What is the COVIDSafe App?
The latest weapon in the fight against COVID-19 is the government’s recently launched COVIDSafe App. The app is used to track the spread of the novel coronavirus known as COVID-19 in Australia and works by keeping a digital record of who you’ve been in contact with. As this is a voluntary program, around 40% of the population will need to download the COVIDSafe app in order for it to be effective. The idea is that by signing up to use the app, health departments will be able to more quickly identify those who have been in close contact with confirmed cases of COVID-19 and limit further exposure. However, does this attempt to better track the virus come with an insidious risk to our privacy?
How does the app work?
Once you download the app, it will ask you to provide details such as your name, phone number, post code and age range. It will then generate an encrypted reference code to identify you. The app works by using Bluetooth to send out a signal which recognises other phones with the app installed. It will then record their reference code and make a note of how far apart you were, and for how long. To successfully collect this information, you will need to have the COVIDSafe app running throughout the day.
What happens if I get diagnosed with COVID-19?
In the event that you are diagnosed with COVID-19, you will need to notify the government (as is required regardless of whether you have the app or not). If you have been using the app, you will then need to provide further consent to release the information on your phone. If you consent, the information will be uploaded to a secure storage information system that health officials will have access to. They will then notify anyone who has been within 1.5 metres of you for 15 minutes or more, as recorded by the app.
What information will the app store?
The app will store information locally on the phone, including:
- name, mobile number, age range, post code
- contact information, including the encrypted reference code, date and time, proximity and duration of contact
- app logs, including performance and troubleshooting data
The COVIDSafe app does not collect any other information and does not track movement or collect location information.
Who has access to the information?
Only health officials from the relevant state or territory will have access to the data. This means that the Federal Government will not be able to access the information, nor will bodies such as Centrelink, the Police, or anyone else. The Health Minister issued a declaration pursuant to the Biosecurity Act in order to protect the privacy of those who use the COVIDSafe app by restricting access to the data to state and territory health authorities only. It will be a criminal offence to use the data in any other way.
How will the information be used?
If somebody tests positive and provides consent for the data to be uploaded, then health officials can only use this information in limited circumstances, such as:
- to retrieve the contact information to perform contact tracing
- to notify people who may have been exposed
- to provide advice as to what to do next and how to get tested
The identity of the infected person will not be released.
Can COVIDSafe app data be used to enforce laws?
Technically, the app is actively collecting information about the number of times you breach social distancing laws, so can that information be used as proof of a breach? The government states that the app cannot be used to enforce quarantine or isolation restrictions or any other law. Commonwealth and state/territory law enforcement agencies will not be allowed to access any information from the app unless it relates to the misuse of that information itself.
Is my information protected?
One of the biggest concerns associated with the COVIDSafe app is whether privacy will be protected, and data kept safe. In response to these concerns, the Federal Government has stated that the information will be stored within Australia, encrypted, and that the identification linked to the encryption will be stored securely on your phone’s handset. Health officials will only be able to access the data once you give consent to upload it, and no one should be able to access the information on the phone. Additionally, data on the phone will be deleted every 21 days.
An independent and publicly available privacy impact assessment report is also available on the Government’s website, as is a privacy policy.
Once the COVID-19 pandemic is over, you’ll be prompted to delete the COVIDSafe app which will also delete its information. Any information downloaded to the storage system will also be deleted. If you wish to have the information deleted from the storage system at any time, there is a Request Data Deletion form that can be completed.
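The 1.5 metre / 15 minute notification rule and the 21-day deletion described above, expressed as an added example (this is not COVIDSafe's code, which the article notes was not published). The record fields, the names used and the summing of near-range time per reference code are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)        # article: phone data deleted every 21 days
MAX_DISTANCE_M = 1.5                  # article: within 1.5 metres
MIN_DURATION = timedelta(minutes=15)  # article: for 15 minutes or more


@dataclass(frozen=True)
class Encounter:                      # hypothetical record layout
    ref_code: str                     # other phone's encrypted reference code (opaque)
    seen_at: datetime
    distance_m: float
    duration: timedelta


def purge_expired(log, now):
    """Keep only encounters still inside the 21-day retention window."""
    return [e for e in log if now - e.seen_at <= RETENTION]


def close_contacts(log, now):
    """Reference codes that meet the notification threshold.

    Expired records are discarded first, so data past the retention
    window can never reach health officials. Assumption: time spent
    within range is summed per reference code across encounters.
    """
    near = defaultdict(timedelta)
    for e in purge_expired(log, now):
        if e.distance_m <= MAX_DISTANCE_M:
            near[e.ref_code] += e.duration
    return sorted(code for code, total in near.items() if total >= MIN_DURATION)


# Constructed sample log; reference codes are placeholders.
NOW = datetime(2020, 5, 10, 12, 0)
SAMPLE_LOG = [
    Encounter("ref-A", NOW - timedelta(days=1), 1.0, timedelta(minutes=10)),
    Encounter("ref-A", NOW - timedelta(hours=23), 1.2, timedelta(minutes=6)),
    Encounter("ref-B", NOW - timedelta(days=2), 4.0, timedelta(minutes=40)),   # too far
    Encounter("ref-C", NOW - timedelta(days=3), 0.5, timedelta(minutes=5)),    # too brief
    Encounter("ref-D", NOW - timedelta(days=30), 1.0, timedelta(minutes=60)),  # expired
    Encounter("ref-E", NOW - timedelta(days=21), 1.5, timedelta(minutes=15)),  # boundary
]

if __name__ == "__main__":
    print(close_contacts(SAMPLE_LOG, NOW))
```

Only the reference codes that pass both filters are returned, which is the data-minimisation property the article's privacy assurances depend on: contacts that are too distant, too brief or too old are never part of an upload.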
Is the COVIDSafe app reliable?
Bluetooth is not necessarily a reliable way of determining who we have come into contact with. There is the possibility that there will be false negative readings or that it may pick up on contact through the walls of an apartment, for example. Another issue is that the app needs to be running constantly. For most devices, the app that you’re currently using will use most of the ‘power’ from your phone and will shut down or suspend any background apps, which means the COVIDSafe app may not even work throughout the day.
Is Bluetooth safe?
In a recent article, Dr Merkel from Monash University explains that the use of Bluetooth in transmitting messages to other phones was found to raise a separate privacy issue, in that it communicated the make and model of your phone. As that information is unencrypted, anyone could potentially access it. Bluetooth is essentially a channel for communication between two devices, and leaving your Bluetooth on all day could leave you vulnerable to potential attack. While the chance of being the subject of a Bluetooth attack is slim, Dr Merkel advises undertaking software updates before using the app, as this can fix any issues which may create vulnerabilities.
Can we trust it?
As previously mentioned, the Health Minister made a determination under the Biosecurity Act to restrict access to the information contained in the app. This is a crucial point, as our privacy protection hinges on this determination, which is a ‘disallowable’ instrument. A determination can be modified or repealed at any time.
Without legislation, there is no real security as to who is allowed to access this data into the future. Pauline Wright, the president of the Law Council of Australia, also cautioned that there is the potential for some law enforcement or intelligence warrants to “override” the determination. We will need to wait until legislation emerges in May when Parliament resumes to better understand the risks of this app.
Should you download the COVIDSafe app?
This is up to you. It’s best to undertake your own research and satisfy yourself that you can trust the Government in its protection of your data and privacy, and that it will do what it says it will do.
Some tech experts have been critical of the government’s reluctance to reveal the ‘source code’ of the app. This would have allowed people to verify if the app is the kind that preserves privacy or not. Something that we should all consider is the scope of the app. The initial aim is to curb the spread of the virus – but what happens if the Government decides they need to start using the app or its information for other purposes, or allow other Government bodies to have access to the information?
For us, it’s a balancing act between providing information to assist in a public health crisis and risking our privacy being violated or personal data being accessed by others in the future.