Australia’s COVIDSafe app has been out for three weeks now but despite the government’s draft legislation stating the data cannot be accessed outside of coronavirus tracing purposes, some of its vague wording is causing legal experts concern over potential misuse.
The COVIDSafe app launched on April 26 and more than 5 million Australians have since downloaded the app, according to official figures.
While there were initial concerns about the app’s privacy implications, software developers have since torn down the app to reveal most of those concerns were unfounded. The government has since delivered on a promise to release the source code and while some developers have found privacy bugs within the app, the flaws are not causing serious alarm for the time being.
But despite the app seeming mostly fine on a software level, legal and tech experts still have their reservations about gaps in the legislation that could see foreign governments such as the United States access data held by the app’s datastore under certain circumstances.
The app operates using Amazon Web Services (AWS), meaning that when you sign up, you consent to the information you put into the app — your name, postcode, age range and phone number — being stored on AWS servers and released to authorities if you’ve been in contact with a confirmed COVID-19 case in the past 21 days. If you are confirmed to have COVID-19, you will need to provide consent to health authorities to inform those people who have been in close contact with you.
It is important to note that the AWS datastore holds the highest security certification as deemed by the Australian Cyber Security Centre (ACSC) and is used widely by the Australian government because of that security level. Despite this, Amazon, being a U.S. company, is also bound by U.S. law.
It’s something Dr Monika Zalnieriute, a technology law expert at UNSW Law, is following given the rapidly evolving nature of technology and the legislation trying to keep up with it. She is writing, along with her colleague Genna Churches, an academic piece and policy submission on the issue.
“In short, there is no Australian law, which would explicitly prevent access by overseas governments or sharing personal data of Australians with foreign governments,” Dr Zalnieriute told Gizmodo Australia over email.
Foreign governments could be interested in the data of Australians for the purposes of a criminal investigation that threatens national security as well as general intelligence gathering.
“As we know the U.S. has a big appetite for data, and might want it for many reasons – just to have the data in case it might be relevant. Yet, it can request it for the purposes of investigating criminal activity,” Dr Zalnieriute said.
Genna Churches, a PhD candidate working with Dr Zalnieriute, explained Australia’s own laws allow the U.S. to access metadata — personal telecommunications data, which has a murky definition in Australia — held in the country by companies like Amazon in the case of a criminal investigation.
“There is an explicit provision under the Telecommunications Interception and Access Act 1979 (Cth), which permits the disclosure of metadata to overseas agencies. Under Division 4A of the Telecommunications Interception and Access Act 1979 (Cth), the AFP can authorise the disclosure of metadata for the enforcement of criminal law of a foreign country,” Churches said, though the legislation now rules out the possibility of COVIDSafe data being included under this law.
The data being accessed might be minimal but principle comes into play
When you sign up for the COVIDSafe app, you willingly hand over a limited amount of information. This includes your mobile phone number, name, age range and postcode.
Professor Katina Michael, a cybersecurity expert at University of Wollongong, has explained the data held by Amazon Web Services is ultimately minimal. At its core, it’s data confirming whether you’ve been in proximity with an infected individual in the last 21 days plus the information you entered upon sign up.
“The COVIDSafe app does not contain ‘location-based’ data in the proximity records of a user, but there is a ‘time stamp’ and a ‘proximity anonymous identifier’,” Professor Michael said to Gizmodo Australia.
Professor Rubinstein, an information security expert at the University of Melbourne, believes this information is actually more valuable than it seems on the surface – and that more information can be gleaned from the four data points than initially obvious.
For example, the app can record the contact between two COVIDSafe users down to the millisecond and when cross-checked with other details, such as postcodes and mobile numbers, it can offer a much more descriptive picture.
“Your app logs contacts with other phones running COVIDSafe, specifically the contact time down to the millisecond, the unique ID you sent to that contact, the unique ID that contact sent you, the contact phone’s make and model, and the signal strength of the Bluetooth connection,” Professor Rubinstein said over email.
It’s because of this that Professor Rubinstein believes it’s a better idea to build in technical limitations than to rely solely on legislative restrictions. One solution is to de-centralise the data by having the phone generate and store the unique IDs, rather than using the AWS-supported datastore to hold all the registration data together.
“While legal measures are an excellent back stop, technical measures are readily available to eliminate the possibility of this leakage with little apparent effect on contact tracing — via a de-centralised approach,” Professor Rubinstein said.
“A key improvement of de-centralised approaches over COVIDSafe’s centralised approach, is the [list] of contacts is not shared. A de-centralised approach would reduce some of these privacy flaws with little apparent effect on contact tracing, and could be achieved with modifications to COVIDSafe. Put simply, instead of obtaining IDs from the National data store, the COVIDSafe could generate IDs on the phone.”
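To make the distinction concrete, here is an added toy model (not COVIDSafe’s code, and not a description of its actual protocol) contrasting a scheme where a central server mints every ID with one where each phone generates its own. In the first, the server that issued the IDs can resolve an uploaded contact log into a graph of registered users; in the second, only the infected user’s own IDs are published and matching happens on each phone. The names, timestamps and the eight-byte IDs are constructed for the example.

```python
import secrets
from collections import defaultdict

# Toy model, not COVIDSafe's real code: who can learn the contact graph when
# IDs are minted by a central server versus generated on each phone.
class CentralServer:
    """Issues every rotating ID and remembers which phone received it."""
    def __init__(self):
        self.id_owner = {}                     # issued ID -> registered phone
        self.contact_graph = defaultdict(set)  # learned from uploaded logs

    def issue_id(self, phone):
        tok = secrets.token_hex(8)
        self.id_owner[tok] = phone
        return tok

    def upload_contacts(self, uploader, log):
        # Having minted every ID, the server resolves both ends of each contact.
        for their_id, _ts in log:
            other = self.id_owner[their_id]
            self.contact_graph[uploader].add(other)
            self.contact_graph[other].add(uploader)
        return {k: sorted(v) for k, v in self.contact_graph.items()}

class Phone:
    """Generates its own IDs locally; no server-side ID registry exists."""
    def __init__(self, label):
        self.label, self.my_ids, self.seen = label, [], []

    def new_id(self):
        tok = secrets.token_hex(8)            # never registered anywhere
        self.my_ids.append(tok)
        return tok

    def observe(self, their_id, ts):
        self.seen.append((their_id, ts))      # Bluetooth encounter record

    def is_exposed(self, published_ids):
        # Matching runs on-device against the infected user's published IDs.
        return any(tid in published_ids for tid, _ in self.seen)

def centralised_demo():
    srv = CentralServer()
    a_id, _b_id, c_id = (srv.issue_id(p) for p in ("alice", "bob", "carol"))
    return srv.upload_contacts("bob", [(a_id, 1000), (c_id, 2000)])  # Bob's log

def decentralised_demo():
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    alice.observe(bob.new_id(), 1000); bob.observe(alice.new_id(), 1000)
    bob.observe(carol.new_id(), 2000); carol.observe(bob.new_id(), 2000)
    published = set(alice.my_ids)  # Alice tests positive, publishes only her IDs
    return {p.label: p.is_exposed(published) for p in (alice, bob, carol)}
```

In the centralised run the server ends up holding Bob’s full contact list resolved to named users; in the decentralised run it relays a handful of IDs and learns nothing about who met whom.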
For Dr Zalnieriute, however, it’s not necessarily what data can be captured now but how it will shape what data can be accessed by authorities in the future. Law enforcement has shown it can exploit legal vulnerabilities in the past — with the metadata legislation for example — and it’s that ‘mission creep’ that worries Dr Zalnieriute most.
“Based on what we have seen with the decades of creeping data tracking and interception laws in Australia, ‘mission creep’ is inevitable,” Dr Zalnieriute said.
“This vagueness [of legislative language] will then be relied upon by Australian law enforcement and security agencies to exploit loopholes in the existing privacy, data retention and interception legal framework, which is already very confusing.”
As with all questions of data privacy, it’s a battle between principle and practicality. Most law-abiding Australians might not care about the government having a bit of our data here and there but as we hand over more of it, we start to lose control over something important to many — our personal information.
Of course, the simplest way to quell any of these fears is to just delete the app and the data once its usage is no longer required. To do that, you’ll need to fill in a data deletion request and wait for it to be processed. Ultimately, however, the app’s purpose is to help control a public health crisis so for many, that’s not really a solution.
The CLOUD Act provides the U.S. its infrastructural data empire
The specific foreign legislation causing concern is the U.S. Clarifying Lawful Overseas Use of Data Act, more commonly known as the CLOUD Act. This act allows the U.S. to access data from any U.S. company, regardless of where it is situated in the world, for the purposes of a criminal investigation. The issue is many of the world’s biggest tech companies — Google, Microsoft, Amazon and Apple — are all bound by this law.
While in theory the CLOUD Act states it can compel data from those companies regardless of geographical location, experts are conflicted over whether it could actually supersede Australia’s domestic laws in practice.
“All services operated by U.S. companies are bound by the U.S. CLOUD Act, and this means that data stored in Australia by AWS is accessible by the U.S. authorities directly, without the need for any special requests under Australian law or mutual assistance agreements,” Dr Zalnieriute said.
“The dependency of world governments on U.S. tech capacity, and no ability to negotiate on equal terms here is clear,” she said. “[The CLOUD Act] reveals the degree of the U.S. infrastructural data empire, when you realise that U.S. government can access the data from most COVID tracing apps around the world easier than the very governments running them.”
University of Melbourne health data expert Associate Professor Mark Taylor is less certain the CLOUD Act would override domestic laws but admitted it could happen under specific circumstances. This is because of rules written into law by the Health Minister, known as a determination, put in force upon the app’s release. Those have now been strengthened by an amendment bill passed in parliament on May 14, which reiterated many of the determination’s key points.
“[The] determination… made under the Biosecurity Act 2015 [stated] that data collected by the COVIDSafe App must not be disclosed except for the limited purposes described. AWS should challenge any order to disclose under the U.S. CLOUD Act on the grounds that it would materially risk violating Australian law,” Professor Taylor said over email.
Gizmodo Australia contacted Amazon Australia to understand what it planned to do in the event that a CLOUD Act order required it to release any data it stores.
“AWS supports organisations around the world including the Australian Digital Transformation Agency in the fight against COVID-19 by providing the technology needed to measure the spread, test patients, monitor impacts, decode immune system responses, develop treatments, and many other critical functions,” a spokesperson for Iain Rouse, AWS Country Director for Public Sector in ANZ, said to Gizmodo Australia.
“With comprehensive services and features that enable customers to meet the highest security and compliance requirements, AWS can empower customers to move at the speed necessary to have an impact. As always, customers must adhere to applicable security and privacy laws in their jurisdictions.”
While Amazon was careful to avoid mentioning the act in its statement, Gizmodo Australia understands it’s aware of its legal obligations under the U.S. CLOUD Act but believes the act only applies to a narrow category of data — evidence sought in connection with a crime, such as terrorism, over which the U.S. has jurisdiction.
Draft legislation aims to plug some of these holes
The Australian government’s legislation does specify it’s illegal for someone to disclose data to a person outside Australia — but it’s unclear if this would stop a foreign government from accessing the data.
Reassuringly, concerns about the potential legal ramifications of the COVIDSafe app are something the government is aware of.
Gizmodo Australia asked the DTA whether the legislative loophole that could allow the U.S. CLOUD Act to override Australian law was taken into consideration when it chose Amazon Web Services to host the data. The DTA denied that the CLOUD Act would supersede the legislation but did not provide an explanation as to why. Instead, it stated that the amendment legislation passed in parliament strengthens the protections outlined in the determination.
“The Declaration under the Biosecurity Act specifically says a person must not disclose the data to a person outside Australia. The legislation to be introduced in May will mirror these protections,” a DTA spokesperson told Gizmodo Australia in early May prior to the legislation passing parliament. “It is a misunderstanding to suggest any overseas laws would diminish the triple-lock protection of the COVIDSafe app.”
Indeed, the government’s legislation amendments further strengthen the protections, calling the disclosure of data to a person outside of Australia a “serious offence” punishable with fines and jail time. The amendment’s vague language still doesn’t specifically clarify potential issues surrounding the U.S. CLOUD Act.
It’s been a bumpy road for the tracing app plagued by a government with a history of technological fumbles to its name. While the app may well be an important tool in the fight against a global pandemic, until the legislative issues are addressed, criticism of the COVIDSafe app will no doubt continue.
UPDATE: 15 May, 2020: This article has been updated to reflect the release of COVIDSafe legislation passed in parliament on 14 May. The new legislation does not make specific mention of the CLOUD Act, but Minister for Foreign Affairs Marise Payne stated Thursday: “In relation to the CLOUD Act, any transfer of data to any country outside Australia will constitute a criminal offence under the provisions of the bill and attract a penalty of five years imprisonment.”
The article has also been updated to clarify that COVIDSafe app data is not defined as telecommunications data, as made clear in the new legislation.