Transparency key to uptake of coronavirus tracing app

Transparency key to uptake of coronavirus tracing app

Australians are being asked to trade their privacy to help protect us all in an unprecedented health crisis, but transparency will be crucial to adoption rates of the new COVIDSafe app RMIT experts say.

1220355357

The Australian Government’s new coronavirus tracing app COVIDSafe allows users to be notified of possible contact with anyone who has downloaded the app and been diagnosed with coronavirus.

Using Bluetooth ‘beacon’ technology to exchange code between phones which come into proximity, the data is encrypted and stored on people’s phones temporarily, unless they are diagnosed with the virus.

In this case, they would need to agree and upload the data before it could be accessed by the relevant health authorities.

Privacy and cyber security

Director of the Centre for Cyber Security Research Professor Matthew Warren said transparency about privacy and cyber security was key to the app’s successful adoption.

“The forthcoming challenge for the Australian government is to be open and transparent about the app’s privacy implications,” he said.

The government has released the privacy impact analysis statement but have stated that the source code behind the app will be released within two weeks for independent analysis.

“The government should also be clear on what the process will be when new versions of the app are released.”

He said the public deserved to be fully informed about the cyber security implications.

“It’s essential to see transparency around encryption methods used by the app, the potential blue tooth vulnerabilities related to the collection of data, and how access to the data by state and territory health officers will be audited," Warren said.

 

Simmel pen Alternatives such as the Simmel pen-like tracing token preserve user privacy

Data collection and storage

Research assistant at the Block Chain Innovation Hub Kelsie Nabben warned that the significant uptick in digital tools as a policy response to address the public health crisis was not being matched by suitable policy clauses or technology design to serve the interests of Australian citizens.

"The concern is how data is collected, stored and deleted," she said.

“While public-health and safety amidst the health crisis is imperative, the data rights and privacy policy responses are critical, now, and after the crisis."

She said there were a number of privacy concerns with the Australian Government's COVIDSafe application. 

"The code is not publicly available and open-source data is stored on private, cloud-based web servers, which provides a honey-pot for cyber-attacks on this highly sensitive information about the population.

“The design, implementation and adoption of complex socio-technical systems must be driven by the interests of users, in this case, the Australian community.”

She said there were better options that were decentralised, open-source, privacy-preserving digital contact tracing solutions.

"There are alternative hardware options that preserve user privacy such as watch-based or pen-like tracing tokens that you hand in if diagnosed.

"We want to unlink tracing data from other personal identifiers.”

Human rights implications

Human rights law expert in the Graduate School of Business and Law Dr Adam Fletcher said some Australians were likely to have questions about the implications for privacy and other human rights of the tracking mechanism.

The app is based on Singapore’s TraceTogether software, with that app and the Bluetooth-based framework behind it appearing to have been developed with privacy considerations in mind, according to Fletcher.

“Even though the Government has not yet released the source code as promised, early assessments of the code by developers who have decompiled the Android version of the app bear out the privacy promises made by the Government,” he said.

“However, the safe handling of any data eventually uploaded cannot yet be assessed."

He noted the government had a mixed track record on data privacy when it came to previous examples such as Centrelink, medical records and census data.  

“It also has a history of 'mission creep' regarding tracking mechanisms such as the metadata retention regime, where it allowed citizen’s data to be accessed by all sorts of law enforcement mechanisms, contrary to initial intentions.

 

Story by: Diana Robertson

Share

  • Society
  • Legal & justice

Related News

Subscribe to RMIT NewsSubscribe
aboriginal flag
torres strait flag

Acknowledgement of Country

RMIT University acknowledges the people of the Woi wurrung and Boon wurrung language groups of the eastern Kulin Nation on whose unceded lands we conduct the business of the University. RMIT University respectfully acknowledges their Ancestors and Elders, past and present. RMIT also acknowledges the Traditional Custodians and their Ancestors of the lands and waters across Australia where we conduct our business.