The Australian: Contact tracing app is not Big Brother

23 April 2020

This article was first published in The Australian on 22 April 2020.

The Federal government’s plans to introduce an app based on the Singapore government-developed app TraceTogether to help prevent the spread of COVID-19 has stirred controversy, pitting public health practitioners on one side and privacy advocates, security specialists and conspiracy theorists on the other.

It is important to examine closely the risks of an app like TraceTogether but first we need to understand how it works in Singapore.

Once installed from the Google or Apple App Store, TraceTogether generates and stores a unique User ID on the user’s phone. This ID and the mobile phone number are uploaded to the Ministry of Health in Singapore. The app runs in the background, using the phone’s Bluetooth connection to “listen” out for other devices within Bluetooth range that also have TraceTogether installed and running.

If two devices stay close enough for long enough – around 15 seconds – the apps will connect over Bluetooth and exchange User IDs. TraceTogether saves this User ID, along with the time and duration that it was within Bluetooth range, in an encrypted form on the phone.

No data is transmitted to or stored anywhere other than on the user’s phone, unless they test positive for COVID-19. In that case, and with their consent, the User IDs stored on the affected person’s phone are shared with the government, which then matches these with phone numbers to identify other people who have been close to the affected person for the required period of time. These people are notified by text message that they should be tested.

Any app worth using on a mobile device needs access to certain device data and functionality. For TraceTogether this access extends to location data and Bluetooth settings (naturally), photos and media, network connections and internet data, and the ability to run at start-up and in sleep mode. Without this the app will not generate the data necessary to be useful in tracing COVID-19 contact risk.

In Australia, many critics of the app have lined up around privacy concerns; some contend that TraceTogether is a Trojan Horse that takes us one step closer to a surveillance state. Whether that concern is valid depends on whether we believe TraceTogether does what it says it does and only that.

To be clear: TraceTogether doesn’t allow the government to track a user’s location any more than a mobile phone already does. All data is stored on the phone and only shared with government if users choose, and after they have tested positive to the virus. If Telstra and Optus, or Google, Facebook and Apple, can track us at all times, is it a concern if we allow the government to do the same in a pandemic? If we understand that any proposed app is doing far less than what we already allow our phones to do, why the uproar?

It is true that if someone tests positive and uploads their data to the government, anyone who has been near that person will unknowingly find the time, date, duration and possibly location of their contact also shared with the government via their own User ID. But presumably if they have downloaded the app they’re OK with that, and keen to know if they have come into close contact with the COVID-19 virus?

The Australian government has been clear that once the pandemic has passed users are free to uninstall the app and any data stored on the app at that point is scrubbed. It is worth noting that in Singapore all of the data that has been shared with the government by COVID-19 positive users of the app is ultimately stored by the Singaporean government. How securely this data is stored, for how long, and who has access to it is not disclosed in either the app store or on the GovTech Singapore website. That may account for the relatively lukewarm take-up rate – 20 per cent – for the app by Singaporeans to date and is an issue Australian authorities need to resolve. The Australian government has said its app will only retain three weeks’ data on phones. Older data is deleted when it is 21 days old.

Beyond privacy, some critics have pointed to the risk of the TraceTogether app being hacked. This is a real concern given that it is running in the background at all time and enjoys considerable access to device data and network connections. From a data security standpoint, any app that is constantly seeking out and automatically pairing with other devices to share data presents risks. It was only last year that a critical vulnerability was found (and repaired) in Bluetooth that allowed attackers to circumvent the platform’s encryption. To ensure the target of at least 40 per cent uptake in the government needs to explain what safeguards have been placed around TraceTogether to protect malicious third parties piggybacking on the app to gain access to personal data.

Australia has done exceptionally well in managing the impact of coronavirus on population health, with only 71 deaths as at the time of writing compared to tens of thousands in comparable countries overseas. Notwithstanding some grumbling, we have been prepared to trade off personal convenience and liberties for the public health good. TraceTogether would seem a natural extension of that willingness to trade.

Most of us share, unwittingly or otherwise, far more detailed and valuable information each day with Google, Apple and Facebook than would be shared from TraceTogether. On our assessment, while TraceTogether does present certain security risks around Bluetooth, privacy concerns are overcooked and stem from a poor understanding of how the app works. It is not Big Brother, or the beginning of a slippery slope to privacy violation.

Debate around TraceTogether is a mirror of the wider debate on how best to respond to COVID-19 and “flatten the curve”. To get the 40 per cent uptake needed to make TraceTogether effective, the government will need to carry the same argument that it has to date, that we need to trade off some freedoms for the public health good.