The federal government launched its controversial COVIDSafe contact tracing app on Sunday, and published a Privacy Impact Assessment as it seeks to boost public confidence and trust in the system to increase take-up rates.
But the government has not yet released the sourcecode for the COVIDSafe app for public scrutiny, although the Department of Health has accepted a recommendation on this in the Privacy Impact Assessment and said that it will do so.
Recommendation One of the Privacy Impact Assessment, which was prepared by Maddocks lawyers, called for government to consider publishing both the PIA and the COVIDSafe sourcecode to allow for independent analysis – which would increase public trust and confidence in the app.
Health agreed and said the “PIA and source code will be released subject to consultation with the Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC).
The Prime Minister Scott Morrison said COVIDSafe was an important public health initiative that would help keep the public safe from a further spread of coronavirus through early notification of possible exposure.
“The Chief Medical Officer’s advice is we need the COVIDSafe app as part of the plan to save lives and save livelihoods,” Mr Morrison said.
“The more people who download this important public health app, the safer they and their family will be, the safer their community will be and the sooner we can safely lift restrictions and get back to business and do the things we love,” he said.
The government also agreed with Recommendation Two of the PIA to regularly review the operation of the COVIDSafe App, including reviews of the effectiveness of the privacy controls. It has also committed to introducing specific legislation at the next sitting of Parliament in May to protect the information collected in the app and the purposes for which it can be used.
“The Government understands there are public concerns that information collected by the App will be used or disclosed for purposes other than contact tracing, such as law enforcement,” Health department said in its response to the Maddocks PIA.
“The Government takes these concerns seriously and is taking urgent action to protect information in the App so that it must be used or disclosed for contact tracing purposes only and to give these protections the force of law,” it said.
“The Minister for Health has made a Determination under the Biosecurity Act 2015 to protect data collected by the App for an interim period until legislation can be enacted.
“The Attorney-General will introduce legislation in the next Parliamentary sitting week to establish a strict legal framework for information handling in the App. Any changes to the App will need to comply with these additional legal protections . This will minimise the risk of ‘function creep’,” the response said.
Government Services Minister Stuart Robert, who committed government to releasing the COVIDSafe sourcecode a week ago, said that to be effective the app needed to be running in the background on the users’ phone. He said it had been designed with privacy and data protection in mind.
“To be effective, users should have the app running in the background when they are coming into contact with others. Your phone does not need to be unlocked for the app to work,” Mr Robert said.
“It then securely makes a ‘digital handshake’, which notes the date and time, distance and duration of the contact. All information collected by the app is securely encrypted and stored in the app on the user’s phone. No one, not even the user, can access it,” he said.
“Unless and until a person is diagnosed with COVID-19, no contact information collected in the app is disclosed or able to be accessed. Then, once the person agrees and uploads the data, only the relevant state or territory public health officials will have access to information.
“The only information they are allowed to access is that of close contacts – when a person has come within approximately 1.5 metres of another app user for 15 minutes or more – in their jurisdiction,” Mr Robert said.
The government has also agreed to a Maddocks Privacy Impact Assessment recommendation that the Health department review the contract with Amazon Web Services – which was controversially awarded the contract to store the data – to tighten access to the data and to ensure that that management of the National COVIDSafe Data Store is under the control of the Commonwealth and not AWS.
The PIA recommended that Health ensure that there are specific contractual requirements to limit which authorised AWS personnel were allowed access to the Data Store for the purposes of contracted support, and to ensure that AWS will allow the Commonwealth to be able to remove data held in the Data Store at the end of the contract, after which time it will be deleted if not removed.
“Health will work with the DTA to immediately review the contract with AWS to ensure relevant provisions are included, assess adherence with the Protective Security Policy Framework and audit access management arrangements,” the government said in its response.
Shadow health spokesman Chris Bowen said Labor supported the creation of a contact tracing app and supported the view that it should be a voluntary system, and that privacy and security concerns were paramount to its successful implementation
“We’ve consistently said this app could play a constructive role in helping to defeat COVID-19,” Mr Bowen said. “So this is a step forward.”
“We’ve also consistently said that the Government needs to work hard to address the very valid privacy and other concerns of the Australian people. And of course, we look forward to more information from the Government on that,” he said.
Do you know more? Contact James Riley via Email.
This is a smokescreen to prevent discussion of the side-effects of this app. Enabling BLE beacons means EVERYTHING ELSE else can track you (ad signs, buses, trains, cctv cameras, shops, everyone else, and billions upon billions of other devices).
It is utterly irrelevant what the app does or collects – the fact it enabled everything else to “go to town” on you is the main problem.
This app opens the front door to allowing everyone else to track everything you do.
It it passed an PIA – whoever did that needs to be removed from being allowed to do PIA’s.
well – tried to download CovidSAFE for my Oppo R7 with latest update Color-OS v2.1.0i OS BUT – app says “Incompatible device.” and will not install So much for testing.
While Gov Covid19 app intentions are very good. However, it is important to address data management and governance concerns along with data security, privacy, ethics and trust in a systematic way.
The following intent needs to be clarified:
“AWS will allow the Commonwealth to be able to remove data held in the Data Store at the end of the contract, after which time it will be deleted if not removed”.
– What does it mean by delete and/or remove in this context?
– How would it trace and ensure data removal from periodic automatic data backups, mirrors, archives other than the main app data store?
– How would it handle false alarms based on false data?
– How would it ensure the quality of the collected data?
– Can an AI baess algorithm use this app on my phone to trigger millions of false alarms?
– What is faile safe mechanisim built into the app to ensure resiliency?
….