Parliament Updates

Over the last several weeks, Australia has made significant progress flattening the COVID-19 curve.

While this success is not a cause to relax our vigilance, we have now been presented with a choice by the Federal Government. If we download the recently released ‘COVIDSafe’ app (the App) for our mobile phones in large numbers, we may be able to return to normal faster than if we just stick to our current restrictions alone.

What is it?

The App will make contact tracing by Health Officials more efficient through supporting virtual Bluetooth handshakes between our devices. This approach and technology have been deployed by several governments, including those of Singapore and South Korea. Medical professionals and associations like the Australian Medical Association have also endorsed this approach.

It is important to note that the App does not replace the manual process for contact tracing, it supplements the process. In the event that the App does identify you as a contact of a confirmed case, you will be contacted by the NSW Department of Health to discuss your whereabouts and the circumstances under which you may have come in contact with a confirmed case.

For more information on the App works as well as how it collects, stores, discloses and deletes data go to the privacy statement on the Department of Health website.

Key considerations

The App has presented a moral quandary for many individuals. Since the terrorist attacks on the World Trade Centres on September 11, 2001, data incursion has been pushed by Government in the name of national security, and with the advent of social media and smartphones, tech companies are using data in the name of profiteering. As a result, Australians have seen a gradual erosion of their privacy and a rise in their scepticism.

These developments have been against the backdrop of a steady decline of trust in Government caused in part by regular scandals, the rushing through of the metadata retention laws in 2015 and subsequent expansion of access under those laws, and the controversial ‘My Health Record’ service. Hence, many individuals are conflicted about downloading the App.

I strongly believe that it is important to make an informed decision. This is something we must all consider, balancing privacy concerns with the tracing benefit the App will bring if a sufficient number of Australians download it. In the absence of a vaccine, tracing capabilities are essential to ensure any possible infection outbreaks are quickly managed when restrictions start to be lifted.  

My team and I have gathered some of the advice and evidence. It is not exhaustive but I hope will assist many in making their choice. Regardless of your choice to download it or not, it is important to remember that this is not a silver bullet. This is simply another tool that will assist the health professionals in tracking possible contacts. It does not replace the need to be vigilant, to observe social distancing and hygiene measures.

Legal protections

In response to privacy concerns, the Government has enacted regulation under the biosecurity laws (the Determination). The Determination introduces controls on the retention of the data and several criminal offences for individuals - outside of the relevant State and Territory health officials - who attempt to access the data collected, attempt to decrypt the data, and coerce the use of the App. These could provide enough constraints on outside actors and those within other Government agencies from abusing the App.

The Government has obtained an independent Privacy Impact Assessment (PIA) which comprehensively assesses the Apps privacy risks and advises on how to address these. With fellow cross-benchers, I have received a briefing from Government and assurances that legislation implementing the recommendations of the Privacy Impact Assessment and Law Council of Australia concerns will be introduced at the next sitting of Parliament in May. In summary, the Government has committed to:

• Releasing the source code for the App
• Addressing all aspects of the PIA
• Introducing legislation that deals with the flaws identified by the Law Council of Australia on 12 May – the exposure draft was released on 5 May
• Data will be deleted after 21 days
• The servers will be hosted in Australia with the secure Amazon Web Services

On 5 May, the Government released an exposure draft of the Bill for amendments to the Privacy Act 1988 that would replace the Determination and provide for legislated protection to users of the App. The Bill addresses many of the concerns raised by the Privacy Impact Assessment and stakeholders including the Law Council of Australia. The Bill:

• Clarifies the role of the Privacy Commissioner and confer powers to the Commissioner in interactions with the states and territories
• Imposes specific obligations on the data administrator regarding deletion of data
• Prohibits secondary use and disclosure of data collected by the app and coercion of other persons to use the App.
• Prohibits creating and using ‘derivative data’ from data that has been collected by the app; and reverse engineering or re-identifying data that has been ‘de-identified

The Law Council of Australia continue to have concerns with the legislation, including:

• The legislation should prescribe minimum design specifications for the App and data store themselves
• That the App must operate on a strictly voluntary basis at all times with mechanisms for users to opt out
• Provisions requiring the Privacy Commissioner to inspect and certify that the data deletion obligations at the end of the App’s period of operation have been complied with;
• Periodic reporting obligations while the App is operational, with these reports tabled in Parliament; and
• Streamlined arrangements to manage the interaction of investigations by the Privacy Commissioner with law enforcement investigations of offences for breaching the prohibitions on the use of data, under which the Commissioner is not obliged to discontinue investigations.

Technical aspects

The App works by detecting other phones in the area with the App installed. It conducts a “handshake” with the other Apps around every minute. If there are 15 handshakes the contact is saved on the phone. If you are confirmed as a COVID-19 case, you will be asked for permission to access the contact list on your device. If you grant permission the Health official will use this data to assist contact tracing.

There are issues with the functionality of the App on Apple iPhones. The security settings built into the iPhone operating system prevent Bluetooth from conducting the handshake effectively when running in the background.

For the App to work effectively the iPhone needs to be unlocked and the App needs to be running in the foreground without too many other Bluetooth enabled apps running at the same time.

This is a common problem that all governments have faced in the development of similar tracing apps. The Government has said it is continuing to work with Apple to refine the solution to this problem.

I support the recent comments by Mike Cannon Brookes and other tech industry professionals in that we should understand that the App and supporting regulation has been commissioned as a matter of urgency, and therefore it will be imperfect at an early stage of release and consequently to give to Government time to rectify any issues.

On 8 May the Government released the source code for the App, this is an important step in building transparency of Government actions and enhancing the security and performance of the App.

What am I doing?

On balance, having assurances that the Government is making attempts to further bolster protections, I have downloaded the App. If the Government’s legislation does not adequately deliver on its assurances, I can reconsider my position.

Regardless of what you choose to do, remember that this is an aid, not a solution to the virus. The most important thing we can all do is maintain hygiene and social distancing measures, get tested if we have any health concern, and stay informed.

Summary of Pros and Cons of the App at this stage

Pros	Cons
The App may provide Government with greater confidence that it can open the economy sooner	The App will not prevent a new outbreak, it may speed up contact tracing reducing severity
Assists government with contact tracing efforts	May lead to complacency with social distancing measures
Reduces burden on you as an individual to remember all contacts you have had if you contract COVID-19	Questions about effectiveness of the App’s operation on iPhones
Government has issued the Biosecurity Determination which outlines and limits the ways the App can be used	Privacy may be violated in future if Government changes clauses of the Determination
Government has released an exposure draft of the legislation specifically addressing privacy concerns around use of the App	Law Council of Australia still have concerns regarding the privacy provisions of the legislation
The Government has released the source code for the App
Ultimately, the App can be deleted and your data erased if you develop concerns at a later date