The Federal Government’s coronavirus tracing app has raised some privacy concerns amongst the Australian public. Even some of our government Ministers have ruled out downloading the app due to such concerns! However, the independent cyber security body tasked with reviewing the app has said that it has found no major concerns with it.
It has been reported that the Cyber Security Cooperative Research Centre (Centre) was allowed to examine the app’s source code and architecture documents. The Centre’s CEO Rachael Falk noted that there was “not much” that was concerning about the app, and that the data obtained by the app is “not a big data set that’s particularly personal”. This includes a user’s phone number, name, postcode and an age range.
In another statement, Ms Falk emphasised that the data collected by the app will be stored on a user’s handset, unless they tested positive for COVID-19. In such cases, the user will be asked to download the log and send it to a central server where their local health authority could access it and “de-encrypt it”. According to Ms Falk, only health officials will be accessing the data for the purposes of calling users who have come into contact with a confirmed case. Prime Minister Scott Morrison recently confirmed this in a statement, in which he aimed to reassure the Australian public that no Commonwealth agency – including Centrelink and Home Affairs – would have access to user data.
The government needs to take this thinking further to consider whether there are other situations in which the information might be compelled to be released eg by court order in the investigation of a crime? In civil proceedings as part of the discovery process? To prove that individuals have been flouting lock-down orders? Absent any additional statutory prohibitions and protections, once data exists there are a range of processes by which it might be compelled to be produced. There is an opportunity to restrict this to only the most serious of circumstances if we are to quickly cut through the natural scepticism of security of data.