This week, the Australian government launched the COVIDSafe app. The app’s purpose is to automate the COVID-19 contact tracing process in Australia. Using Bluetooth, it will store encrypted data about every person running the app who, in the previous few weeks, has been in contact with another app user who tests positive for COVID-19.
Based on Singapore’s TraceTogether software, the app enables health officials to quickly contact people who may have been exposed to COVID-19 by noting the date, time, distance and duration of the contact and the other user’s reference code.
The COVIDSafe app apparently does not collect data on your location. The Australian government Department of Health stated that “[c]ontact tracing is a fundamental element of a public health response to disease outbreak… to help stop the further spread of COVID-19 (such as getting tested or self-isolating).”
The government has stated that the app, which is completely voluntary to download, will only ever be used by public health officials for the purposes of contact tracing. The Government has previously said 40 per cent of Australians need to download COVIDSafe for it to be successful. Within 48 hours of its launch this week, two million people had already downloaded the app.
Despite the app’s non-mandatory nature, it was unsurprising that privacy concerns came thick and fast. While some Australians’ minds flashed back to George Orwell, I was reminded of Marc Goodman’s 2015 book Future Crimes. Goodman compels readers to critically reflect on the ever-expanding and interconnected technologies we voluntarily (and sometimes unknowingly) incorporate into our daily lives.
Drawing on his extensive experience in international and domestic law enforcement, Goodman presents technological advancements as a double-edged sword. Technology, he asserts, is both a tremendous driving force for good (ending a global pandemic, for instance) and a malleable, corruptible, easily manipulated weapon in the hands of criminals, capable of undermining our fundamental societal infrastructure. We rely on technology for our water, our electricity, security, medical records, communication, banking, news, elevators, maps … yet hackers can easily buy software over the counter and purchase their gateway to the dark web, and into our pockets, screens and minds.
The COVIDSafe app is one such technology that has the potential for tremendous good, but also the potential to be abused. The Cyber Security Cooperative Research Centre (CSCRC), which reviewed the COVIDSafe app after concerns that the data collected could be pervasive or mishandled, said it found “nothing particular disturbing” in the app’s architecture. However, Digital Rights Watch stated that the CSCRC was not given access to the entire system, noting that the whole data custody chain needs to be auditable if the system is only for this one purpose of contact tracing.
The Law Council of Australia expressed concern over the absence of a sturdy legislative framework surrounding the app, as well as the lack of oversight and reporting on the app’s use. The Law Council further highlighted the ambiguities surrounding the period the National COVIDSafe Data Store will be operational and when obligations to delete information will commence. While Health Minister Greg Hunt published a ‘Determination’ to protect people’s privacy and restrict access to data, the Law Council emphasised the need for the ‘introduction of legislation in the Parliament to put the regulatory framework on a comprehensive statutory footing’, as opposed to a mere Determination.
The growing value of data, particularly big data, to criminals and non-criminals alike, led the World Economic Forum to dub data “the new oil”. Goodman highlights the striking lack of regulation around the collection and distribution of personal data by companies. He alerts readers to the need to hold those who fail to protect us accountable—whether private companies or government officials.
The Australian government awarded the COVIDSafe app’s data-storage contract to Amazon’s cloud subsidiary, Amazon Web Services (AWS), a US-incorporated business subject to the Clarifying Lawful Overseas Use of Data Act or CLOUD Act. It is unclear whether the data held by Amazon is protected from US subpoena.
Digital Rights Watch has suggested that the Australian Government should:
“… publish the source code not only of the app, but for the entire system at the Government’s end (both State and Federal); … provide for independent oversight and mandatory public reporting of all uses of the data; … eliminate [by legislation] the possibility of police and intelligence agencies using their anti-encryption powers, to use the app to access any information on a person’s phone.”
Goodman warns that we still fundamentally do not have the trustworthy computing required to keep us safe. The interconnectedness of technologies combined with the high value placed on personal data makes users, including governments, particularly vulnerable. According to UN estimates back in 2015, the underground cybercrime scene accounts for 15-20% of the global GDP, amassing more than $2 trillion USD annually.
Notably, cybercriminals are typically ahead of the game in terms of innovation, research and development of technology, including ingenious methods of obfuscation. While cybercriminals are inventing ever-more creative methods to undertake their attacks, law enforcement is merely reactive, often intervening too late, after the damage is done, to bring criminals to justice.
A striking aspect of Future Crimes is how frequently cybercrime is executed without legal ramifications for the perpetrators, owing primarily to the difficulty of detection and the deceptiveness of the tools used (for example, manipulation of the screen and combinations of multilayered covert obfuscation techniques such as onion routers and encryption). Goodman’s examples of large-scale cybercrime seem to suggest that the success of cyber security depends on regulatory and corporate-level change.
Future Crimes demonstrates how greater connectedness creates greater vulnerability and risks which far outpace current law enforcement capabilities, since criminals are early adopters of new technologies. COVIDSafe may already be on the radar of those hoping to wield such data for their own purposes.
It is laudable that the government has introduced an app that could save lives, and that the government has not mandated COVIDSafe, but some loose ends remain about how safe COVIDSafe is.