Edward Greaves

Perth Barrister


COVIDSafe App

26 April 2020 By Edward Greaves

This blog post addresses the legal structure that underpins the COVIDSafe app (colloquially the COVID tracking app) released for Apple App Store and Google Play Store by the Australian Government Department of Health on Sunday 26 April 2020. The official website for the COVIDSafe App is: https://www.covidsafe.gov.au/

I stress this blog post is not focused on the technical (IT) aspects of the App, nor the public health benefits/detriments.  They are matters outside my expertise.

Biosecurity Act Determination

The App is supported by a Determination (Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020) made by the Federal Health Minister, the Hon Greg Hunt, on 25 April 2020. The Determination was made under s477 of the Biosecurity Act 2015 (Cth). The Determination itself can be downloaded here.

Paragraph 6 of the Determination expressly prohibits use of COVIDSafe App data except as permitted under the Determination and then goes on to explain the use that can be made. Essentially the use is for contact tracing (a term defined in the Determination) by State health authorities. There is one additional use buried in paragraph 6(2)(e); namely producing statistical information that is de‑identified.

Use of Amazon Web Services

The Government say that if, and only if, you are diagnosed with Covid-19 you will be asked (voluntarily) to upload your COVIDSafe app data to a cloud server. It has previously been announced that the server will be run by Amazon Web Services.

There has been no suggestion that real time data will be constantly uploaded to Amazon by the App running in its normal state.

Access to App data

Before the Determination was available I was concerned by the Australian Government’s choice of Amazon Web Services to provide the cloud support. My primary concern was that, even if the data was kept (by Amazon) solely on an Australian server, Amazon could be required under United States law to hand the data over to US authorities (eg the FBI). Thereafter I was concerned that the FBI could share the data with a wide range of Australian authorities.

I still think that remains a concern (at least at a theoretical level). The Government have tried to address it by providing in paragraph 7(3)(b) of the Determination that COVIDSafe app data cannot be disclosed outside Australia. That may still create a conflict of laws problem. If a parent company of the Amazon group is served with a subpoena that is valid under US law, I would not be certain that it would resist the subpoena on the basis that to do so would contravene Australian law. The US Government may still be able to obtain Australian COVIDSafe app data.

In a press conference on 26.04.2020 at 3.30pm (AEST) it was said that “not even a court order in the investigation of an alleged crime” can penetrate the data. I think that statement is a little simplistic. It would have been preferable if the data was not only kept in Australia, but controlled either directly by the Government, or by a wholly Australian owned company contracted by the Australian government.

However, for reasons I will explain below, I don’t think that creates a major domestic risk to Australians.

Offences for misuse of COVIDSafe App data

Importantly, s479(3) of the Biosecurity Act 2015 (Cth) provides:

A person commits an offence if:

(a)  a requirement determined under subsection 477(1) applies to the person; and
(b)  the person engages in conduct; and
(c)  the conduct contravenes the requirement.

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

That is an indictable offence (the most serious type of Federal offence). (Section 4G Crimes Act 1914 (Cth).) 300 penalty units is $63,000 for an individual. The maximum fine for a company could be 5 times that: $315,000.

The protection goes further than simply saying “Police and intelligence agencies etc cannot access this data”. Such a protection would not have been a sufficient legal protection in my view. In Australia evidence that is illegally obtained by Police is often still admissible evidence in a criminal prosecution. (Bunning v Cross [1978] HCA 22; 141 CLR 54)

The actual protection offered by the Determination will make it an offence for the DPP to make use of the data. It is for this reason that I suspect the use of Amazon Web Services is not a major practical problem.

Even if an Australian law enforcement body (such as the AFP, Australian Criminal Intelligence Commission, State Police or similar) obtained COVIDSafe app data via the United States, they could not use it. To do so would be a criminal offence. If an Australian Police force illegally obtained data, it would be a further offence for the DPP to produce the evidence in Court. I am reasonably confident that a Court would not allow the DPP to commit an offence in the Court by doing so.

Consequences if you are identified as a contact of a COVIDSafe app user who tests positive

Take a hypothetical scenario:

  • X and Y both have the app.
  • X and Y are in contact with each other for 15 minutes, and each person’s phone records the details of the other person.
  • X tests positive to COVID-19.
  • X voluntarily uploads their data to the Government.

In this scenario it seems to me the relevant State health authority will know that Y was in contact with X. It would be easy for the State health authority to impose a legally binding isolation / quarantine obligation on Y. I suspect the State health authorities could also force Y to be tested for COVID-19.

My theory on this scenario appears to be supported by the App’s privacy policy, which states: “Contact users may be advised to take such measures as are required by their State or Territory (such as self-isolating). Failure to comply with these measures may be in breach of State or Territory law.”

The merits of this approach could reasonably be debated. It might have been preferable if the system were designed so that nobody’s name or phone number was recorded by the COVIDSafe app, and that when X uploaded their data, the server simply sent an automated notification to Y’s phone saying “On {date} you were {for …. minutes / hours} in contact with a person who has since been diagnosed with COVID-19. Please seek urgent medical advice”.

Since I first wrote this blog a similar approach has been advocated (and articulated in more detail) by Proton Mail. See their blog post: https://protonmail.com/blog/privacy-contact-tracing-apps/. It also links to a comic that explains how a privacy-focused tracing app should work.

Coercion to use the COVIDSafe App

Shops and the like cannot require you to download the app if you want to enter their premises.

Employers cannot require you to download the app.

These protections are found in paragraph 9 of the Determination. Prohibited coercion appears to be an offence under s479(3), quoted above.

Legislation

It seems to me the Determination is a valid way of enabling the COVIDSafe App from the outset. I note the Government’s website says:

These provisions will be enshrined in legislation when Parliament returns in May.

That may be a ‘belt and braces’ approach to ensure validity.

Health aspects

I note the Australian Medical Association appears to support the app.

Technical aspects

It has been suggested the Government would make the code for the App available on an open source basis, so that it can be independently reviewed. It does not appear that has occurred as yet. Many people (including me) would feel more comfortable if the source code had been independently reviewed. That is particularly so given the Australian Government does not have a great track record with data security.

A number of people have carried out their own investigation into the technical aspects of this App. One such analysis can be found here. I do not vouch for anything said in the review but found it interesting.

Conclusion

Everyone has to make their own mind up about downloading the App. It does seem to me the legal protections are adequate. Whilst I would have preferred some slightly different implementations (as discussed above), subject to technical reviews of the source code I will download the app.

About Edward Greaves

Edward Greaves is recognised as an expert barrister in relation to matters under the Proceeds of Crime Act 2002 (Cth), the Criminal Property Confiscation Act 2000 (WA), and other State Confiscation and Asset Forfeiture regimes. He also specialises in AMLCTF, complex and financial crime (including fraud, money laundering and serious drug offences) and offences under the Corporations Act.

Edward Greaves is the author of the Confiscation chapter of LexisNexis’s Criminal Law Western Australia.
