What you need to know about the COVIDSafe Tracking App

COVIDSafe Update 18 May 2020

UPDATE: the Federal Government has just introduced legislation that makes it a criminal offence, and an interference with privacy for the purposes of the Privacy Act, to mishandle COVIDSafe data.

The Privacy Commissioner's office issued a statement that 'COVIDSafe app data can only be used for purposes related to contact tracing and must be stored in Australia and destroyed when the app is no longer required'.

In addition to investigating any complaints or breaches relating to the app, the Commission is mandated to 'proactively assess the system to identify any privacy risks and has [been given] expanded powers to compel information and documents' in order to do this.

Any complaints about COVIDSafe can be directed to the Commission. 

If you have any questions about this app or privacy law in general, please get in touch with our specialist Sam Hartridge here.

On Sunday 26 April 2020 the Federal Government released the COVIDSafe app to trace the spread of the coronavirus in Australia. The app will act as a proximity detector to assist with contact tracing. It is voluntary to join, but concerns have been raised about possible impacts on privacy. This is what you need to know.

How the Tracking App works 

When you download the app and it is either kept open or left running in the background, the proximity detector is triggered via Bluetooth. The trigger will only occur if you spend more than 15 minutes within 1.5 meters of another user who also has the app. Each user's mobile device will swap an encrypted package which includes information that the users entered when they downloaded the app. This information includes name, age, postcode, mobile number and a unique identifier. However, your geolocation data is not stored.

If users stay healthy, the information will be deleted at the end of the pandemic. However, if someone is diagnosed with the coronavirus, information about the people they have come into contact with, including their phone numbers, will be given to state health authorities.

The Australian Government said that 40% of the population would need to use the app for it to be effective in speeding up contact tracing to help public health officials. Opting in would be a ‘matter of national service’ according to the Prime Minister, and a crucial step towards rolling back Australia’s coronavirus restrictions.

Protection of your personal data 

The data collected by the app includes people you have been in close contact with and the time period of that contact. As the app does not track your location it will not show where you came into contact with the person.  

The government has noted that the data will be encrypted at all times except when given to state health authorities. The data is stored and encrypted on your phone, where it will be deleted on a rolling 21-day basis. If you are diagnosed with coronavirus, you will be asked for consent to upload the encrypted logs to a central database which is able to decrypt the data. The storage of this data is contracted to the Amazon cloud subsidiary called Amazon Web Services (AWS). The government has given an assurance that the central database information will be deleted once the pandemic is over.

Your privacy and data concerns 

The current privacy laws require the deletion and de-identification of personal information when it is no longer required for the purposes for which it was collected. Even though this safeguard is in place, privacy experts have raised issues concerning the ill-defined nature of state health officials' access to the information. These include the breadth of that access, the security arrangements in place, where the data is stored, and whether the data can still be used once the pandemic is over.

Another concern is that AWS is a US-incorporated business and therefore subject to the US CLOUD Act. This enables US entities, including government agencies, to subpoena American cloud providers, requiring them to produce data they hold regardless of where in the world that data is stored. So your personal data could possibly be accessed by the US Government under US law.

The Government Services Minister Stuart Robert has so far made the following assurances: 

  • No law enforcement agency except for state health officials and the COVIDSafe Administrator will have access to your information.
  • The app cannot be used to enforce quarantine or isolation restrictions, or any other laws. 
  • Source code of the app will be made available to the public; however, the Minister for Health, Greg Hunt, has since clarified that not all source code will be made available.
  • A privacy impact assessment on the app conducted by the Privacy Commissioner is available to the public. 

Interestingly, there is presently no direct legislative basis for the app, with the rules for its operation being promulgated via a Ministerial determination under the Biosecurity Act.

However, despite these reassurances, concerns remain about the following:

  • The Government's poor track record when it comes to protecting personal information and cybersecurity.
  • There may be ineffective protection of your privacy from the central database.
  • The data can be assembled into a "social graph" which will include information about the people you spend time with, with access to the phone numbers and identities of everyone on the graph.
  • While the CLOUD Act does allow AWS to challenge subpoenas, this would not be available for Australian data because the Australian Government is not recognized as a “qualifying foreign government” under the Act.
  • If someone doesn’t uninstall the app after the pandemic, it is possible that the government might continue to gather data. In this respect, Professor Dali Kaafar, the chief scientist of the Optus Macquarie Cyber Security Hub, noted “This is a problem known as "mission creep" -- the idea that a technology originally developed for a specific purpose, like halting a pandemic, might end up being used for all kinds of other things it was never intended for”.
  • David Vaile, who works in data protection and surveillance at the Allens Hub for Technology, Law and Innovation at UNSW, also noted “identification may be made possible, and it might interfere with the operation of the device”.

If you have further concerns relating to Privacy and Data Security, please get in touch with our specialist Sam Hartridge here.