Labor in the dark on contact tracing

Denham Sadler
National Affairs Editor

The Opposition has not been consulted at all on the federal government’s plans for developing a COVID-19 contact tracing app, amid concerns it will “fail” unless privacy and protections are guaranteed.

Late on Tuesday multiple media organisations reported that the federal government would launch its own COVID-19 contact tracing app, based on the Singapore open source model, within weeks.

The Digital Transformation Agency has been working on the project for several weeks, with plans to launch it this month.

But despite receiving weekly COVID-19 response briefings from the Coalition, Labor were not aware of these plans at all until they appeared in the media.

Contact tracing
Labor has not been consulted on government plans on contact tracing

“This tracing app has not been raised by the government in any discussions with the Opposition. The details of this app are scant and it is incumbent on the government to tell the Australian people what they have in mind,” a spokesperson for shadow health minister Chris Bowen told InnovationAus.

Chief medical officer Brendan Murphy was informed of the government’s plans, and even told the New Zealand parliament’s epidemic response committee earlier this week, saying Australia could use the technology “even more extensively” than Singapore.

Despite its apparent imminent launch, the government has provided few details on how the app will work and how it is being developed, except for saying it is to be based on the Singapore government’s TraceTogether app.

A spokesperson for government services minister Stuart Robert confirmed the government is “finalising” the development of the app, which would “digitise” the contact tracing process that is currently conducted manually. It records contact with other users of 15 minutes or more.

“Crucially this app will ensure health authorities can get the full picture and not rely solely on the memory of an infected person,” the spokesperson told InnovationAus.

“This will help identify people who might not even know they are carrying the virus – protecting them, their family and the community more broadly.”

“The new app will enable health authorities to rapidly trace these close contacts by seeing who a diagnosed user had come in close contact with to provide advice, services and testing as required. It will save lives and help the entire community.”

The app, which has been “modelled closely” on the Singapore government’s contact tracing app, is subject to a Privacy Impact Statement and the “highest level of cybersecurity assurances”, the spokesperson said, and will only be available to health professionals for tracing purposes.

Data about who the user has come into contact with will be stored “securely and anonymously” on their device and will only be shared with health authorities if they are diagnosed with COVID-19 and consent to their information being shared.

A number of Australian privacy and civil liberties advocates have flagged significant concerns with adopting the Singapore model, which is centralised and places the government as the intermediary, receiving information on contacts after someone is diagnosed with the virus.

It was important that the contact tracing technology was not viewed as a silver bullet that would allow the government to lift social restrictions currently in place, according to Australian Privacy Foundation chair David Vaile.

“A proximity tracing app is not a panacea and I have concerns that we have this aspirational hope that the app might allow us to resume life as normal, but we have in Singapore an example of following the steps we’re contemplating and that has come with a quite significant price of losing the benefits of a strict lockdown,” Mr Vaile told InnovationAus.

“I don’t think we can point to Singapore as a validation of the effectiveness of this sort of model.”

Government must be more transparent and properly test the technology before it is launched widely, Mr Vaile said.

“You can’t have security by obscurity – they can’t be hiding behind the code and telling us to trust them because they got it from people offshore,” he said.

“They need to open source the code, the methodology and the encryption model so that before we commit to this we can have sophisticated outside eyes looking at it.

“It’s doubtful that you could actually justify doing this on a proportionality basis. The actual benefits may be much lower once you look at the code and architecture, and the risks of the specific tools may be much higher than not using it.”

While it is still unclear whether Australia will be simply copy and pasting the Singapore app using the open sourced code, cryptography expert Dr Vanessa Teague said this version can be tweaked so it doesn’t provide so much power to the government.

“There is no reason that the identification and notification of contacts should be done through government – we could be doing that ourselves, through our own apps, without revealing our contacts to a third party,” Dr Teague told InnovationAus.

“Putting a centralised authority at a critical point in the path increases the risk of both failure and abuse. If the government server goes down, we won’t get the notification we need. If a person’s phone is seized, their recent close contacts will be easily decrypted by the authorities. It doesn’t have to be this way – we have plenty of time to redesign the structure around the Google-Apple privacy-preserving API instead.”

The government has not yet given enough information on the app or justification for its need, Digital Rights Watch chair Lizzie O’Shea said.

“Getting buy in with a voluntary app seems to be very difficult in other countries, and it would be pretty logical here given the government has generally shown disrespect for privacy, a lack of interest in protecting digital security, and an unwillingness to design health technology projects in a way that is rights-respecting,” Ms O’Shea told InnovationAus.

“There are a lot of design decisions that will have to be made well, and it seems unlikely that’s what we’ll get in a fortnight’s time,” she said.

“Technology may have a role to play in limiting the spread of the virus, but if human rights are ignored it will not be effective and could ultimately be disastrous for our democracy.

“By far the most successful contact tracing and effective containment has been led by people, not apps.”

Do you know more? Contact James Riley via Email.

1 Comment
  1. RF 4 years ago

    The description of the app indicates, or at least implies that the central database carries personally identifiable information (which could then be used for other purposes).
    All that is required of an app is that the two parties to the ‘contact’ record on their phone (locally) via the app the unique ID of the contact event [assigned by a central server on request] together with a time stamp – two (only) phones record identical contact records but have no way of tracing each other.
    When one party tests positive the health authority supplies the app (with the consent of its owner) with a code to allow it to upload records in the appropriate date range to a public database – this database shows just a long list of contact IDs – nothing more; try using that for nefarious purposes! If the government wants to record anything more then i’d say they’re up to something. The only person for whom this ID has any meaning or use is the one whose phone records this event ID as a contact – and all he/she knows is that at some time recently he/she was in contact with an unknown infectious person and so should immediately self-isolate and possibly go and get tested for the sake of their own health. In the current Australian context a person who can show a testing clinic an infectious contact alert on their phone would, I think, be a good candidate for a positive test and should be given it.

Leave a Comment

Related stories