CovidSafe?
The first iteration of Australia's contact tracing app seems to stack up, but privacy concerns relating to future changes to the app, as well as limitations on government data-use remain, with good reasons. I hope this summary of what we know so far and some analysis from different sources assists in making a free and informed choice. A free, informed, and evidence-based choice is obviously of paramount importance in deciding whether or not to grant serious powers of surveillance to our government. Trade-offs of personal privacy for the greater good can only be exchanged in good faith if we know exactly what, and how much, we're giving up.
People are right not to automatically trust governments. Refusing to adopt in-principle faith in the powers that be is central to healthy democracy, and the integrity of those in authority should never be taken for granted. As Noam Chomsky said, "Any form of authority & domination has a burden of proof to bear to demonstrate it's legitimate." This is especially true in Australia, of a government who are infamously duplicitous and dangerous, and whose liberal use and misuse of data is well documented. In this case, though, at least in its initial form, Australia's CovidSafe contact tracing app seems to meet this burden of proof. That is, at least this first version of the app does. But it remains to be seen if government use of our volunteered data will be adequately constrained to meet similar standards of integrity.
Context and the government's claims.
On the 26th of April, Health Minister Greg Hunt launched Australia's contact tracing app, CovidSafe. The app is based on source code from a similar app used by the Singapore government. Whether or not we agree such an app should be launched before attempting sharper lockdown measures, the app is here now, so let's look at it on its merits, starting with what the Coalition has alleged the contact tracing app can and will do. This includes their public statements and the determination (a placeholder for legislation) published by Greg Hunt under the Biosecurity Act, the invocation of which has allowed such drastic social distancing measures to come into force without the passage of laws. The government claims the following:
- The app will work by bluetooth and won't track your location
- At registration, the user provides their name, phone number and postcode, and selects their age range. This generates an encrypted code, an anonymised bluetooth ID. Greg Hunt has stated that you may provide a pseudonym or other inaccurate information if you wish, but that it would assist more if it was accurate.
- If you come within range of someone else who also has the app installed, your two devices will 'ping' off one another, exchanging the information contained in their encrypted IDs by bluetooth.
- This data will be secured locally only, on your phone's internal storage, for 21 days, after which it will be erased.
- If you are found to have contracted Coronavirus, you may then consent to upload your data to a government server provided by Amazon Web Services.
- The government can then decode the anonymised IDs and call all those you had close contact with to advise them to self-isolate and get tested.
So does CovidSafe live up to this?
CovidSafe Mark I : Decoded.
Despite earlier assurances, the source code for Australia's app is yet to be released, but Australian app developers and privacy experts have already decompiled and analysed the code making up this first version. The general mood from those privacy-savvy coders was that the app, at least as it currently stands, effectively does what it sets out to and nothing more. But they still see some minor issues with it. Let's compare their findings with the above summary of the government's claims. They found that:
- The app does work by bluetooth and cannot track your location. The app will ask for permission to access your location; it's understood that this is a quirk of Android: to grant bluetooth permissions one must grant location permissions. But the app is not capable of tracking your spatial location data. Worryingly though, software engineer Geoffrey Huntley writes that it would be "Potentially possible for GPS functionality to be shipped in a software update later down the track as users have already consented to fine grain location access (a requirement for bluetooth LE scanning)".
- The app creates an anonymised bluetooth ID for each user. These encrypted IDs are recycled and replaced every 2 hours for added security. Vanessa Teague of Thinking Cybersecurity points out that this is a downgrade from recycling IDs every 15 minutes in the case of Singapore's app.
- Despite poor reporting claiming otherwise, the app will exchange its "bluetooth handshakes" with anyone using the app who is within bluetooth range, not just those who come within 1.5 metres for 15 minutes. This 1.5 metre, 15 minute classification is referred to as "close contact" by the Department of Health. This is an important distinction. The government may have hoped we mistakenly assumed that only our "close contact" encounters would be recorded; this doesn't seem to be true, and it greatly expands the volume of data being documented. The distance involved in each bluetooth handshake is gauged by the recorded bluetooth signal strength once decrypted and may vary with environmental factors (impeding objects, bluetooth quality, etc.), making it approximate. Another piece of information recorded to assist with this is the exact model details of each phone; these are exchanged in each bluetooth handshake too. It's understood this will be used to account for differing signal strengths between phones when calculating distance. This information is not encrypted.
- This data is held locally on your phone's internal storage. The app design ensures this. Other apps cannot access this database unless your phone is jailbroken or "rooted".
- The app requires additional consent, once you are confirmed to have contracted Coronavirus, to upload your data to the government server. Only then can it be accessed by anyone else.
- Contact tracing would then be carried out as the government outlined.
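To make the mechanics in the list above concrete, here is a small simulation written for this post; it is an added illustration, not CovidSafe's own code, and everything in it is a constructed stand-in: the server issues random 8-byte pseudonyms in place of the app's real encryption, the RSSI-to-distance rule and the per-model signal offsets (`MODEL_OFFSET`) are invented for the demo, and the names `Server`, `Phone`, `close_contacts` and `distinct_ids_over` are hypothetical. It shows three things the post describes: every in-range handshake is logged locally and only decoded into "close contact" (1.5 m for 15 minutes) on the server after a consented upload; the local store is purged after 21 days; and rotating the ID every 2 hours instead of every 15 minutes means a passive bluetooth observer can follow a single ID for eight times as long (12 IDs per day instead of 96).

```python
# Simplified simulation of the CovidSafe-style exchange the post describes.
# Added illustration, not the app's code. Pseudonym issuance, the RSSI-to-
# distance rule and the phone-model offsets are all constructed stand-ins.
import secrets
from collections import defaultdict
from dataclasses import dataclass

MINUTE, HOUR, DAY = 60, 3600, 86400
RETENTION = 21 * DAY                              # local store lifetime from the post
CLOSE_METRES, CLOSE_SECONDS = 1.5, 15 * MINUTE    # Dept of Health "close contact"

# Constructed per-model RSSI offsets (dB), standing in for the calibration the
# post says the exchanged phone-model details are used for.
MODEL_OFFSET = {"PhoneA": 0, "PhoneB": -6}


@dataclass
class Encounter:
    peer_id: bytes    # the peer's rotating anonymised ID (opaque on the phone)
    peer_model: str   # exchanged in the clear, per the post
    rssi: int         # recorded signal strength (dBm)
    ts: int           # timestamp in seconds


class Server:
    """Issues rotating IDs and holds the only mapping back to real users."""

    def __init__(self):
        self._id_to_user = {}
        self._issued = {}     # (user, epoch) -> id

    def id_for(self, user, epoch):
        key = (user, epoch)
        if key not in self._issued:
            new_id = secrets.token_bytes(8)       # stand-in for the encrypted ID
            self._issued[key] = new_id
            self._id_to_user[new_id] = user
        return self._issued[key]

    def decode(self, peer_id):
        return self._id_to_user[peer_id]


class Phone:
    def __init__(self, user, model, server, rotate_every):
        self.user, self.model, self.server = user, model, server
        self.rotate_every = rotate_every
        self.store = []       # local encounter database

    def current_id(self, ts):
        return self.server.id_for(self.user, ts // self.rotate_every)

    def handshake(self, peer, rssi, ts):
        """Log the peer: every in-range peer is recorded, not only close contacts."""
        self.store.append(Encounter(peer.current_id(ts), peer.model, rssi, ts))

    def prune(self, now):
        self.store = [e for e in self.store if now - e.ts < RETENTION]


def distinct_ids_over(phone, start, end):
    """How many IDs a passive observer would see from this phone in [start, end)."""
    return len({phone.current_id(t) for t in range(start, end, MINUTE)})


def estimate_distance(rssi, peer_model):
    """Constructed rule: crude banded estimate from RSSI, calibrated per model."""
    adjusted = rssi - MODEL_OFFSET.get(peer_model, 0)
    return 0.5 if adjusted >= -60 else (1.5 if adjusted >= -70 else 4.0)


def close_contacts(server, uploaded, sample_interval):
    """Server-side step after a consented upload: decode IDs, group by person
    and apply the 1.5 m / 15 min rule to the accumulated time spent close."""
    close_time = defaultdict(int)
    for e in uploaded:
        if estimate_distance(e.rssi, e.peer_model) <= CLOSE_METRES:
            close_time[server.decode(e.peer_id)] += sample_interval
    return sorted(u for u, t in close_time.items() if t >= CLOSE_SECONDS)


def simulate():
    """Constructed scenario: Alice's phone meets three peers on day 10."""
    server = Server()
    alice = Phone("alice", "PhoneA", server, rotate_every=2 * HOUR)
    bob = Phone("bob", "PhoneA", server, rotate_every=2 * HOUR)
    carol = Phone("carol", "PhoneB", server, rotate_every=2 * HOUR)
    dave = Phone("dave", "PhoneA", server, rotate_every=2 * HOUR)
    t0 = 10 * DAY
    for i in range(3):         # Bob passes very close, but only for 3 minutes
        alice.handshake(bob, -55, t0 + i * MINUTE)
    for i in range(20):        # Carol sits ~1.5 m away for 20 minutes
        alice.handshake(carol, -72, t0 + i * MINUTE)
    for i in range(30):        # Dave is in bluetooth range but far away for 30 minutes
        alice.handshake(dave, -85, t0 + i * MINUTE)
    recorded = len(alice.store)            # all 53 handshakes are logged locally
    alice.prune(t0 + 20 * DAY)             # inside 21 days: nothing is dropped
    kept = len(alice.store)
    contacts = close_contacts(server, alice.store, MINUTE)   # after consented upload
    alice.prune(t0 + 22 * DAY)             # past 21 days: local copy is gone
    return {"recorded": recorded, "kept": kept,
            "close_contacts": contacts, "after_retention": len(alice.store)}


if __name__ == "__main__":
    s = Server()
    print("IDs per day at 2 h rotation:", distinct_ids_over(Phone("u", "PhoneA", s, 2 * HOUR), 0, DAY))
    print("IDs per day at 15 min rotation:", distinct_ids_over(Phone("v", "PhoneA", s, 15 * MINUTE), 0, DAY))
    print(simulate())
```

Running it shows 53 encounters recorded but only Carol classified as a close contact, which is the distinction the post draws between what is logged and what counts; the two rotation counts make Teague's point measurable rather than rhetorical.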
Matthew Robbins, a mobile app development expert, summed up his own analysis of the app's code and design in a tweet, in which he said "From what I can see, everything in the #covidsafe app is above board, very transparent and follows industry standard." Paul Haskell-Dowland, from Edith Cowan University's Computing and Security department, concluded "that the data that is being captured is suitably anonymised, suitably protected and access to it is reasonably restricted...the opportunity for misuse is incredibly small." Mahmoud Elkhodr from QC University Queensland drew similar conclusions.
But this is all based on the current version of the app. Some have suggested the government could shoehorn in changes as it pleases in future updates. Could it even coerce the creators of the app to sneak in changes? So far tech-heads are satisfied with the integrity of the software, but what happens to our data when we do consent to uploading it to government servers? We need legislation to entrench strict limitations on government data use.
The legality of government data use.
The current determination relating to CovidSafe, pending legislation in May, asserts that data can only be used for contact tracing purposes and that alone. Well, let's wait and see if this constraint survives in the same form in the government's bill next month. Even if it does, though, Australia's Digital Rights Watch have made clear they're concerned that Australia's recent encryption laws could allow intelligence agencies or law enforcement access to the data. In a recent statement they said: "They [the government] can also issue a directive to create or modify features [of a software]. It is an offence for anyone receiving such an order to even reveal its existence, or to fail to comply with it. The developers of the contact tracing app may have already received such a directive, and implemented a mechanism to give data to law enforcement or other agencies. They would risk imprisonment if they answered any questions about a directive, or alluded to its existence." Perhaps the government could legislate an exemption in its encryption laws for CovidSafe, which would bar access to the data for anyone except contact tracing personnel. We don't want to see this surveillance architecture being used for Orwellian law enforcement.
Digital Rights Watch also raises concerns about Australia's mandatory data retention laws. In this case though, according to the current determination under the Biosecurity Act, and assuming it translates into law this May: "The Commonwealth must cause COVID app data in the National CovidSafe Data Store to be deleted after the COVID‑19 pandemic has concluded...Note: The requirements in this section will override any obligation under an Australian law to retain data for a longer period." It seems that this, if enshrined in legislation, would legally guarantee the deletion of CovidSafe data post-pandemic.
More broadly, Amazon Web Services will be providing the secure server on which the government will store and access this CovidSafe data. Besides the obvious issue that we have outsourced this service to an American company of questionable conduct, it'll be interesting to see what the upcoming senate inquiry reveals about the robustness of this data storage system. We should seek assurances that this server is protected from third-party hackers as well as private use by Amazon itself. The government's determination that the data remain in Australia must make its way into law and be strictly enforced. In general, a body overseeing the implementation and use of this app could ensure the CovidSafe infrastructure is not abused. So far, though, the Law Council of Australia say they've seen "no provision for oversight and reporting on its use".
There's also speculation that Australia needs to become recognised as a 'qualifying foreign government' under America's CLOUD Act, to exclude our data from US access. Under current arrangements it's unclear if the US could access our data under these laws because Amazon is an American company. Despite assurances from the Coalition that the US laws couldn't be enacted to access our data due to it belonging to the Australian commonwealth and not Amazon, this is still contested.
Final thoughts: government scrutiny vs tech-giant free pass
It's critical that we scrutinise any attempt by our government to expand its already invasive and authoritarian surveillance. But why aren't we applying this same level of scrutiny to the private tech sector, whose data-mining, behaviour-programming, and behaviour-predicting industry constitutes one of the biggest markets in the world? It's appropriate that CovidSafe has received so much analysis and attention in Australia, but how often do we, with zero hesitation, sign away and monetise our information and activity to tech giants who consistently evade paying any tax in this country? What our government may do with additional data is a concern, yes, but what tech companies already do with far richer stores of our data is sickening, and we should care.
As Shoshana Zuboff, author of Surveillance Capitalism, explains, Facebook and Google send the data we provide through a network chain of businesses. In the case of the photos we upload, Zuboff says buyers and users of our data "use information from our faces...to train models for facial recognition, those models are then sold to military operations, some of them in China, and those Chinese operations do many things, including imprisoning the Uighurs, a subset of the Muslim population in China, in what is rightly regarded as an open-air prison." We need to apply scrutiny and checks to constrain both public and private tyrannies.
Anyway, I hope all of this has helped provide the information and context needed to make an independent choice.