COVIDSafe legislation enters Parliament with a few added privacy safeguards

The Bill has bipartisan support, but Labor still wants more from the government to ensure the privacy of individuals is front and centre.

Legislation surrounding the federal government's coronavirus trace tracking mobile app, COVIDSafe, has been introduced to Parliament.

The purpose of the Privacy Amendment (Public Health Contact Information) Bill 2020 is to assist in "preventing and controlling the entry, emergence, establishment, or spread of COVID-19 into Australia", by amending the Privacy Act 1988 to provide stronger privacy protections for users of the app.

The draft legislation was published last week. It introduces serious offences relating to the COVIDSafe app data, covering the non-permitted collection, use, or disclosure of the data; the uploading of app data without consent; retaining or disclosing uploaded data outside Australia; decrypting the encrypted app data; and requiring COVIDSafe participation.

Each offence can result in imprisonment for five years or 300 penalty units -- at AU$210 per unit -- or both.

Taking issue with the contents of the draft Bill, the federal opposition provided a number of suggestions to the government, including providing greater clarity about what data is protected by the privacy safeguards contained in the Bill; greater oversight of the COVIDSafe app and the handling of COVIDSafe data by the Office of the Australian Information Commissioner (OAIC); assurance that no intelligence agency or law enforcement agency can be given a role in administering the COVIDSafe data store; and introducing public reporting requirements.

With the federal government accepting the suggestions, the Bill now also contains a provision for the OAIC to continue an investigation even where the investigation overlaps with an investigation by law enforcement.

Labor called on the government to be as transparent as possible about everything to do with the COVIDSafe app, whether it be providing additional technical information in relation to the app or being upfront about how the app is working in practice.
 
It also asked government to explain why it awarded the COVIDSafe data storage to Amazon Web Services (AWS) instead of an Australian cloud service provider and provide concrete assurances that the data collected cannot be accessed by anyone outside Australia.

Previously, a spokesperson for Minister for Government Services Stuart Robert told ZDNet the minister has "the utmost confidence in how the information is being managed".

"Uploaded contact information will be stored in Australia in a highly secure information storage system and protected by additional laws to restrict access to health professionals only," the spokesperson said.

Labor wants more than lip service, however.
 
"Australians will have no reason to download or keep using the app if the technology does not work or if the technology is not secure," Labor said in a statement. "For that reason, the government must urgently address the technical and security concerns that have been raised about the app by technology experts and members of the public."

Shadow Assistant Minister for Cyber Security Tim Watts said on the whole, the Bill before the house "is a good one".

"In many ways the privacy protections included in this bill are -- to use the word of our times -- unprecedented in Australian law," he wrote in an opinion piece.

"These protections are important not only for delivering important privacy outcomes, but also to boost public confidence and help increase its take up."

While Watts said it is a genuinely impressive response from the Australian community, with millions having already downloaded COVIDSafe, he said it's important to understand that the app's objective is to protect the community, not the individual.

"But the public must understand that installing this app will not provide any form of individual protection to you. It's not a preventative," he said. "It is misleading to describe this app as being like sunscreen."

See also: Australians urged to take up mental health telehealth and put on 'digital sunscreen'

"The COVIDSafe App is not a silver bullet for contact tracing," he added. "The government, health officials, and the general public need to be aware of its technological limitations to guide their behaviour."

Watts touched on the unclear nature of the app's functionality on iOS devices.

"Troublingly, the statements from the government about the way the app works on iOS devices have varied over time," Watts said.

"It certainly isn't catching all potential contacts between locked iPhones or between iPhones where the app is operating in the background. These performance issues have real consequences."

In a bid to build trust from Australians, it is also considered an offence in the legislation to require an individual to download COVIDSafe, have the app in operation, or force someone to consent to uploading COVID app data.

The legislation also blocks the ability for businesses to force employees or visitors to use COVIDSafe.

A person commits an offence if they upload, or cause to be uploaded, data from a mobile device to the National COVIDSafe Data Store if consent to the upload has not been given by the user or their parent, guardian, or carer.

A person also commits an offence if they retain COVIDSafe data on a database outside Australia. It is also considered an offence if a person discloses data to another person outside Australia.

Decrypting data is also prohibited.

"The provisions of this Bill, and the government's overall approach to this app highlight an ongoing philosophical problem in the government's approach to security. For this government, security seems to be founded on secrecy and obscurity," Watts said.

"Transparency doesn't create security threats, it reveals them. Security vulnerabilities continue to exist whether you talk about them or not. Accountability doesn't undermine security, it strengthens it by identifying problems and creating incentives to fix them."

MORE ON COVIDSafe