COVID-19 Contact Tracing App – Are the Risks Worth It for Recovery?
The COVIDSafe app was launched in Australia on 26 April 2020 with one million downloads in the first 24 hours. By the end of the first week, over four million people had downloaded the app, about 16 percent of the population, but a long way to go to achieve the 40 percent take-up target. The COVIDSafe app is considered by Australia’s Chief Medical Officer and the Government as a key tool to expedite contact tracing to enable Australia to return to a level of normalcy more quickly. Privacy has been a central consideration in the development of the app and the COVIDSafe Bill, to be introduced in Parliament next week, enshrines that it is voluntary and no one will be forced to download the app.
While Australia and New Zealand have both successfully flattened the COVID-19 curve, the approaches of each country have somewhat differed, both in relation to the level of restrictions, as well as the role of contact tracing technology. Australia and New Zealand stand alongside Germany, South Korea and Singapore as examples of countries that followed the advice of their scientists and moved into lockdown in a timely way to limit the spread of the virus. Australia, similar to other countries, experienced a doubling of COVID-19 positive people every two days. However, the prompt lockdowns, social distancing measures, high rate of testing and manual contact tracing have together enabled the containment of the coronavirus in Australia and New Zealand.
COVID-19 Safe App
The COVIDSafe app follows the approach of Singapore’s TraceTogether software, which records the Bluetooth® connections a phone makes with others. Australians are asked to provide a name (which can be a pseudonym), a contact phone number, a postcode and an age range. The app logs every user who has been within 1.5 metres of each other by using Bluetooth technology to record digital handshakes with other phones. If any users test positive for COVID-19, they have the option of uploading the encrypted data on their device to the National COVIDSafe data store.
The Health Minister issued a Determination under the Biosecurity Act to protect people’s privacy and restrict access to information obtained from the app. The Determination enables State and Territory health authorities to access the information solely for contact tracing, but only with the explicit consent of the user. The only other access is by the COVIDSafe Administrator, including deletion of registration information at the user’s request.
On 5 May 2020, the Australian Government released the draft Privacy Amendment (Public Health Contact Information) Bill 2020, referred to as the COVIDSafe Bill, which is expected to be introduced in Parliament during the week of 11 May 2020.
The COVIDSafe Bill enshrines privacy protections contained in the Health Minister’s Determination under the Biosecurity Act 2015. Breaching the requirements of the legislation will be a criminal offence, a breach of the Privacy Act 1988, or both. The COVIDSafe Bill protects the app as being voluntary and that no one can be forced to download or use COVIDSafe or upload its data to the National COVIDSafe data store. The Bill makes it a criminal offence, punishable by up to five years in prison, to misuse the data or pass it on without the explicit permission of the user after contracting COVID-19. Data will be deleted every 21 days and the administrator of the National COVIDSafe data store will delete users’ registration data upon request. The legislation provides there will be a process put in place for COVIDSafe data to be deleted at the end of the COVID-19 pandemic and users to be notified accordingly.
Over Collection of Data
Privacy academics Professor Graham Greenleaf and Dr. Katharine Kemp have stated that ‘[a] crucial problem with the bill is it allows the government to collect much more personal data than is necessary for contact tracing.’ They refer to the PIA of COVIDSafe and point out that the app collects data about ‘all other users who came within Bluetooth signal range even for a minute within the preceding 21 days.’ As Greenleaf and Kemp point out, the data collected should be minimised to that which is necessary and technically possible.
The data collected by the COVIDSafe app is to be stored in Canberra in the National COVIDSafe data store. After it emerged that the government contract for storage of the COVIDSafe data was awarded to U.S. tech giant Amazon Web Services (AWS), concerns about access to the data by the U.S. government were raised, given the extraterritorial reach of the U.S. CLOUD Act 2018. In response to the concerns, Health Minister Greg Hunt stated that he has received advice from Attorney-General Christian Porter’s office that protections under Australia’s Biosecurity Act 2015 would prevail over the CLOUD Act.
Cybersecurity concerns have focused on the risks around a National COVIDSafe data store, as well as cybercrimes. The Australian Cyber Security Centre reports that since 10 March 2020, there have been more than 1,000 related COVID-19 scams reported to the Australian Competition and Consumer Commission (ACCC), 95 cybercrime reports related to COVID-19 themed scams and online frauds, 20 cybersecurity incidents affecting COVID-19 response services and/or major national suppliers, and over 150 malicious COVID-19 theme websites.
Prior to the release of the COVIDSafe app, it was independently reviewed by the Cyber Security Cooperative Research Centre and Data 61 with a team of cyber experts. The Government also said it will release the app’s source code, and while it has yet to do so, it will be a further demonstration of transparency and enable further scrutiny.
Differences in Australian and New Zealand Approaches
While Australia embarked on a suppression strategy of COVID-19, New Zealand implemented a higher level of lockdown restrictions pursuant to the COVID-19 Response (Urgent Management Measures) Legislation Act 2020, with the objective of eliminating COVID-19. Australia has one of the highest levels of testing per capita globally and has experienced a 1.4 percent mortality rate, which is the same New Zealand’s mortality rate. (Singapore’s mortality rate is .1 percent, which is in contrast to the United Kingdom’s 14.9 percent rate and the 6 percent rate in the United States, according to John Hopkins University & Medicine Coronavirus Resource Center – Cases and mortality by country chart as at 7 May 2020.)
New Zealand’s government, led by Prime Minister Jacinda Ardern, implemented COVID-19 Alert System Level 4 – Lockdown restrictions to eliminate the virus. New Zealand had 1,121 confirmed cases and 18 deaths by 26 April 2020 and only four new cases were reported on the preceding day. New Zealand’s approach required all nonessential services to be shut down, so basically only supermarkets and pharmacies remained open. This was significantly more restrictive than Australia’s lockdown, which enabled cafes and restaurants to continue to provide take-away services and other retail outlets to remain open.
While Australia’s strategy was suppression, the extent of containing the pandemic before the COVID-19 Safe app launched was impressive. There were 6,710 reported cases and 83 COVID-19 deaths in Australia. In the preceding six days leading up to the app’s launch on 26 April 2020, there were only between eight and 22 people testing positive across the entire country.
While the focus on technology to assist in contact tracing is a key plank for the Australian Government to enable the continuing containment of the virus, the New Zealand approach places less importance on the role of technology in contact tracing. On 19 April 2020, Prime Minister Ardern said in a COVID-19 media update:
“An app will only ever supplement the work that we have to do for contact tracing. And, again, most countries who have an app like this will highlight that you have to have the foundation of people and a people-centred network of contact tracers.”
The Prime Minister also asked New Zealanders to keep a diary of their daily movements to help with contact tracing, explaining:
“If you imagine, even asking someone six days later to account every movement over a period of time, it’s an incredibly hard task. So, I would ask New Zealanders to have new practices, new things that they do at the end of the day.
“The better that we are able to do … the sooner we can move through and down the alert levels and the sooner life feels more normal.”
While the shutdown was very effective in New Zealand for containing the spread of COVID-19, Level 4 restrictions were reduced to Level 3 restrictions on 27 April 2020. This coincided with increasing concerns about the very serious economic challenges that were mounting, including a group of academics who launched a campaign called ‘Plan B’, arguing the Level 4 measures were too strict and would create more serious problems. On 7 May 2020, Prime Minister Ardern set out Level 2 rules, with the Cabinet to make a decision on reducing the level of restrictions on 11 May 2020.
The Singapore experience shows that while the virus can be suppressed, there can be cluster outbreaks, such as those that have occurred in Singapore’s migrant worker dormitories. Cluster outbreaks in New South Wales in aged care homes, a regional hospital in Tasmania and a meat abattoir in regional Victoria similarly highlight the significant challenges that are continually being reported and could last for up to two years. However, the Australian suppression strategy – with social distancing, allowing cafes and restaurants to do take-away, and allowing retail shops and hairdressers to remain open – has enabled Australia to still achieve suppression and possibly elimination all before the COVIDSafe app was available.
At the launch of the COVIDSafe app, Health Minister Greg Hunt explained that the contact tracing app was one of three keys for Australia’s recovery from the pandemic. The other two were to expand testing capacity to people who are asymptomatic and to increase rapid response capability as occurred for the outbreak in a regional Tasmanian hospital to contain outbreaks.
The continuing concerns around privacy and cybersecurity safeguards will need to be addressed by the Australian Government. Transparency and continuing public discussion highlighting risks and privacy safeguards are more likely to enable voluntary take up of the COVIDSafe app to achieve the 40 percent of population target, which is around the 15 million user mark. The release of the source code and further tightening of the COVIDSafe Bill to restrict the data being collected and decrypted to only what is necessary will provide further protections to Australian citizens.
It is clear that contact tracing is key to containing the expected continuing outbreaks and will assist in returning to a post COVID-19 ‘new normal’ world. There is no doubt that technology will provide a faster and more efficient way of finding and containing fast spreading COVID-19 cluster outbreaks than asking people to keep a record of all their movements. The role of contact tracing technology, particularly given that the pandemic is being predicted to be with us in one form or another for up to two years, will be crucial in managing the pandemic.
The key is for governments to ensure that all identified privacy and cyber risks are mitigated and minimised. It would be significantly good outcome for citizens where the use of technology for the collection of personal data resulted in a return to relative normalcy and where rights to privacy are preserved and where we do not end up a step closer to living in a surveillance state. While we as citizens have demonstrated we can live with restrictions on our movements and can continue to social distance without technology surveillance, we need government to demonstrate it can be trusted with our personal information.
Susan Bennett (LLM(Hons), MBA, FGIA, CIPP/E) is the Founder and Executive Director, Information Governance ANZ and Principal, Sibenco Legal & Advisory