If you have been watching the news of late and let’s be honest, who hasn’t given we are a part of an unprecedented global pandemic? Then you would have heard of the announcement of a contact tracing application you install on your phone which notifies you and others if you’ve been in contact with anyone who tests positive for COVID-19.
On the surface, every day Australians will hear the government say, “If everyone installs this, we can ease restrictions faster and flatten the curve by being able to control the spread” – but for those in tech like myself who are critical of the government’s ability to produce an app that won’t be a privacy nightmare, things are a little more convoluted.
While I agree that unprecedented times call for unprecedented measures, an application that involves any level of tracing and data collection needs to be handled in a delicate manner. The app is based off of the Singaporean application TraceTogether which uses proximity (distance) to other phones and Bluetooth.
When you get close to someone else, the apps swap anonymised encryption keys which are stored on the phone and deleted after 21 days. After some initial confusion as to whether or not the app would be mandatory (not helped in part by authoritarian sounding remarks from Chief Deputy Medical Officer Paul Kelly), Scott Morrison cleared things up in a Tweet.
Allegedly, Morrison and others are pushing for an application which would have greater privacy protections than the Singapore application. However, we should be wary until we see the final application. Even some federal government MP’s have come out and said they won’t install it.
Installing government-sanctioned surveillance software on my phone would require some serious guarantees from the government before I would consider doing such a thing.
- A hard sunset date that cannot be extended. The government needs to provide a date in which the servers are wiped and the apps are rendered non-functional that they cannot freely extend.
- Guarantees that the scope of the tracking will not be expanded beyond its initial purpose. We all saw what happened with the site-blocking list legislation initially intended to block child pornography and other illegal sites, then amended to make it easier for the entertainment industry to block torrent sites.
- The code made completely open-source and freely accessible to not only security researchers but to the general public like myself who will want to dig into the code and see for myself what it is doing. Furthermore, the source code for the server as well to ensure that data isn’t being sent to an insecure honeypot.
- Protections put in place preventing who has access to the data sent to government servers. We all saw what happened with the mandatory data retention laws and reports of violations of people obtaining access to information which they shouldn’t have been able to.
We will see what happens when the app is released, but I implore others to be sceptical of a government created tracking application, even if on the surface the intentions seem to be good. We have seen time and time again the government passing legislation and reducing freedoms under false pretenses and then subsequently amending legislations to expand the scope.