Living with COVID-19 creates a privacy dilemma for us all

Can a balance be struck between the privacy of citizens and allowing health officials to access any piece of information for helping to track down a cluster of coronavirus cases?
Written by Chris Duckett, Contributor
Contactless smartphone payment
Image: Getty Images/iStockphoto

This piece comes to you from the mostly coronavirus-free shores of Australia. But the virus is still not eliminated; various places can have an extended run of virus-free days, which can then turn into weeks and months, before the virus suddenly comes back.

There is no better example of this than the reemergence of COVID-19 in New Zealand back in August, after the nation went 100 days without the virus and was widely considered to have eliminated it. 

At the time of writing, South Australia just left lockdown after a surge in cases, despite the state shutting its borders to places such as New South Wales and Victoria, and only having handfuls of cases reported each day, if any were reported at all, since April.

According to the recent National Contact Tracing Review [PDF], the takeaway lesson from 2020 is to throw the kitchen sink at outbreaks when they appear.

"In the event of an outbreak, every effort should be made to go hard and go early," the review said.

The way to suppress a surge in cases is to make sure those with the virus can have their recent close contacts traced, thereby getting those identified into quarantine and tested. This is in the hopes that the virus can be prevented from spreading further into the community. Key to all of this is having quick access to data.

For contact tracers, the first stop is asking people where they have been, but as we all know, the human mind is far from perfect. And this is before even considering the task of identifying random people who happened to be in a venue with a positive case.

Enter initiatives such as Australia's COVIDSafe app, which has been far from successful and only identified a small number of unique cases. The app that was touted at its introduction as being akin to sunscreen has since been relegated to double-checking duties.

"There is scarce evidence on the effectiveness of digital or automated contact tracing," the report said.

Along with the app, Australia has also pushed venues to install check-in processes in response to various parts of the country reopening. This usually takes the form of a QR code and requires filling in an online form with details such as name and phone number, with pen and paper used a backup.

If state governments from the get-go had the check-in systems in place that they have now, it could have been possible to have a centralised data store for check-in data, but that was not to be. As it stands, a bunch of private organisations have rushed in to fill the void.

"In addition to the disadvantage of not having a centralised database for contact tracers to interrogate the data, many of these apps are requesting unnecessary information from customers that adds significantly to the time taken to register, and is sometimes used for marketing purposes," the report said.

"Further, because of the multiplicity of applications, customers find themselves entering the same information repeatedly if they visit different venues. These repetitive and in some cases unnecessary burdens on customers are likely to result in lower overall compliance with attendance recording."

See: Coronavirus: Business and technology in a pandemic  

It needs little repeating but 2020 is a weird year. Last year, if the prospect of a centralised attendance database run by a government was put before me, I'd have yelled the words "Big Brother", "surveillance state", and probably a few other choice phrases. And yet, as the year ends, I have more faith that my state government will not flog my data to the highest bidder and has created some form of requirement to actually delete the data when it is not needed anymore.

Getting more specific than throwing the kitchen sink, the review also recommended for states to have a single app for check-ins, or failing that, that all such apps adhere to a common standard.

At this stage, it needs pointing out that in Australia the data retention regime ensures the nation's law enforcement agencies have easy access to which phones are on what mobile tower, so I am not doing a something compared to nothing comparison when I talk about attendance databases. It's a more granular form of data than what the government had access to last year, and at any rate, Google knows where I am.

If I wanted to opt out of needing to check in at places like cafes and restaurants, there is a simple solution, of course. Don't go. Get take away instead.

In trying to solve that problem, since even getting takeaway might expose you to the virus, the contact tracing review proposed something that would make check-in databases look like small fry.

"The Commonwealth should lead the development of arrangements between states and territories and payment card providers so that contact tracers from the states and territories will be able to request contact details of persons who have made a transaction at a hotspot venue, noting that privacy rules will apply and in some jurisdictions legislative change may be required," the report said.

Thanks to Australia having a modern payment backbone, access to which cards were used at which venues is a quick API call or two away -- and the payments would be based on cards since the use of cash has plummeted in the days of COVID and there are little signs of its use bouncing back.

Bad idea: An Australian bank wants to spray disinfectant from drones in schools and aged care

Not yet done with raising privacy questions, the review also recommended looking into a way to download information from smartphones that could help contact tracers. As is standard, the review said it should be based on citizen consent, and as any privacy-minded person would tell you, authorities have absolutely, positively never bluffed or misinformed their way to get into a person's home, nor have they convinced someone to hand over a phone when they didn't want to.

Is it outrageous that payment data and smartphones would be taken to get information into the contact tracing systems that the review proposes? Yes. But we are also talking about a virus that, despite what some may choose to believe, is fatal.

If a knife-wielding assailant had been running around town since March, randomly stabbing a couple of people a day, and part of the solution to stopping them was to examine payment data, it would be brave privacy absolutist that stood in the way of that action. But that is the sort of vexed question of balance that now faces nations as they battle with the virus until a vaccine is hopefully rolled out.

Magical thinking that some sort of automated dream system could be used was dismissed in the report. In a system where the stakes are this high, the option for humans to eyeball the data is essential, it said.

"Importantly, whilst a fully digital contact tracing system can dramatically improve the efficiency of contact tracing, it will never replace the need for well-trained contact tracers and expert public health oversight," the report stated.

Similarly, even if the sort of data exchange desired by the report's authors was created -- one where data is not stored in the exchange and quickly pulls from disparate sources spread across all levels of government from airline passenger manifests to vaccination statuses, all the while simultaneously preserving as much privacy as possible -- there are no guarantees it would work. In fact, the opposite is more likely.

"Even with the best systems in place, outbreaks are likely to be unavoidable," the report said.

Trying to find the balance between wanting to clamp down on outbreaks as quickly as possible and preserving individual freedoms is and has been a job that looks different for every society: China and its door-welding approach has sat on one extreme while the individual-centric United States has been on the other.

It's tempting to think the measures taken would be temporary, and therefore unquestionably necessary, in the current situation of fighting the fight in front of us. But with parts of the Australian government apparatus stating last week that they are expecting other zoonotic pandemics to follow in the wake of COVID-19, the balances that are struck will be with us for some time.

Adding to that, Australia is without any sort of human rights charter, a lone title among western democracies. Instead, it seems to operate on the famous Denuto vibe argument.

"Australians do have a lack of understanding of the rights framework within Australia. They do think we have rights protected that we don't have protected," Law Council of Australia president Pauline Wright told the National Press Club said on Wednesday.

"Australians also, the data shows, are quite compliant to regulation. Australians like being regulated. They like rules and [when] something goes wrong, they say 'there ought to be a law against that' -- and that is the way Australians behave."

Wright added that so far in the pandemic, it's no surprise that Australians have been "fairly compliant".

"I think that we, in some ways, we can be proud of that because people who have been behaving as a collective and saying we want to protect other Australians and ourselves against this disease, so we will do this," she added.

"But that social compact will break down if the government takes it too far -- it will break down. At the moment, it hasn't, -- apart from certain pockets."

Wright used the opportunity to argue for human rights legislation at the national level.

As a first step, it would simply be nice if governments will tear down the apparatuses built since the start of the year when they are no longer needed. But if past form is any indicator, the omens are not good.


The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.


Editorial standards