It is time for a “rigorous and independent” analysis of the effectiveness of the federal government’s COVIDSafe contact tracing app to ensure it is working and worth the seven million Australians who have downloaded the app trading away some of their privacy, Human Rights Commissioner Edward Santow says.
Speaking on a panel discussion with Cyber Security CRC chief executive Rachael Falk, hosted by the Australian Society for Computers & Law, Mr Santow said the contact tracing app – which collects the users name, phone number and postcode, along with the unique identifier of other users they come into close contact with – does infringe on privacy in some way, and this should only be done if it is actually performing the job it is supposed to.
“Of course, the COVIDSafe app uses personal information, and it does limit the privacy of anyone who is caught up in it,” Mr Santow said.
“The justification for limiting people’s privacy is essentially that it will enable people to stay safe in the pandemic, it will give people critical information that will enable people who might have tested positive to stop themselves from infecting others.”
“The point then is it must do what it sets out to do – the app has to work. What we are starting to see is some relatively early analysis that suggests perhaps it doesn’t work as effectively as it might have.
“Let’s imagine if it was completely ineffective but it only limits privacy a little bit. That would still be unacceptable. It has to work for any limitation on privacy to be justified.”
The effectiveness of COVIDSafe has been widely questioned, with a focus on its performance issues on Apple devices.
The app is yet to pick up a new close contact in Victoria, the state worst hit by the coronavirus. Its use was halted entirely by Victorian contact tracers for a number of weeks at the outbreak of the second wave after they didn’t see a use in it.
Victorian health authorities are using the app as part of their contact tracing efforts now, and it has picked up a handful of new cases in New South Wales.
The federal government placed COVIDSafe at the forefront of its effort to ease restrictions around the country earlier this year, with Prime Minister Scott Morrison comparing it to putting on sunblock when going outside.
Mr Santow said there needs to be significant and independent review of whether COVIDSafe is working.
“It’s completely acceptable for government to improve the app as it goes, but what we want to see is a really rigorous and independent analysis of the app over time to ensure that any limitation on privacy is justified by the fact that it’s actually helping people keep safe in a material way,” he said.
Under the legislation passed to enshrine privacy laws around COVIDSafe, the Attorney-General and the Office of the Australian Information Commissioner will have to report every six months on the operation and effectiveness of COVIDSafe. The first due date for this reporting is in November.
Ms Falk, who runs the industry development-focused Cyber CRC defended the app and used the widespread argument that Australians hand over much more significant data to multinationals like Facebook.
“You give up far more data to Apple every day of your life than you ever give up to the COVIDSafe app. It is, to be blunt, not of use to agencies. If they wanted to they could get metadata which is far more precision-targeted. It’s a very unhelpful dataset in the scheme of things,” Ms Falk said.
“We don’t give a second’s thought to the apps we accept and the data we pump out and give to unregulated large multinationals who slice, dice and sell it. You should be more concerned with what you’re giving up when you accept updates and engage in different activities online.”
But Mr Santow argued that it’s possible to be concerned about both the collection of user data by global tech companies and handing over some amounts of personal data to the government.
Ms Falk said that past issues around big government tech initiatives, such as My Health Record, have impacted public trust in further efforts such as COVIDSafe.
“It was a litmus test of mistrust in government, absolutely. Governments don’t always have the best track record when it comes to securing data, and I was pleased on one level to see people taking an interest in their privacy,” she said.
Mr Santow agreed and said the government did accept some of his own recommendations and those of the broader civil and digital rights community.
“You’re absolutely right in saying that the government was working off a base of limited trust in terms of the community’s perceptions of how safely it would keep people’s personal data, and so I do think it was quite responsive to the input from a lot of stakeholders, including us,” he said.