INSIGHT

Trace but don't track – Australia's approach to digital contact tracing

By Gavin Smith, Phil O'Sullivan, Claudia Hall
In brief

The Federal Government has flagged that Australia's baseline 'social distancing' restrictions may be eased more quickly if, among other things, at least 40% of Australians download and use a new voluntary digital contact tracing app, 'COVIDSafe'. The announcement has sparked significant debate over a perceived tension between achieving swift health and positive economic outcomes on the one hand, and allaying concerns about longer-term privacy impacts on the other. The independent Cyber Security Cooperative Research Centre has reported there is 'nothing particularly disturbing' about the app. But full details of how COVIDSafe will work have not yet been released and the Government has a substantial task to encourage sufficient uptake.

The Government is being careful to position COVIDSafe as an extension to the manual contact tracing processes currently being undertaken by public health authorities, not a digital replacement of them. It has presented a transparent quid pro quo: widespread use of the app and the provision of your personal information and details of your contacts is one of three critical steps to a faster easing of current lockdown measures.

Following our earlier Insight, Using tech and data in a crisis – contact tracing, this Insight provides an overview of the centralised approach that underpins COVIDSafe, including key considerations regarding consent from individuals and the Government's right to use (and continue to use) data obtained through COVIDSafe.

Key takeaways

  • COVIDSafe is expected to ask for users' names, a date range for age, a postcode and a mobile phone number. It is not currently proposed that location data (beyond postcode data) will be collected, used or disclosed by the COVIDSafe app.
  • COVIDSafe is based on the source code of Singapore's 'TraceTogether' application. It remains to be seen precisely which approach the Government adopts, but if COVIDSafe follows the same model as TraceTogether, it will likely involve a hybrid-centralised model. This means that devices which have installed COVIDSafe will share unique temporary IDs with one another (which will be encrypted and stored on the individual's phone). If an individual is confirmed to have COVID-19, they will be asked to disclose the app's encrypted data logs to state and territory health officials, at which point the logs will be decrypted to provide names and phone numbers of other users with whom the individual has come into close contact.
  • This centralised approach differs from the more decentralised and privacy-centric approach being pursued in other jurisdictions such as the UK and EU, and separately by Apple and Google. These approaches are not predicated on the disclosure of Bluetooth interaction information to government (including public health) agencies.
  • With COVIDSafe being positioned as a voluntary, opt-in model, the parameters of the consent sought from individuals need to be carefully managed and clearly delineated. However, if the ~40% population uptake target is not met, it is possible that the Government may consider alternative approaches.
  • The immediate task for the Australian Government is to provide a clear and compelling case to the public to encourage individuals to download and use COVIDSafe and, in doing so, to allay concerns that the privacy of individuals might be compromised. To do that, it will need to clearly state the manner in which the data will be used, by whom, for how long and what will then happen to the data as the country emerges from the current crisis. Equally as important, the Australian Government will also need to clearly explain how the data will not be permitted to be used and be clear about those agencies which will not be able to gain access to the data.

How will the COVIDSafe app work?

TraceTogether origins

The Australian Government has indicated that it will utilise a new digital contact tracing application based on the source code for Singapore's TraceTogether application. As flagged in our earlier Insight, Using tech and data in a crisis – contact tracing, the TraceTogether application is a voluntary (opt-in) app, which, using Bluetooth, automatically logs (in an encrypted manner on the user's phone) a user's proximity to other users (and the duration of such proximity) where certain parameters are met, through the use of randomly generated temporary IDs. If a user tests positive for COVID-19, the Singaporean Government receives an encrypted list of the temporary IDs the individual has had contact with, which can be decrypted, enabling the Singaporean Government to directly contact relevant individuals.

It is unclear exactly how similar the Australian COVIDSafe application will be. In Australia, the Government Services Minister has stated that the app will connect the name and phone number of people who have, for more than 15 minutes, been within 1.5 metres of a person who has tested positive, and will make that information available to state and territory health officials. We are likely to have answers to this soon, as it has been reported that the Government will release both the source code of COVIDSafe and a Privacy Impact Assessment. At this stage, it is unclear why the Government considers that it may be necessary to release source code (as opposed to a detailed description of the data flows), as this step appears on face value to create unnecessary security risk.

Centralised vs decentralised models

The fact that the TraceTogether app ultimately centralises contact data to a government repository has been criticised by a number of parties on privacy grounds. Critics argue that the potentially detrimental privacy impacts of the centralised model are not sufficiently justified by claims that the model provides a more immediate and direct public health benefit.

This centralised approach contrasts with approaches taken in other jurisdictions such as the UK and the EU, and the proposed capabilities being independently developed by Apple and Google, each of which relies on a decentralised model where each individual's version of the app (if an app is to be used) itself generates and stores encrypted temporary IDs of devices it has come into contact with. Where an individual tests positive for COVID-19 and logs that information in their app, the individual's record of temporary IDs is disclosed to relevant users, and can be locally matched by other users' apps, without disclosure of any contact information to a centralised source such as the Government and without individuals being aware of the identity of the COVID-19 infected individual they have come into close contact with.
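To make the difference between the two models concrete, the following constructed simulation (added here; it is not code from COVIDSafe, TraceTogether or any of the projects discussed) models who learns what in each case. It assumes the 'more than 15 minutes' close-contact threshold quoted above, represents the authority's temporary-ID registry as an in-memory dictionary, and uses made-up names and phone numbers.

```python
import secrets

CLOSE_CONTACT_MINUTES = 15  # "more than 15 minutes" threshold described by the Minister


class CentralAuthority:
    """Centralised (TraceTogether-style) model: the authority issues the temporary IDs
    and keeps the mapping back to identity, so an uploaded encounter log can be
    resolved to the names and phone numbers of the people the uploader was near."""

    def __init__(self):
        self.registry = {}  # temp_id -> (name, phone); stand-in for the server database

    def issue_temp_id(self, name, phone):
        tid = secrets.token_hex(8)  # random; meaningless to anyone without the registry
        self.registry[tid] = (name, phone)
        return tid

    def resolve_upload(self, uploader, encounter_log):
        """encounter_log: list of (peer_temp_id, minutes) taken from the infected user's
        phone. Returns what the authority now knows: uploader identity plus close contacts."""
        contacts = sorted({self.registry[tid] for tid, mins in encounter_log
                           if tid in self.registry and mins > CLOSE_CONTACT_MINUTES})
        return {"infected": uploader, "close_contacts": contacts}


def decentralised_match(published_ids, encounter_log):
    """Decentralised model: the infected user publishes only their own temp IDs; every
    other device checks locally whether any of them appear in its own log for long
    enough. Nothing about the matching device ever leaves that phone."""
    return any(tid in published_ids and mins > CLOSE_CONTACT_MINUTES
               for tid, mins in encounter_log)


def run_scenario():
    """Constructed scenario: Alice tests positive; Bob was near her for 20 minutes,
    Carol for 5 minutes, Dave never. Returns what each party learns under each model."""
    people = {"Alice": "0400 000 001", "Bob": "0400 000 002", "Carol": "0400 000 003"}
    # --- centralised: IDs issued by the authority, log resolved server-side ---
    authority = CentralAuthority()
    ids = {name: authority.issue_temp_id(name, phone) for name, phone in people.items()}
    alice_log = [(ids["Bob"], 20), (ids["Carol"], 5)]
    central = authority.resolve_upload(("Alice", people["Alice"]), alice_log)
    # --- decentralised: IDs generated on-device, matching done on each phone ---
    own = {name: secrets.token_hex(8) for name in people}
    published = {own["Alice"]}  # the only thing any server ever receives
    logs = {"Bob": [(own["Alice"], 20)], "Carol": [(own["Alice"], 5)], "Dave": []}
    alerts = {name: decentralised_match(published, log) for name, log in logs.items()}
    return {"centralised_authority_learns": central,
            "decentralised_server_learns": published,  # opaque IDs, no identity or contacts
            "decentralised_alerts": alerts}
```

In the centralised run the authority ends up holding Bob's name and phone number; in the decentralised run the server holds only Alice's random identifiers, and Bob's phone decides for itself that it was exposed.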

Importantly, a key difference between a centralised and decentralised approach to digital contact tracing is the direct involvement of public health authorities in the centralised contact tracing process. This means that the centralised approach to digital contact tracing could replace and/or supplement elements of manual contact tracing currently being undertaken by public health authorities today, rather than just operating in parallel. This is likely to have been a key factor in why the Australian Government has favoured a centralised approach.

Separately, the API and software updates which Apple and Google are to release from mid-May will permit applications to run Bluetooth in the background of the device (as opposed to only when the relevant application is open), but in exchange will strictly limit the information which public health authorities can gather through apps in order to minimise the risk of surveillance, requiring that data be stored on users' devices rather than on a central server. Apple and Google have also clarified that they will sunset the relevant technology at the end of the pandemic, although what will constitute this 'end' is not yet clear. Similarly, the European Commission's 'common EU toolbox' for contact tracing apps states that essential requirements are that any contact tracing app should not enable tracking of people's locations and should be based on anonymised data.

Key privacy considerations

Consent

The Australian Government has stated that download and use of COVIDSafe will be strictly voluntary – this means that individual consent and participation will be key to the process achieving critical mass. With the Government indicating a minimum uptake measure of at least 40% of the Australian population, it is targeting a considerably higher take-up rate than the reported 20% rate of the TraceTogether app in Singapore.

Key components of 'consent' under the Privacy Act 1988 (Cth) are that individuals are adequately informed before giving consent, and that such consent is voluntary. A lack of detailed information provided by the Government as to exactly how COVIDSafe will work and how information will be handled by the Government and other parties and for how long, combined with public mistrust and a potential fear of data breaches, may adversely impact individual uptake.

If the Government introduces new laws to limit broader use by it of information collected through the COVIDSafe app, this may assist with individual uptake. However, success in such approaches is not automatic and cannot be assumed. A decade (and around $2 billion) spent on the My Health Record system, including introducing specific laws on use of My Health Record data and moving it to an opt-out model in 2018, has only resulted in claims of millions of 'empty records' and significant underuse across the healthcare system.

Further, while individuals will need to provide their consent to:

  • initially download COVIDSafe; and
  • upload the logs from COVIDSafe where they have tested positive to COVID-19,

it will be important that individuals understand that no additional consent will be required from a non-infected app user who has come into contact with an infected app user before they are contacted by public health authorities and information about their risk of infection is generated by the public health authority.

It is unclear whether individual users will be able to black-out or remove certain interactions which may be particularly sensitive (ie to choose a particular area, or a particular period of time, for which their device should not broadcast temporary IDs). Doing so would be a more 'consumer controlled' model, but there are clear and obvious public health drawbacks in allowing this. By contrast, a manual contact tracing process largely relies on individual memory, so at present it is entirely possible that individuals elect to withhold certain interactions or information which they consider sensitive or otherwise do not want to disclose to public health authorities.

The exchange for a faster lifting of restrictions if there is sufficient uptake of the app will be that individual app users may come to the attention of public health authorities where manual contact tracing processes may not have found them. There is a public benefit to this, but the process relies on enough individuals in the population accepting the bargain.

Sensitive information collection

If the COVIDSafe app follows a similar model to TraceTogether, then the Government's ability to link an individual user's name and phone number to a potential exposure to COVID-19 will constitute sensitive and health information about that individual for the purposes of the Privacy Act, as information or an opinion about the health, including an illness, of that individual. Where such information is disclosed to public health authorities, it is even more likely that this information will constitute health information, as it may be linked to other personal or health information held by or available to authorities.

Under the Privacy Act (and corresponding legislation in states and territories that applies to public health authorities), many of the restrictions on collection, use and disclosure of personal information (including sensitive information) can be navigated by obtaining a relevant individual's consent to such collection, use or disclosure. If, as the Government has indicated, the scope of consent being sought is simply what is necessary to enable a digital extension of the current manual contact tracing efforts, a sufficient volume of individuals may be willing to provide this consent. However, the further the scope of the consent moves from immediate public health action required to directly respond to COVID-19, the more likely it is there will be a corresponding reduction in uptake levels for COVIDSafe.

Key issues impacting the scope of consent include:

  • the initial download and installation of the app, including:
    • the scope of data which the app is entitled to collect and store about users;
    • details of what information may be disclosed to the Government if another user you come into contact with is confirmed to have COVID-19;
    • details of what information the Government is entitled to collect and store about users, including the time period for which such information will be retained and which government entities will be entitled to gain access, and whether data will be deleted or de-identified when no longer required; and
  • when an individual is confirmed to have COVID-19, the scope of data which will be disclosed to public health authorities as part of the app's log, the entities to which such data may be further disclosed (ie law enforcement, or other health authorities or entities), and whether the app will continue to log (and disclose) contact data after the initial transfer.

The answers to these questions are not yet clear and will need to be considered carefully when the Privacy Impact Assessment, and the terms of use, for the COVIDSafe application are released. The Government has indicated that it will introduce legislation to prevent both public safety and intelligence agencies using legislative powers to access data obtained through the COVIDSafe app and use of such data for research or other policy purposes. If and when enacted, this legislation would address some of these questions and provide assurance to the public on the handling of their information.

Key considerations if consent is not front and centre

While the Government has clarified that it intends to rely on a wholly voluntary model, if the scope of intended use cases or potential disclosure broadens, or there is not sufficient uptake of the COVIDSafe application, it remains possible that the Government may turn to alternative approaches to pursue digital contact tracing. We have outlined some potential alternative approaches below.

Serious threat to health or safety

One approach the Government could take is to rely on a permitted general situation under the Privacy Act, if it reasonably believes that the collection, use and disclosure of personal and health information of individuals for contact tracing is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or public health and safety (and it is unreasonable or impracticable to obtain the relevant individual's consent to such collection, use or disclosure).

COVID-19, as a pandemic, clearly currently constitutes a serious threat to the health of individuals and to public health. However, as the Government currently intends to rely on an application to conduct the digital contact tracing, it is not clearly unreasonable or impracticable to obtain individuals' consent (as any such consent could be obtained at the time, and as part of, the individual downloading the relevant app). The Government could, however, seek to argue that obtaining consent is impracticable given the urgency of the situation, and the large number of individuals whose consent is required before contact tracing will be effective (if the ~40% uptake threshold was not met).

Further, the scope of information which the Government collects would need to be necessary to lessen or prevent the threat of COVID-19. As described above, where other jurisdictions are seeking to rely on a decentralised application, which would not involve public health authorities' collection or use of personal information, it may be difficult to demonstrate that the collection of individuals' personal information by the Australian Government in such circumstances is necessary to address this threat.

Enforcement

Further, if the Government intended to use information obtained through the COVIDSafe app for law enforcement purposes (public health orders, social distancing measures or otherwise), it would be open to the Government to argue that it:

  • has reason to suspect that unlawful activity or serious misconduct has or may be engaged in; and
  • reasonably believes that collection of such health information is necessary to take appropriate action in relation to the matter.

Surveillance law considerations

While the proposed scope of the COVIDSafe app does not currently contemplate location data, to the extent that any future iteration of the app, or any data generated through the app, does involve location data, state and territory surveillance legislation in NSW, WA and the NT will also need to be carefully considered, and the Government may need to ensure that the consent obtained from individuals covers the determination of their location (and the location of the device on which COVIDSafe is installed).

Access to telecommunications data

A further alternative would be for government agencies to seek access to telecommunications data of users from carriers and carriage service providers under the existing authorisation regime in Division 4 of the Telecommunications (Interception and Access) Act 1979 (Cth). This avenue has not yet been publicly canvassed, and it is likely that the Government would not make public pronouncements about such action.

What happens next

While there is a clear public health justification in trying to expand and improve the digital contact tracing capabilities of public health authorities to address the COVID-19 pandemic, it is not necessarily the case that this can only occur at significant detriment to the privacy of individuals. Appropriate privacy protections can be implemented, even during a pandemic.

In making the case for download and use of COVIDSafe, the Government will need to outline in a transparent manner:

  • the precise scope of personal information it is seeking to collect and use;
  • the extent to which this information may be used for purposes other than digital contact tracing (if any);
  • how such information will be held and secured;
  • which government bodies will, and will not, have access to the data;
  • any third party (public or private sector) access that will occur;
  • the criteria which must be satisfied for the end of the threat of COVID-19, and how the COVIDSafe app, and all data collected in connection with it, will then be deleted or appropriately de-identified at such point; and
  • an assurance that the limits set out above will not be relaxed or changed in the future.

Given the history of the high-profile My Health Record rollout and the Robodebt incidents, it will be important for the Government to adopt a careful, transparent and privacy-protective approach if it is to reach its targeted ~40% uptake of COVIDSafe.

In our next Insight, we will have more to say about the deletion or de-identification of data that should occur when the pandemic is over.