This appeared a few days ago.
There are some mistruths about the COVIDSafe app that need clearing up
Dr Kemp (PhD) is a senior lecturer at the Faculty of Law, UNSW, Sydney.
7th May 2020
The Australian Federal Government will need to correct earlier misstatements and improve privacy protections to gain the trust of the millions of Australians being called on to download the COVIDSafe contact tracing app.
The draft Privacy Amendment (Public Health Contact Information) Bill 2020, or the COVIDSafe bill, released on Tuesday, is the first step towards parliamentary legislation providing privacy protections for users of the app.
The COVIDSafe bill includes some significant improvements on the protections offered by Federal Minister for Health Greg Hunt’s current determination under the Biosecurity Act, which put rules in place to encourage uptake of the app.
However, the bill falls short on other substantial concerns.
Improvements incorporated in the bill
The COVIDSafe bill includes several amendments to the privacy protections originally set out in the determination, which the legislation is intended to replace.
The bill, like the determination, would make it illegal to gather or use data collected by the app for purposes other than those specified.
Such an offence would be punishable by up to five years in prison.
Importantly, the bill also permits individuals to take some enforcement action on their own behalf if the privacy protections are breached, rather than relying on the government to bring criminal proceedings.
It does this by making a breach of those protections an “interference with privacy” under the Privacy Act. This means users can make a complaint to the federal privacy commissioner.
The bill also improves the kind of consent needed to upload a user’s list of contacts to the central data store, if the user tests positive for COVID-19.
Instead of allowing anyone with control of a mobile phone to consent, the bill requires consent from the actual registered COVIDSafe user.
The legislation will also apply to state and territory health officials to cover data accessed for contact tracing purposes, in case they misuse it.
Not 1.5 metres, not 15 minutes
A crucial problem with the bill is it allows the government to collect much more personal data than is necessary for contact tracing.
Just before the app’s release, Federal Services Minister Stuart Roberts said the app would only collect data of other app users within 1.5 metres, for at least 15 minutes.
He also said when a user tests positive, the app would allow the user to consent to the upload of only those contacts.
Neither of these statements is true.
According to the Privacy Impact Assessment of COVIDSafe, the app collects and — with consent of a user who tests positive — uploads to the central data store, data about all other users who came within Bluetooth signal range even for a minute within the preceding 21 days.
While the Department of Health more recently said it would prevent state and territory health authorities from accessing contacts other than those that meet the “risk parameters”, the bill includes no data collection or use restrictions based on the distance or duration of contact.
The government should correct its misstatements and minimise the data collected and decrypted to that which is necessary, to the extent that is technically possible.
An overly narrow definition of protected data
The privacy protections in the bill only apply to certain data.
And the definition of that data does not capture critical personal data created and used in the process of COVIDSafe contact tracing.
The bill defines “COVID app data” as data collected or generated through the operation of the app which has been stored on a mobile phone or device. This would include the encrypted contacts stored on a user’s phone.
But if the user tests positive and uploads those encrypted contacts to the national data store, the decrypted records of their contacts over the last 21 days do not clearly fall within that definition.
Data transformed or derived from that data by state and territory health officers would also fall outside the definition.
“COVID app data” should be re-defined to expressly include these types of data.
No source code
Ministers have said COVIDSafe’s source code, or at least the parts of it which do not pose “security issues”, would be made available within a fortnight after the app’s release. Yet, there is no sign of this.
The full source code should be made public at least a week prior to the COVIDSafe Act being enacted so experts can identify weaknesses in privacy protections.
The bill also fails to provide any guarantee of independent scientific advice on whether the app is continuing to be of practical benefit, or should be terminated.
Read more from the Conversation:
- The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy
- Coronavirus contact-tracing apps: most of us won’t cooperate unless everyone does
Loopholes in the rules against coercion
The bill contains some good protections against coercing people to download or use the COVIDSafe app, but these need to be strengthened, by preventing requirements to disclose installation of the app, and discriminatory conditions.
This is especially necessary given various groups, including chambers of commerce, have already proposed (illegal) plans to make participation or entry conditional on app usage.
Some behavioural economists have proposed making government payments, tax break or other financial rewards dependent on individuals using the app.
The bill should make clear that no discount, payment or other financial incentive may be conditional on a person downloading or using the app.
The government must abide by its promise that use of the COVIDSafe app is voluntary. Coercion or 'pseudo-voluntary' agreement should not be used to circumvent this.
‘Google knows everything about you’ doesn’t cut it
Many have argued Australians who do not yet trust the COVIDSafe app should download it anyway since Google, Facebook, Uber or Amazon already “know far more about you”.
But the fact that some entities are being investigated for data practices which disadvantage consumers is not a reason to diminish the need for privacy protections.
The harms from government invasions of privacy have even more dramatic and immediate impacts on our liberty.
Parliament will debate the COVIDSafe Bill in the sitting expected to start 12 May, and a Senate Committee will continue to investigate it.
Many are likely to wait for improved protections in the final legislation before making the choice to opt in.
- This article was coauthored by Professor Graham Greenleaf, Professor of Law and Information Systems, UNSW, who was made a Member for the Order of Australia for his work as "a leader in the protection of privacy". He is a Board member of the Australian Privacy Foundation, a non-profit privacy advocacy organisation.
- Dr Kemp (PhD) receives funding from The Allens Hub for Technology, Law and Innovation. She is a Member of the Advisory Board of the Future of Finance Initiative in India, the Centre for Law, Markets & Regulation and the Australian Privacy Foundation.
- This article is republished from The Conversation under a Creative Commons license. Read the original article.
Here is a link – or use the link to the original just above:
As you can see with this review there are still a number of important areas which are not clear and other areas in which the Government is bordering on being deceptive / obfuscatory.
It is my view that if the privacy aspects of the app are not clear and apparently trustworthy then there will be real resistance to adoption and use of the app.
I note the Government has now released the source code which is a good thing.
DTA publicly releases COVIDSafe application source code
8 May 2020
Today the Digital Transformation Agency released to the public the source code for the COVIDSafe application. Any member of the public can view the source code, which is hosted on a GitHub repository.
Protecting the privacy of Australians downloading and using COVIDSafe is paramount. Prior to launching the application, the source code was reviewed by government security agencies, academics and industry specialists. We are releasing the app code, but to ensure the privacy of individuals and integrity of the overall system, the code that relates to the COVIDSafe National Information Storage System will not be released.
DTA welcomes feedback from the community
Now researchers, developers, academics and members of the public can also review the source code in detail.
You can provide feedback about the application’s source code by emailing support@covidsafe.gov.au. We welcome the feedback that has already been provided following the app’s launch.
While we may be unable to reply to every individual who provides feedback, please know that your feedback will be reviewed and triaged depending on its impact to security and usability.
In some instances, the DTA may contact you to gain a deeper understanding about the issues raised.
More here:
One disturbing feature of what has been announced regarding the app is that it is self updating as new versions as they are placed in the release channel.
It is clearly vital that all updates are reflected in the available source code and that nothing concerning is added.
It is hoped that new versions of the app can address the issues that seem to be plaguing the iOS version of the app and that overall we get a fully functional tracing and tracking system.
Read all about the iOS issues here:
https://www.smh.com.au/technology/the-covidsafe-app-is-not-fit-for-purpose-on-iphones-20200506-p54qjk.html
Half-baked: The COVIDSafe app is not fit for purpose on iPhones
Ben Grubb - 7 May, 2020
It is a good and valuable read.
David.
Read all about the iOS issues here:
https://www.smh.com.au/technology/the-covidsafe-app-is-not-fit-for-purpose-on-iphones-20200506-p54qjk.html
Half-baked: The COVIDSafe app is not fit for purpose on iPhones
Ben Grubb - 7 May, 2020
It is a good and valuable read.
David.
2 comments:
I do not think they (Ministers and Agency heads) grasp the impact of what they do and what they say on the Australian public. This should have been a communication dream and a rebuilding of public trust and bridging that great divide we have in social contracts.
And so it begins, a little chip here a little nudge there, minor structural erosion never hurt. They just cannot help themselves. As if they have any interest beyound a column in a spreadsheet.
https://www.digitalhealth.net/2020/05/data-from-nhs-contact-tracing-app-to-be-kept-for-research-purposes/
Post a Comment