COVID-19 tracing app plagued by privacy, efficacy concerns
By Daniel Bishton, Spatial Source
Cybersecurity and privacy experts have lined up to voice concerns about the federal government’s proposed coronavirus tracing app.
Slated to be released in a few weeks, an Australian contact-tracing smartphone app based on Singapore’s TraceTogether app has been the subject of heated debate over its mode of operations and conditions surrounding its launch.
The government’s messaging has been uncertain and shaped by backlash. An initial suggestion that the new app’s use would be mandatory was walked back after Coalition MPs refused to download the app and government services minister Stuart Robert suggested that new laws may coincide with its release.
On Monday, the government confirmed that using the app would not be mandatory, and that the app would not track people’s locations, nor would the data be made available to law enforcement.
Professor Richard Buckland, Professor of Cybersecurity at UNSW Sydney and Director of the SECedu Australian Cybersecurity Education Network, said that what is known about the app’s operation and the extent of its data collection presented a range of circumstances that may facilitate significant breaches of privacy:
The exposure of other people’s IDs reveals much data about their movements that would otherwise be private, such as non-compliance with social distancing of passers-by, other movement restrictions, or any other activities that would otherwise be unknown to authorities.
Data breaches or sharing of the central database with other state actors would allow those actors to easily identify people from their app’s beacon signal by adding Bluetooth sensors to other means of surveillance, such as allowing tracking by drones, or a new means of personal identification within existing camera surveillance systems.
If data were shared with enforcement agencies, or if such agencies had the power to compel users to hand over logs, they could be used to force reporters to identify sources, identify whistleblowers, identify people attending a protest or politicians leaking to media, people in witness protection or in hiding from abusive partners, etc.
Professor Buckland recommended that safeguards around its operation should be enacted. Firstly, there should be an explicit legal prohibition on using the data for anything other than Covid-19 contact tracing, which cannot subsequently be rolled back by ministerial regulation; Australia’s track record on privacy has shown many agencies will seek to access such data for their own purposes.
Secondly, a ‘genuine opt-in’ should be put in place, meaning people cannot be discriminated against for opting out, data cannot be demanded by enforcement agencies, and people opting out are guaranteed to have their data securely destroyed.
Finally, a time limit and guarantee of secure deletion should accompany the app’s roll-out to ensure the app and all associated data will be securely deleted within a specified timeframe or upon satisfaction of Covid-related epidemiological goals.