Australian governments need to demonstrate that any proposed contact tracing app is necessary, proportionate and voluntary with appropriate legal guarantees, says UNSW professor of law and information systems.
On 17 April Prime Minister Morrison said he would prefer a COVID-19 contact tracing app to be voluntary "to give Australians the go of getting it right". However, Deputy Chief Medical Officer Paul Kelly, asked what would happen if the government’s target of 40% take-up was not reached, admitted that "I think we start with voluntary and see how that goes".
By the next day, discontent from Coalition MPs caused the PM to state that use of the app would remain voluntary.
That is not the end of the story. Even if it is not made mandatory by law, it may be that government strategies will make its use compulsory in effect. ‘Use it or stay home’ is not the same as ‘voluntary’. Use of the proposed contact tracing app cannot be safely regarded as ‘voluntary’ until ‘pseudo-voluntary’ compliance is made illegal.
The Morrison Government is proposing to introduce a COVID-19 contact tracing (or ‘proximity tracking’) app for mobile phones, based to some extent on the Singapore Government’s TraceTogether app. Details are as yet unknown, as is whether the proposal will be put to the National Cabinet, the role of States and Territories, the views of Privacy Commissioners, and what legislation (if any) will guarantee privacy protections.
Shadow Attorney-General Mark Dreyfus has said the tracking app requires complete public confidence and trust concerning privacy, so Labor has not as yet committed to support the proposal. Nor should it, until we know much more.
The initial version of the contact tracing app is intended to be available from local health authorities (probably State and Territory) by mid-May. It is easy enough to understand, although some details are still guesswork.
Individuals can opt in to using it by sending their mobile number to the health authority. Once installed, a person’s phone sends out Bluetooth ‘beacons’ (which do not directly identify the phone), and receives them from other phones which are within the specified proximity (possibly within two metres, for at least 15 minutes).
Each phone records the IDs of other beacons within the specified proximity, and retains them for a period (probably 14 days). If a person with the app on their phone is tested positive for COVID-19, the health authority (which will usually be aware of such notifiable health events) will request to download this record of contacts from their phone. The health authority, on this centralised model, has the ability to match this beacon information with the phone numbers associated with the beacons.
The owners of these mobiles are then contacted by the health authority, probably by the health authority periodically broadcasting all tested-positive beacon IDs. Individual’s phones will check for a match, and if there is a match, then alert the owner that they need to be tested (or contact the health authority). Manual virus testing and further contact tracing then takes place.
Singapore’s TraceTogether app has been available for almost a month (since March 20) but as yet has only achieved about 17% take-up, and the Singapore Government is now aggressively pursuing other containment measures. Prime Minister Morrison says Australia will aim for 40% adoption of the app, whereas Apple and Google have said about 50% is needed.
If there is inadequate voluntary take-up to create effectiveness, or if government desires to ease up the restrictions on most of the population, this might lead to a situation which (Josh Taylor speculates) ‘requires people to have the app installed on their phone and switched on in order to go out’ or conduct normal activities.
This could be achieved by minor changes to those State and Territory regulations that require people to have ‘a reasonable excuse’ or ‘acceptable reason’ to leave their homes (as in NSW, Qld, Vic). Being required to take self-surveillance with you would give new meaning to the old Amex slogan ‘don’t leave home without it’.
Another example would be if employers were to insist that any employees coming back to work have the app installed on their phone, in order to protect co-workers or customers. Universities and schools might do likewise as a condition of attendance. Public events, and even restaurants, might make it a condition of entry. Those who don’t like it would be told they can stay home.
These are all examples of what is called ‘pseudo-voluntary’ compliance (initially in relation to the Australia Card). By such means, a supposedly voluntary form of surveillance becomes de facto compulsory.
The US Electronic Frontier Foundation (EFF) warns against such dangers. A draft Coronavirus (Safeguards) Bill 2020 by UK academics has as its first provision ‘No sanctions for failing to carry personal device, install or run application’.
Australia has previously rejected the pseudo-voluntary Australia Card (1987) and the Access Card (2007). It would be better to avoid a third round by making any contact tracing app genuinely voluntary and guaranteed by enforceable laws to be so. Labor should insist on this.
The dangers to privacy of proximity tracking apps are accelerated if they morph from voluntary to de facto compulsory. These dangers may include, depending on implementations: security risks of disclosure of sensitive data (COVID-19 status); whether they can be turned off in particularly sensitive situations; excessive data collection (location, other sensitive data); data about associations may be misused; false positives may be generated (including malicious denial of service attacks); marginalised groups may be disadvantaged; and both the app, and the data, may be kept when it should have expired.
Implementation dangers also depend on choices between decentralised and centralised elements in system design, over which there is European, Australian and global controversy on privacy risks and other grounds (e. g. effect on battery life). A joint development by Google and Apple is expected within a few months, and is reported to prevent creation of centralised databases by health authority apps. Updates to operating systems for both Apple and Android phones will include amended Bluetooth functionality. Individuals may not need to download an app, and may be able to opt out by turning off this function in the operating system. Whether these OS changes will support a version of Australia’s proposed app is not known, but questionable.
In light of all these potential dangers to privacy and other liberties, the initial response should be to first ask ‘given Australia’s relative success to date in suppressing coronavirus, is the proposed contact tracing app (with its attendant dangers) now part of a necessary and proportionate response to the pandemic?’ Advice from Australia’s various Privacy Commissioners should be a key part of that decision, but they are reported to be yet to discuss the issue. If, as seems likely, the app goes ahead, necessary protections must be considered.
To address these dangers, Australia needs legislation, enacted as necessary by all its jurisdictions (Federal, States and Territories). It should guarantee that the app is voluntary: no one can be required to install it, turn it on (in an OS), or keep it on; anyone can delete both app and data at any time; and no one can require a person to demonstrate that they are running it on their phone.
Laws should guarantee that these are emergency measures, not permanent ones: both the functioning of the app, and any centrally collected data, should be terminated when the state of emergency ends, or earlier if the jurisdiction’s chief medical officer decides that it is no longer a necessary and proportionate response to the pandemic. Breaches of any of these privacy protections should involve significant criminal penalties and statutory damages.
Depending on implementations, other legal protections will be needed (such as transparency in operation, including open source code), but guarantees of voluntariness will be needed whatever model is chosen. Liberty Victoria argues for some of these protections, but does not go far enough.
The success of Australia’s coronavirus responses has been substantially because of public trust that very difficult restrictions and sacrifices called for by governments have been necessary. Governments now need to trust the continuation of public goodwill by demonstrating that its proposed contact tracing app is necessary and proportionate to Australia’s current situation, and if it is, by enacting comprehensive legal guarantees that its use is voluntary as promised.
Graham Greenleaf is a Professor of Law & Information Systems at UNSW Law. His research concerns the inter-relationships between information technology and law: legal information systems, cyberspace law, and the global development of data privacy laws and agreements.
He also is the Founding Co-Director and Senior Researcher of the Australasian Legal Information Institute (AustLII) and its associated international projects and a Board Member of the Australian Privacy Foundation.