned. And it needs to do work to reverse that at this critical moment when many people’s lives depend on them getting it right.

It’s disappointing to many who advocate in this space that we’ve had two decades of policies that have prioritised the interests of law enforcement and intelligence agencies over the rights of users.

It’s been cybersecurity as a public good, over privacy and respect for rights – that has consequences.

That long history of disregard for privacy has consequences and unless the government works really hard to redress that then we are not going to be able to make use of technology in a way that will help us contain and control the spread of this deadly virus.