COVID-19 | Contact tracing? There’s an app for that!

Effective and widespread contact tracing is considered to be a critical step in managing and containing the spread of COVID-19.

The Commonwealth has released COVIDSafe, a mobile app to assist in determining who may have been exposed to the virus.

Additionally, a contact tracing protocol is being developed by Apple and Google which will be released worldwide.

This update will focus on the recently-released COVIDSafe app, and consider the privacy implications and commentary surrounding it.

How does it work?

COVIDSafe uses Bluetooth to determine when two mobile phones that have the app activated have spent 15 minutes in close proximity.  When this occurs, an encrypted record is made on each mobile phone.  If someone tests positive to the virus, they are requested to upload the data held on their phone from the previous 14 days to the National COVIDSafe Data Store, a central database which is accessed by their local State or Territory government, who are able to decrypt the records and contact those who have potentially been exposed.

The National COVIDSafe Data Store will automatically generate new Unique IDs for each User every two hours, and will send these new Unique IDs to the User’s App.  The Unique ID Reports will be sent to the Commonwealth Department of Health, to assist determining the extent to which the App is being properly used, as Unique IDs will not be received by users who have downloaded the app but do not have it active.

The app requires users to have their phone’s Bluetooth activated for the app to function. Users therefore have the ability to ‘turn off’ tracing by disabling Bluetooth or deleting the app.

If a user tests positive for the virus, a health official will contact them and ask for their consent to enter the user’s mobile phone number into the National COVIDSafe Data Store.  A pin number will then be sent to the user’s phone, which if entered on the app, will provide the user’s consent for the data on his or her device to be uploaded to the National COVIDSafe Data Store to enable contact tracing.

In that case, the data being uploaded from the user’s device may include details of the user’s contact with other users.  Note that those other users would only have provided their consent when they signed up to the app, and not a second time when their data is uploaded to the National COVIDSafe Data Store.

Notably, however, GPS data is not to be used and exact records of a person’s movement are not to be collected.

What information is collected?

After downloading the app, users are required to provide their name (though a pseudonym can be given), mobile phone number (which is then verified during the app setup process as this is important for contacting the user if required), age range, and postcode.  A record containing that information in encrypted form is then exchanged with other users’ phones that come within a close proximity for 15 or more minutes.  After a user tests positive and uploads their data to the National COVIDSafe Data Store, the encrypted data will be accessed by the relevant State or Territory government body.  That government body will then be able to decrypt the data to contact and advise people that they may have been exposed to the virus.

How will the information be used?

The Health Minister has issued a Determination under the Biosecurity Act 2015 (Biosecurity Act) which governs how data is collected, used and disclosed.[1]

The Determination provides that the data collected will be accessible by State and Territory governments for the purpose of COVID-19 contact tracing.

Under the Determination, the Commonwealth may access the data for the purpose of enabling contact tracing by State or Territory health authorities or ensuring the proper functioning, integrity and security of COVIDSafe or of the National COVIDSafe Data Store, but will not otherwise have access to the data.

As foreshadowed prior to the app’s release, the Determination ensures law enforcement agencies will not be able to access the data, other than to investigate whether a breach of the Determination has occurred or to prosecute a person for an offence against section 479 of the Biosecurity Act.

The Determination makes it an offence to decrypt data stored on a mobile phone, and provides that data stored in the national data store must be retained within Australia, and must not be disclosed to a person outside Australia.

It should be noted that the Determination is not an Act that has been made by the Commonwealth Parliament, rather it is subordinate legislation. The Commonwealth has indicated that the protections in relation to how data is used will be bolstered by legislation.  Notably, the Commonwealth’s own Privacy Impact Assessment recommended that the legislation be finalised before the release of the app, which did not occur.  At this stage it appears that draft legislation has not been circulated.

Records created on a user’s phone will only be stored on that phone for 21 days and will then be deleted, and all data collected by government bodies from users who test positive to the virus will be deleted after the pandemic is over.  The Explanatory Statement to the Determination states that the conclusion of the pandemic would be determined based on advice from the Australian Health Protection Principal Committee.  However, there are no details as to whether the pandemic will be considered to be over when the situation has improved within Australia, or within the Asia-Pacific region, or around the world.

In our view it would be prudent for guidelines to be published concerning when information will be deleted, and the engagement of an independent auditor to verify when this occurs, as this may assuage concerns about improper data retention.

What if a person doesn’t comply with a requirement under the Determination?

A person commits an offence if they engage in conduct which contravenes a requirement under the Determination, the penalty for which may be a fine up to $63,000 or 5 years imprisonment or both (section 479 of the Biosecurity Act).

Shortcomings of the Determination

The Determination is only in effect while the human biosecurity emergency continues.  A human biosecurity emergency was declared by the Governor General under subsection 475(3) of the Biosecurity Act on 18 March 2020. This will cease after three months (i.e. on 17 June 2020, unless this time frame is extended).

Under section 476 of the Biosecurity Act, the Governor-General has the power to extend a human biosecurity emergency by further three month period if the Health Minister is satisfied the disease is continuing to pose a severe and immediate threat, or is continuing to cause harm, to human health on a nationally significant scale, and the extension is necessary to prevent or control the entry of the disease into Australian territory or the emergence, establishment or spread of the disease in Australian territory.

The obvious question is what happens to the data in the national data store and on users’ phones if the Determination is revoked or if the human biosecurity emergency period ceases and causes the Determination to cease. It is likely that all of the protections around how the app and the data are to be used would also cease.

The fact that the protections around how data is used are provided in subordinate legislation, which at some point will cease, may concern some users.  For certainty and to ensure that the data is used in a proper manner we think that the protections should be made by way of primary legislation at the earliest opportunity.

Will it work?

The Commonwealth indicates that the app will require at least a 40% uptake in order to be effective.

A similar app, TraceTogether, has been rolled out in Singapore and reportedly has struggled to achieve an uptake of over 20%.  That app has also been constrained by technical constraints in relation to the use of Bluetooth.  Users have complained that the app’s use of Bluetooth drains battery life, and that the app does not function when it is running in the background.

COVIDSafe operates while the app is in the background, meaning that as long as the app is open and Bluetooth is switched on users can have their phones locked or be performing other functions and the app will continue to operate.  However, there have been initial concerns about the effectiveness of the app for iPhone users when the app is running in the background.

For the app to be effective, the Commonwealth will have to convince a sufficient number of Australians to get on board.  This should be aided by the fact that Australians are generally fast adopters of technology, and smartphone ownership is widespread.  The main obstacles to achieving the required uptake will likely centre around issues of privacy and trust in the Government.

Privacy concerns

We have already seen and heard a great deal of commentary in relation to privacy concerns associated with the use of the app.

Concerns have been expressed regarding whether the data collected could be used for other purposes, whether the app will be susceptible to hacking or contain security flaws, whether use of the app could become mandatory, and whether once the pandemic passes, will data cease to be collected or will data that has already been collected in fact be deleted.  As discussed, the government has attempted to mitigate some of these concerns though the Determination, however the temporary nature of the Determination will likely not allay these concerns entirely.

Australians are, in some ways, reluctant to share their data with government. Widespread criticism of, and large numbers of people opting out of, the Commonwealth’s My Health Record is a recent example of this.  On the other hand, Australians frequently interact with the Commonwealth and often exchange large amounts of personal information with them, particularly in relation to health, welfare and taxation.

The Commonwealth has already begun to attempt to allay people’s privacy concerns as follows:

• committing to releasing the source code to the app; and
• releasing a Privacy Impact Assessment in relation to the app.

Privacy Act

In relation to interaction with the Privacy Act 1988 (Cth) and the Australian Privacy Principles, the app will collect personal information (name, phone number, age range and post code) and will collect sensitive information if a person confirms on the app that they have contracted COVID-19.  The latter information will be identifiable alongside their name and other personal information that has already been provided.

The Commonwealth is keen to ensure it receives the required consent of users to collect and share data for the specified purpose.  The app requires users to consent at two stages.  First, upon the user activating the app after download. Second, if the user has been identified as having been infected, before their data is uploaded to the central database.  While users can withdraw their consent by deleting the app, they can’t delete their encrypted information that has been stored on another user’s phone with whom they have been in close contact.  However, a user can request that their data be deleted from the national database before the pandemic is over.

Can I mandate that my employees or visitors to my premises have the app?

No.

The Determination provides that a person must not refuse to enter into or continue a contract of employment, or refuse access to a premises on the basis that a person does not have the app installed or active, or has not consented to upload their data to the National COVIDSafe Data Store.

Conclusion

Australians have shown a willingness to embrace, and have broadly supported, wide ranging restrictions on their lives arising from COVID-19.  For many, those restrictions have drastically impacted their livelihood.

It is necessary to consider the restrictions we are currently living under, which just a couple months ago would have been unimaginable.  Workplaces have shut down, international travel is banned, Australians returning from overseas and in some cases travelling within Australia must quarantine for 14 days, places of worship are closed, and sporting events have been cancelled.

Will Australians get behind a contact tracing app produced by the government?  Initial reports are that 1.1 million Australians downloaded the app within the first 12 hours after it was released. Ultimately, whether or not widespread uptake occurs may depend on whether the incentive of having other restrictions lifted sooner will outweigh concerns in relation to privacy and the intrusion of government.

The Commonwealth will need to go to great lengths to allay those concerns and encourage Australians to sign up.

The CEO of the Cyber Security Cooperative Research Centre, Rachael Falk, after testing the app has indicated that she would download it.  Indeed according to her tweet on Twitter, she downloaded it almost immediately after it became available. Various other tech and health professionals have also come out in support of the app.  However, some members of the tech community and privacy and civil liberties advocates have been vocal in their opposition, and notably, some members of the government have themselves stated they will not download the app, citing privacy concerns.

The government will certainly need, as a minimum, to address dissent within its own ranks, and provide a cogent and reasoned response to privacy and civil liberties concerns, which should involve a combination of a comprehensive framework and a meaningful public information campaign, showing members of public what (i.e. how little) personal information is being captured, and the limited circumstances and purposes for which it can be disclosed and used, in order to give the app the best chance of wide adoption.

Australians are also generally comfortable sharing their personal information and data with tech companies – many already allow Apple and Google access to their location data.  As such, it will also be fascinating to see whether Apple and Google’s solution enjoys a greater uptake than the Commonwealth’s app.  In an environment where members of the public share far more personal information with private enterprise in the hope of a few “likes” or in return for a discount or other small incentive, it is hoped that the Australian public considers the payback from contact tracing to outweigh the sharing of minimal information about their movements and contacts with health authorities.

The writers of this update have also downloaded and activated the app on their own mobile phones, in the hope that this will assist in the eventual eradication or control of COVID-19 in Australia.

Stay tuned…

For details of all our COVID-19 tips and updates, visit the Gadens COVID-19 Hub.

Authored by:

Antoine Pace, Partner
Gabe Abfalter, Associate

[1] Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020