The Australian Government has announced its intention to roll out an app which alerts you to possible contact with anyone who has (a) installed the same app and (b) been diagnosed with COVID-19.
The app is to be based on a new framework being developed by tech titans Google and Apple, some technical documentation for which has just been made available.
This is intended to be a discussion of the human rights implications of the app rather than the technicalities, but briefly speaking it will use Bluetooth Low Energy Beacon technology built into most recent smartphones to exchange code between phones which come into proximity. The data will be encrypted and stored only on people’s phones temporarily, unless they are diagnosed with COVID-19 and have their data uploaded to a central database.
Australians are likely to have several questions about such an app, which potentially poses a number of human rights concerns, including with respect to privacy and misuse of information. Apple and Google’s documentation describes their solution as ‘privacy preserving’, and indeed for most users it promises to be just that, but the devil will be in the detail of implementation by the Government.
Where did the idea for the app come from?
The Singapore Government rolled out an app called TraceTogether (based on a home-grown version of the Apple/Google framework) last month which is the inspiration behind the current proposal. Although it has been considered successful from both technical and public response viewpoints, its penetration has been estimated at around 20%. In addition, the TraceTogether website is somewhat equivocal on whether citizens will be compelled to upload their data to a central government database once diagnosed with COVID-19.
On a more positive note, the Singapore Government is making the code behind its app open source, which should be considered best practice from an accountability perspective. Israel has also gone down this path. It remains to be seen whether the Australian Government will do likewise.
Is it likely to put my rights at risk?
One of the initial questions Australians are likely to have about an app such as this is whether it enables the Government to track your location. The way it operates in Singapore, it does not. However, Android (as opposed to iOS) users need to be aware that it will ask for permission to access the location of your phone anyway, due to a Google policy decision to bundle Bluetooth and Location permissions.
One of the greatest concerns with an app like this is that it may enable tracking beyond the scope of the current crisis, for commercial and/or security purposes. As with other tools of interest to police and security agencies – the federal metadata retention regime comes to mind – there could be ‘mission creep’ to enable enforcement agencies to use uploaded data to examine your (real-world) social network. Updates to an app which many may keep installed after the current crisis could enable all kinds of extra capabilities.
De-anonymising data uploaded by those diagnosed with COVID-19 is also a possibility, although for technical reasons that is likely to be a difficult endeavour with the particular framework Apple and Google have in mind. Be that as it may, it is worth considering what those with the technical capabilities and ill intent may stand to gain from such an endeavour. If there is a potential commercial or political payoff, someone is sure to attempt it. Note that the Singapore version of the app also collects anonymised analytics data, which presents another risk factor.
Does the Government have a duty to protect my rights in developing this app? What about Google and Apple?
In terms of human rights law, the Australian Government should be considering two human rights foremost: the right to privacy and the right to health. Freedoms of movement and association may also come into play. To be clear, such rights may legally be limited, including for public health reasons. However, such limitations must be reasonable and proportionate to the public health aim to be achieved.
In South Korea the government is harvesting a range of location data (including phone broadcasts and logs, credit card records and CCTV) to map and publish the movements of COVID-19 carriers. There has been a lively debate in the region as to whether this strikes the right balance between the protection of health and privacy rights, given the potentially life-altering effects of involuntary publication of a person’s whereabouts.
The biggest threat of such a monitoring regime is to the right to privacy, which is protected under article 17 of the International Covenant on Civil and Political Rights. Australia has been party to this treaty since 1980. International jurisprudence on the right to privacy has been evolving rapidly – particularly in Europe with the advent of the General Data Protection Regulation (like the federal Privacy Act 1988 on steroids). Broadly speaking, the current state of the law both in Europe and in Australia is that data protection rules still apply, but that information critical to protecting public health can be shared on a ‘need-to-know’ basis. More specifically, governments are still required to be transparent about what they are collecting and why, and they must make every effort to maintain confidentiality of sensitive information.
Do Apple and Google have human rights obligations as well?
Businesses such as Apple and Google have a responsibility under international law to respect human rights in developing products and services. Governments, on the other hand, have concrete legal obligations, including a supervisory obligation to ensure that corporations live up to their human rights responsibilities. As such, it will ultimately be up to the Australian Government to check that the human rights implications of this tracing mechanism have been adequately considered and mitigated.
The Parliamentary Joint Committee on Human Rights would normally consider the legislation passed to support the tracing mechanism and provide a report on its compatibility with Australia’s human rights obligations. For the moment, the PJCHR is continuing its work remotely, but given the Prime Minister’s preferred timeframe of 2 weeks to roll out an app, there is likely to be insufficient time for such formal processes.
Rather, it will likely be up to public servants such as the Human Rights Unit in the Attorney-General’s Department to perform the relevant compatibility/proportionality analysis before the rollout.
So should I opt in?
Unlike the metadata regimes and other surveillance tools, this regime is envisaged to be introduced on an opt-in basis. However, we should be mindful that other comparable Government tools such as My Health Record were also opt-in initially, before moving to an opt-out approach (and we all remember how well that went). The Government has very little time to build public trust so that the rollout of this tracing app does not suffer a similar fate.
Usually, my advice is to be cautious of rights-restrictive measures taken by the Australian Government (or technology companies, for that matter). There has been a consistent pattern in recent years of regimes introduced to manage or surveil various populations without adequate safeguards. However, given the life-saving potential of this tool, and the need for at least 40% of us to opt in for it to be effective (some say closer to 75%), I think it might be worth giving the Government the benefit of the doubt on this one. Contact tracing will become an increasingly important preventive measure when restrictions ease and physical interactions increase.
In addition, privacy has clearly been prominent in Apple and Google’s considerations in designing the framework. If these bitter rivals can come together in a crisis, we should at least give their efforts due consideration.
Only you can decide whether to opt in, but hopefully the information presented here, and further details available via the links throughout, will help you to make that decision.