15 Apr A deep(er) dive into digital contact tracing
Editor’s note. This article was originally written on April 15 2020, but as with much of life at the moment, things are rapidly changing. So as new information comes to hand on this highly interesting and timely digital discussion, we will continue to add updates to the article.
- The ABC is running a piece around the hosting of the data from the contact tracing app. There are concerns about the procurement process that led to AWS being selected as the preferred data storage provider.
- The main element is that Amazon is a US company even though the Australian Government already uses AWS for many of its agencies.
- The other key point mentioned is around plans to store the decryption keys in the same cloud as the data itself.
- The government will release the source code for the tracing app so it’s up for independent review by all coders: https://www.abc.net.au/news/2020-04-20/how-will-australia-coronavirus-tracking-app-work/12163736
- On the subject of review, the Cyber Security Cooperative Research Centre found ‘nothing particular disturbing’ in the architecture (I am personally keen for a review by the Privacy Commissioner – not sure if we missed that yet): https://www.brisbanetimes.com.au/politics/federal/nothing-particularly-disturbing-coronavirus-app-safe-review-finds-20200420-p54lea.html
- Barnaby Joyce doesn’t want to download the app – something about China being potentially able to download his data?!?!? One would question why China would be interested in Barnaby’s movements but anyway. There are rumours about a third family but that is of course, unfounded.
- And again, no location data will be tracked. The gov doesn’t care where you are and who you are with, only who is standing behind you in the queue at Woolies: https://www.abc.net.au/news/2020-04-20/government-insists-coronavirus-tracing-app-wont-track-locations/12163756
As more details are released about Australia’s tracking app, here are a few more facts to work with (though always read up on your own end to confirm information):
- The process of using the app will be entirely voluntary. The government has confirmed that it will not force anyone to use the app though for effectiveness at least 40% of the population will need to use it.
- A lot of this tracking is already done manually in that data is only released if you are tested positive. If not, no one will ever know who you’ve come in contact with.
- ‘There is no relocation, there is no surveillance and there is no tracking. The app simply connects with another app. If these two phones are within 1.5m for 15 minutes. It simply swaps phone numbers and names. That information is held encrypted and securely on the individual’s mobile phone.’
- If you are tested positive, you need to click enter (assuming to some sort of check box) to say that you are positive. It will then release data from the last 21 days onto a national health data store managed by your state (not federal gov). ‘At no point does the Commonwealth get the data at all’
- When the pandemic is done (assuming it is ever over), you can delete the app and its associated data. Also the minister will ‘blow away’ the national data store (there seems to be a conflict here – if the data is stored by the state, then why is there a national data store and why is the minister blowing the data away?)
- Also currently, there have been 2.7m downloads of the coronavirus information app (gov app); 7 million visits to website (assuming Australia.gov.au) and 10m messages downloaded through WhatsApp.
Yesterday we asked our ecosystem how they felt about giving up their privacy in the name of public health and/or social good i.e. to allow The Australian Government to use aggressive forms of contact tracing to limit the community transmission of Covid-19.
- All these solutions rely on Bluetooth as it tends to be more accurate in terms of proximity and timing (vs let’s say, GPS). Also all smart phones have Bluetooth and its a relatively simple technology. Take Apple’s ‘Find My’ feature – when you turn that on, your phone essentially chirps to find a lost iPhone.
- What might happen (generally speaking) is that your phone would have an ID number and throughout the course of your day it would take note of all the other IDs it comes into contact with (for example in a 2m radius and for a prolonged period of time e.g. 15 mins).
- According to a review of Trace Together by the University of Melbourne, when a user tests positive to Covid-19, they would be asked to upload their data logs to a server, the data is decrypted and users who have been in close contact will be informed and ideally tested too.
- The logic is that the quicker we can identify community transmission, the less the rate of infection and the quicker we can treat which should reduce the number of cases as well as the severity.
- For this to work you would also need wider testing as you criteria would effectively change. You wouldn’t need to have symptoms to get tested so it would also potentially catch more of the asymptomatic cases.
- Also critical is mass adoption. According to ABC news you would need at least 40% of The Australian public to voluntarily opt in.
- Bluetooth signals are random so the technology itself automatically offers some protections that other technology might not (e.g. it should not track your location or pass on any other information from your phone)
- How anonymised is the data? And will GPS location tracking not be used at all. (It’s one thing for the gov to know who you came in contact with, another for them to track your movements).
- Does it collect any other data which might be useful in the fight against Covid? Technically the app could open the doors for other studies.
- Where will the data be stored? They mention a server, assuming it’s in Australia, but who has control and accessibility to this.
- How secure is the encrypted data? No one wants a hack. What are the security elements put in place to ensure that no data comes in the hands of bad actors.
- On that note, how does the encryption bill feature into this? Does it?
- Can other levels of government use the data e.g. for law enforcement?
- Whilst generally interoperability of data isn’t a strong suit of government initiatives, it’s worth confirming.
- What happens to the data if the app is deleted or uninstalled?