The Australian Government recently launched COVIDSafe, a contact tracing app which continues to raise concerns about privacy issues and cyber security.
The lead-up to its highly anticipated launch was filled with intense public debate about the impact of the app on the privacy of its users. Information and undertakings provided by the Federal Government upon launching the app provided reassurance to many, but still left a significant number of sceptics in their wake, including parliamentarians.
This article outlines the issues and considers whether there are in fact grounds for ongoing concern.
What is contact tracing?
Contact tracing, as defined by the World Health Organisation in 2017, is the process whereby health authorities can track down people who have come into contact with a person found to be suffering from an infectious illness. The evolving technology and its use in Australia are novel, not the process of contact tracing as such.
At the outset of the current coronavirus pandemic, contact tracing was being carried out manually in Australia, by the likes of the Australian Police Force and state and territory health departments. But in the context of the highly contagious novel coronavirus, it is easy to see the allure of modern tracking technology as a substitute.
Before Australia went down this surveillance route, Taiwan, South Korea and China reported successes with contact tracing apps to fight the spread of COVID-19. The benefits of enhancing contact tracing with technology are obvious to anyone. Nevertheless, privacy concerns remain. The privacy issue is whether the process constitutes an unwarranted intrusion on a person’s private life, or at least whether it is a disproportionate intrusion when weighed up against the potential benefits.
‘Privacy’ has sustained a limited meaning under Australian law, as there is no statutory definition nor statutory right to privacy.
Furthermore, there is no Australian Bill of Rights – most recently a private Member’s Australian Bill of Rights Bill 2019 (Cth) was tabled in September 2019 and removed from the Notice Paper on 24 March 2020 – to negate legislative intrusions on privacy.
Our superior courts have meanwhile consistently rejected the notion that a right of privacy exists at common law. There was some perceived support for the proposition in Australian Broadcasting Corp v Lenah Game Meats Pty Ltd (2001) 208 CLR 199; 76 ALJR 1;  HCA 63, but enthusiasm was subsequently dampened by interpretations of that decision in Giller v Procopets (No 2) (2009) 24 VR 1;  VSCA 72; Kalaba v Commonwealth  FCA 763; Sands v South Australia  SASC 44 and Wilson v Ferguson  WASC 15.
“Privacy is a fundamental right enshrined in Art 17 of the International Covenant on Civil and Political Rights (ICCPR), but this is only meaningful to the extent that it is reflected in Australian domestic law” – Dr Gordon Hughes AM, Principal lawyer, Davies Collison Cave Law
The ICCPR has not been adopted into Australian domestic law as such, but it did provide a mechanism whereby the Federal Government could rely upon the external affairs power in s 51(xxix) of the Constitution to enact the Privacy Act 1988 (Cth).
The end result is that the extent to which ‘privacy’ is recognised under Australian law at national level is as set out in the Privacy Act.
Putting the COVIDSafe app under a microscope
Before considering how the Privacy Act may serve to constrain the government’s rollout of a contact tracing app, it is necessary to identify what concerns have been raised by the public. Essentially, these concerns fall into one or more of four categories:
- Where will the information be stored? Is a central database vulnerable to malicious attacks and information theft, particularly if held outside Australia?
- How will the information be used? Sceptics have expressed concern over the prospect of “scope creep”, meaning that the government or law enforcement agencies might utilise the information gathered from the app for purposes other than the fight against COVID-19.
- How long will the information be retained? The longer that the information is retained, the more susceptible it is to unauthorised access or to use out of context.
- How long will the scheme run? Should there be a sunset date, limiting the lifespan of the program so as to minimise the likelihood of the data being used for other purposes?
Relevant Australian Privacy Principles
Privacy rights recognised by the Privacy Act are essentially enshrined in the 13 Australian Privacy Principles (APPs) as contained in Sch 1 of the Act. Not all of the APPs are of direct or significant relevance to the COVIDSafe debate, but provisions of particular relevance are as follows:
- APP 3 – personal information must be collected only by lawful and fair means;
- APP 5 – at or before the time of collection of their personal data, individuals must be advised, inter alia, as to the legal basis of collection and the purpose of collection;
- APP 6 – personal information may only be used in connection with the primary purpose of collection or a reasonably related secondary purpose;
- APP 8 – restrictions are imposed on the ability to disclose personal information to an overseas recipient;
- APP 11.1 – personal information must be protected from misuse, interference and loss, and from unauthorised access, modification and disclosure;
- APP 11.2 – personal information must not be kept longer than required in connection with the original purpose of collection, unless otherwise provided by law.
Key features of COVIDSafe
The Determination was made on 25 April 2020, pursuant to the earlier Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) Declaration 2020 of 18 March, under s 475 of the Biosecurity Act 2015 (Cth). A determination of this nature overrides inconsistent provisions in other Commonwealth legislation.
Legal features of the scheme include:
- s 9 of the Determination states that the use of the app is “completely voluntary”, with coercion to download the app expressly prohibited;
- all registration information will be stored in a cloud-based data storage facility, using infrastructure located in Australia with appropriate security (Determination, s 7(3));
- contact data will be deleted on a rolling 21-day basis (Determination, s 7(2));
- personal information will be used to enable contact tracing by health officials; this will include using a person’s mobile number to send an SMS, using encrypted IDs (decryption is prohibited by s 8 of the Determination), to alert other COVIDSafe users that a positive COVIDSafe user had contact with them in the past 21 days and providing health officials with access to registration information to enable contact tracing, but not for any other purpose.
Privacy strengths and weaknesses of the surveillance app
From a privacy perspective, the contact tracing app has its strengths and weaknesses.
However, this may not be sufficient to convince a sceptical public. In this regard, there are four issues of ongoing concern:
1. Biosecurity concerns
Under the law as it presently stands, the ability remains for Australian law enforcement agencies to access data stored under the Telecommunications (Interception and Access) Act 1979 (Cth) (see Sch 5 – Australian Security Intelligence Organisation of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth)). It is stated in the Explanatory Memorandum to the Determination that the Determination “only allows” for data to be used by law enforcement agencies for the purpose of prosecuting breaches of s 479 of the Biosecurity Act and, whilst this is correct, the Determination does not otherwise expressly prohibit use by law enforcement agencies in other circumstances.
2. Unease about data hosting
There is also an ability of US law enforcement agencies to access information stored on US servers (see the USA Patriot Act of 2001, and more recently the US CLOUD Act of 2018). In this regard, there is concern over the fact that Amazon Web Services will host the data. The fact that the data will be hosted in Australia provides insufficient comfort to some, although the threat is probably more illusory than real. APP 6.2(b) permits the disclosure of personal information under an “Australian law” but does not expressly authorise disclosure pursuant to a foreign law in circumstances where the data storage is otherwise subject to Australian law.
3. No end-game in sight
There is no sunset clause. In one sense, this would be superfluous, given that the scheme is said to be of finite duration, terminating “when the COVID-19 pandemic has concluded”. Sceptics are, however, concerned about potential imprecision over what will constitute the “conclusion” of the pandemic.
4. Secrecy over the source code
The source code of the app had not been released when the app was launched. A number of privacy experts have expressed the view that without access to the source code, they are unable to satisfy themselves that the app is as secure as claimed.
Underpinning all these concerns is the question of consent. At present the scheme is voluntary. The government has a target of a 40% take-up in order to ensure the data is meaningful. Within 24 hours of launch, 2 million people had downloaded the app. Some are haunted by the Prime Minister’s words on 17 April 2020 that he would “not entirely rule out” making the app mandatory if take-up was insufficient. The following day, the Prime Minister nevertheless did rule out making use of the app mandatory.
The Victorian Information Commissioner, Sven Bluemmel, believes that the app will be successful if enough Australians choose to download it, which simply comes down to trust. Certainly, if the government’s use of the app – and information collected using the app – is restricted in the manner stated at the launch, then privacy concerns have on balance been adequately addressed.
For what it’s worth: the author of this article has downloaded the app.