The source code of the federal government’s contact tracing app will be made public within two weeks after more than 2 million Australians downloaded the service in just one day.
COVIDSafe was launched on Sunday by Health Minister Greg Hunt. It uses a smartphone’s Bluetooth technology to record close contacts – defined as being within 1.5 metres for at least 15 minutes – between users. The app has been downloaded by nearly two million Australians.
This data is stored in an encrypted format on the user’s device. If a user is diagnosed with COVID-19, they can give permission for their list of contacts to be sent to a national store and then passed to the relevant state authority, which will then conduct contact tracing.
Privacy protections, including ensuring this data is kept within Australia and law enforcement and intelligence do not have access to it, have been initially included in a determination under the Biosecurity Act, and will soon be legislated.
The app has been given a cautious tick of approval from some digital rights and civil liberties organisations, including the Law Council of Australia, while some concerns still surround the lack of publicly available source code or design specifications and the need for independent oversight and scrutiny.
Government ministers had earlier promised that the app’s source code would be made public before its release. This was a recommendation of the privacy impact assessment, completed by Maddocks lawyers, and was accepted by the department “subject to consultation” with the Australian Cyber Security Centre.
But the app was launched over the weekend before the code was released. Mr Hunt on Tuesday said it would be made public within the fortnight.
“The reason for that is there is constant review of the safety and security. Our first task is to ensure the security assessment is done and there is absolute protection of privacy above all else,” Mr Hunt told Radio National.
“But working on the same basis of other countries, such as Singapore, we will be releasing the source code so there is full assessment,” he said.
More than 80 academics and industry experts signed an open letter to government over the weekend calling for the code to be released before the app could be downloaded.
“There is no need for secrecy here: this is not a commercial app. Secrecy only helps the virus. Secrecy in the time of COVID-19 is not a recipe for public trust. Trust requires transparency,” the letter said.
Deakin University senior lecturer Dr Monique Mann, who signed the letter, said the government should have made the code and design specifications available and open to scrutiny well before the app was released.
“They should’ve made full disclosures before the app was released or downloaded on any phone – what do they have to hide?” Dr Mann told InnovationAus.
“We have concerns about the non-independent privacy impact assessment, and there’s been no consultation with experts and civil society,” she said.
“The horse has already bolted – already in the first few hours we have one million people with the app on their phone who don’t know how it works exactly.”
More transparency is required to garner the level of trust needed to ensure widespread take-up of the app, University of Melbourne digital privacy academic Dr Suelette Dreyfus, who also signed the letter, said.
“That’s why it’s surprising the government didn’t make the source code available, nor allow the broader tech community to comment on it ahead of release. The government suddenly dropped it on Sunday,” Dr Dreyfus told InnovationAus.
“This is a social good app, not a commercial product – there’s really no reason for a lot of secrecy,” she said.
“The open source argument is that opening up the source code and all relevant documents, then fixing what the critics find, will ultimately make software safer in privacy and security terms.”
Privacy protections included in the government determination include making it illegal for the data to be used for any other reasons or sent offshore, a ban on forcing anyone to download it, encryption of the data on the device and in the national store and the release of the privacy impact assessment.
These protections have been welcomed by the Law Council of Australia, but there are still some concerns surrounding the app, its president Pauline Wright said.
“The Law Council is quite comfortable with the measures the government has brought in to address the privacy concerns we had identified. We issued a set of governing principles that we think should’ve been introduced to give comfort to Australian people that this app will be safe in terms of privacy, and the government’s determination has addressed those concerns,” Ms Wright told InnovationAus.
“Overall it’s a pretty good attempt to protect people’s privacy. There are a few concerns that we still have, and those include the lack of oversight and reporting on the use and lack of a robust complaints mechanism. And we’d like to see the declaration become law as soon as possible.”
The privacy protections and restrictions on access to the contact data are currently governed by a declaration under the COVID-19, but will be included in legislation to be introduced in the upcoming May sitting of Parliament.
Shadow health minister Chris Bowen confirmed that the Labor-led Senate committee investigating the government’s response to COVID-19 would scrutinise the app and the legislation underpinning it.
Ms Wright said there’s also a role for the state and territory privacy commissioners to play in scrutinising the app.
“That’ll make sure they’ve got independent scrutiny of it to make sure it is being properly stored, used and isn’t being released to parties who are not meant to have it, and that it’s not being used for any other purpose,” she said.
“We think that kind of external arms-length scrutiny would add a layer of protection and comfort for Australians who are wanting to have privacy protections. We would hope the government would introduce that with the legislation, and we’ll certainly be calling on them to do that.”
The Law Council also wants a commitment that the promised legislation enshrining the app’s data protection policies in law will be introduced on the first sitting day of May, with concerns over the use of unilateral determinations.
“It is being unilaterally put in place so it can be unilaterally taken away. The very good privacy protections that have been built in and are referred to in the determination can also be removed by the executive or amended. We’d like to see them in concrete legislation,” Ms Wright said.