Phone tracker data safety ‘must be guaranteed’

Victoria’s Information Commissioner has called for safeguards to be placed on the government’s COVID-19 contact-tracing app.

Elias Visontay and PAUL MALEY

2 min read

7:31PMApril 20, 2020.

Updated 12:30AMApril 21, 2020

Victorian information commissioner Sven Bluemmel. Picture: Supplied

Victoria’s Information Commissioner has called for data-storage safeguards to be placed on the government’s soon-to-be-released COVID-19 contact-tracing app.

Sven Bluemmel’s call came as Government Services Minister Stuart Robert spent Monday reassuring Australians the technology was safe to download, after Nationals MP Barnaby Joyce said he would not download the app because of privacy concerns.

The software is designed to help authorities track down anyone who has come into contact with confirmed cases of COVID-19. When two smartphones come within 1.5m of each other, and remain so for 15 minutes, an interaction or “digital handshake” will be recorded on each phone.

A user’s name, contact number, age range and postcode will be stored on the smartphone, and will be downloaded to a government database for use by state health authorities only if another user they have come into contact with is diagnosed with COVID-19.

Mr Bluemmel said data collected by the government should not be able to be “reidentified” to a specific user. He noted two instances of government data collection in recent years — a Medicare data set and Victorian public transport usage data — that had been designed to be recorded anonymously but were able to be matched to specific people by hackers.

Mr Bluemmel also stressed the importance of storing data from diagnosed users across a decentralised database “to make it a less attractive target”. He argued it was “entirely appropriate” to question the safety concerns of the app and said “the voluntary nature of the app is crucial” for the government to maintain trust with Australians.

While the government has said the app would not collect location data, only proximity information, Mr Bluemmel said such measures were “not always foolproof” and that location data could still be inferred.

Mr Robert said while the ultimate intention was to destroy any data collected by the app, it would be protected with the highest encryption until then. “The encryption is being done in concert with the Australian Cyber Security Centre and the Australian Signals Directorate,’’ he said. “So you’d have to defeat ASD.

“When the pandemic is finished, I’ll be encouraging everyone to delete the app. The data base will be destroyed and we’ll get external assurances that that has been done.’’

He acknowledged it could be a target for state-sponsored hackers but no more so than existing data sets kept by agencies such as Medicare and Centrelink.

Mr Robert said discussions were under way within the government about enshrining privacy protections in legislation to be passed in the next sitting of parliament or by regulation.

He said no commonwealth agency or police force would have access to any data collected by the app, which has been modelled on a similar app used in Singapore.

The government believes 40 per cent of Australians will need to download the app for it to be effective, and has committed to releasing the app’s source code to allay further privacy concerns.

Law Council of Australia president Pauline Wright expressed concern over the privacy implications, calling for a “comprehensive privacy impact statement” to be released publicly and for “strict limits on what kind of data can be collected and … how long data can be kept and when it must be deleted”.