“Function creep could occur and the system might never be dismantled. That’s always the danger with emergency measures, that the emergency never actually ends.”
NSW may be newly liberated from COVID-19 lockdowns, but we have never been under such pervasive surveillance. Privacy experts are sounding the alarm on mandatory check-ins.
The Federal Government’s COVIDSafe app was the first iteration of new track-and-trace technologies introduced in the past 18 months to help reduce the spread of COVID-19. Launched in April 2020, right at the beginning of the pandemic, it was designed to use Bluetooth “handshakes” between devices to help record close contacts between people to reduce the risk of transmission.
By most measures, it was a failure. The technology cost more than $9 million but, according to a recent investigation by ABC’s 7:30 program, the app only identified 17 close contacts that state contact tracers had missed since the outbreak began. It faded from public consciousness almost as quickly as it arrived, and state alternatives took its place.
Mandatory check-ins using QR codes became the new normal. Each state rolled out its own version – in NSW, it was a bolt-on to the pre-existing Service NSW app – while governments hastily enacted new public health orders to ensure compliance. Businesses in NSW now risk a $5000 fine if they fail to take “reasonable measures” to ensure patrons check-in; members of the public face a liability of $1000.
Australia is in the midst of an extraordinary period of public scrutiny. But how is the data being used? Who can access it? How is it being protected? Will the information collected ever be deleted? Can the government use it against us? Do we have rights? When will we stop having to check in everywhere?
These important questions are causing privacy experts to voice serious concerns.
There are at least six occasions so far in which state police officers have accessed check-in data.
A Queensland police officer used a lawfully obtained search warrant to access check-in data in June after his service pistol and taser were stolen from a regional pub during the first State of Origin match. Police saw it as a logical step in solving a crime, but the incident shook public confidence in the technology, prompting the state’s privacy and human rights commissioners to call for the data to only be used for contact tracing. (As it happened, the gun was later found at the pub, though the taser was still missing.)
“The data was accessed in relation to a group of people reported to be acting suspiciously in the area around the time of this incident,” a police spokesperson said, explaining that the incident had prompted the Queensland Police Service to review the rules around accessing this type of information.
“The new policy directs officers not to apply for a search warrant in relation to data gathered for public health-related purposes collected by COVID-19 tracing apps except in extraordinary circumstances.”
Western Australia Premier Mark McGowan promised the public that check-ins logged in the SafeWA app would be: “Encrypted at the point of capture, stored securely, and only be accessible by authorised Department of Health contact tracing personnel, should COVID-19 contact tracing be necessary.”
Even so, WA Police issued warrants for check-in data while searching for witnesses in two criminal cases. One was authorised in a murder investigation regarding the death of Rebels bikie Nick Martin, and one was a stabbing. Though the data was ostensibly accessed in good faith for the criminal investigation, it caused an outcry, and the government decided that confidence in the pandemic response had to take priority. The simplest solution was that nobody should have access, so the state parliament rushed through legislation closing the loopholes.
Victoria Police has also made at least three attempts to access check-in data, however, reports suggest they have been unsuccessful. Meanwhile, NSW, South Australia, and the Northern Territory, have clearly stated that police will not be allowed to view contact tracing information.
This is not just a concern for those caught doing the wrong thing. Data from the Office of the Australian Information Commissioner (OAIC) shows that 70 per cent of Australians see privacy as a major concern. Further, while 60 per cent of us support some kind of tracing to keep us safe, we don’t want it to be permanent.
Angelene Falk has been the Australian Information Commissioner and Privacy Commissioner since 2018 and has seen tremendous change during her tenure. She expressed her concerns over the concessions Australians have made to privacy since the pandemic began in an op-ed published in The Australian in September – indicating a slippery slope.
Use of personal information has undoubtedly been a pillar of Australia’s public health response, to great success. Border closures, lockdowns, and quarantines have been very controversial, but there’s no doubt they have prevented deaths – at the time of writing, only 1448 Australians have succumbed to the virus. But as infections spread, new public health measures were implemented at increasing speed.
“With the development of the COVIDSafe app, community concerns were addressed through a thorough and public privacy impact assessment, and strong privacy safeguards were legislated,” Falk wrote.
It was one thing the federal government got right – the app was a failure in almost every way, but not on the privacy front. When the state equivalents came into play, however, it took a back seat. The fact that citizens have been operating for so many months without clear privacy standards also leads to serious concerns about prospective vaccine passports, which are expected to be rolled out nationwide in coming months.
Being tracked at every moment of every day is icky, but it’s part of a much bigger issue.
This technology has become an essential component of our freedom. It tells authorities where we’ve been, what we’re doing, who we’re doing it with. The government uses this to assess whether we are allowed to cross borders, leave our homes, see our loved ones, or go to work. It reaches into all aspects of our lives, yet we don’t know how safe our data actually is. Could it be faked? Could it be sabotaged?
“We’ve seen these deeply held privacy concerns play out in the public response to QR code check-in apps, an area where most state and territory governments have now stepped in to mandate use of a secure and privacy-protective system,” Falk stated. “As part of any debate on the use of vaccine certificates for travel, work, or access to premises, privacy needs to be considered upfront.”
The OAIC has released five national COVID-19 privacy principles to guide a national approach to the measures being used to keep the public safe. This includes limiting the purpose of data collection, collecting the minimum required to achieve the purpose, taking all reasonable steps to protect data, destroying it once it’s not needed, and ensuring the public has rights under enforceable laws.
However, experts say this isn’t enough. Graham Greenleaf, a professor of law and information systems at UNSW, says the virus “has necessitated the most pervasive surveillance” we’ve ever experienced.
Greenleaf’s view is that these principles are too vague and still fail to address many questions. For example, police access is never specifically excluded. Data security measures are not defined. There is nothing to prevent the risk of unjustifiable discrimination (such as for those who are unable to be vaccinated), no clear rules to prevent “function creep”, and no provisions for a sunset clause.
“The worst-case scenario is that police and other law enforcement bodies may find if they’re allowed to access this QR code data is that they have all sorts of uses for it that have nothing to do with combatting COVID,” he tells LSJ. “Function creep could occur and the system might never be dismantled. That’s always the danger with emergency measures, that the emergency never actually ends.”
The consequences are potentially serious. We put a lot of trust in the government every time we comply with these practices – such as checking in every time we enter a religious institution. Under normal circumstances, Greenleaf says, that could be considered as a step towards an authoritarian state.
As such, he says it’s critical that measures of this nature have a clearly defined sunset clause.
Greenleaf says it’s for epidemiologists to decide, not lawyers, but there should be objective criteria and a clear mechanism for this system to shut down. Under COVIDSafe provisions, when the Health Minister was satisfied the app was no longer necessary to fight the virus, he was to make a declaration. At that point, the system should be dismantled, all data destroyed, and all apps uninstalled from phones. This is lacking from state provisions, meaning QR code check-ins won’t be riding into the sunset any time soon.
“These will need even more … protections than a vaccine passport because once the facial recognition genie is out of the bottle, it will be impossible to put back in”
OAIC Privacy Principles
Data minimisation: The collection of personal information, including sensitive information such as health information, should always be limited to the minimum information reasonably necessary to achieve a legitimate purpose. This includes considering alternative solutions which achieve the same purpose and do not require personal information to be collected into a record.
Purpose limitation: Information that is required to be collected for a specific purpose related to mitigating the risks of COVID-19 should generally not be used for other purposes. This is particularly important to ensure that Australians can have trust and confidence that their personal information is protected so they can continue to support the public health response to COVID-19.
Security: Reasonable steps must be taken to protect Australians’ personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. In line with community expectations, personal information should be stored in Australia.
Retention/deletion: Personal information should be destroyed once it is no longer needed for the purpose for which it was collected. The Australian community expects that the information they provide to support the COVID-19 public health response will not be retained indefinitely and should be deleted as soon as it is no longer needed.
Regulation under privacy law: Australians’ personal information should be protected by an enforceable privacy law to ensure that individuals have redress if their information is mishandled, either the Privacy Act 1988 (Cth) or a state or territory privacy law. This extends rights and protections to all Australians where their information is being shared for public health purposes.
Genie is out
Another interesting aspect of this situation is that none of it would be possible without the internet or our love for smart devices. Tracking was impossible during previous Coronavirus outbreaks, such as SARS in 2003 or MERS in 2012. Fast forward a few years, and the same technology that allows us to log runs on Strava or meet matches on Tinder now allows the government to enforce home quarantine.
Alec Christie is a partner specialising in technology law at Clyde & Co in Sydney. He tells LSJ it’s not just the government that is finding it “hard to resist the urge to use the data collected”, but also the private sector – even for those who say they have the best of intentions. This is important because community trust is critical to its efficacy. Contact tracing only works if people trust the system enough to actually use the apps, which means privacy must be a consideration from the get-go, not waved off as an afterthought.
The same applies to vaccine passports, which he says could be a “honey pot” for bad actors.
“There is no doubt in my mind that a vaccine passport could work in a cyber security and privacy protective manner. Most technologies can. The issue is ensuring that there are appropriate resources and effort put into building such [principles] into whatever the solution is from the beginning,” he says.
The risks are even greater for technologies that involve the collection and use of biometric data, such as facial recognition. This is currently being tested in new home quarantine apps across the country.
“These will need even more cyber security and privacy protections than a vaccine passport because once the facial recognition genie is out of the bottle, it will be impossible to put back in,” he explains. “Resultant malicious uses of our face or other biometric data may be impossible to spot or stop.”
But what about the other side? NSW Premier Dominic Perrottet is encouraging everyone to remember to check in and show their vaccination status, with cases expected to increase again as NSW progresses along its road map towards reopening. The state government has reserved the right to apply restrictions – including lockdowns – to manage infection rates as things slowly start returning to normal.
NSW Minister for Customer Service Victor Dominello introduced a “VaxPass” which enables check-ins while simultaneously displaying a user’s vaccination status.
“It’s one thing to store the certificate on the app. It’s another to integrate it with the check-in experience,” he said on October 8, prior to the state’s reopening. NSW is the first state to have this functionality, swiftly followed by Victoria and South Australia. This investment suggests Australia’s QR-code check-in systems are not going anywhere anytime soon.
At the end of the privacy versus freedom debate, one thing is clear: post-COVID recovery is a long and slow road.
Chief Health Officer Kerry Chant has said NSW residents may have to wear masks “for years” and show proof of vaccination at venues for a long time to come. We may also be required to get booster shots soon. And as we know, COVID-19 can mutate rapidly, shifting the goal posts at any time.