Get InQueensland in your inbox Subscribe

Five key questions about govt's contact tracing plans


The Federal Government will soon introduce a contact tracing app, which aims to identify who someone diagnosed with COVID-19 may have come into close contact with in case they need to be tested or quarantined.

Print article

But so far, the plan is a little light on detail.

The smartphone app will be modelled closely on one similar to that used by the Singaporean Government, according to a spokesperson for Government Services Minister Stuart Robert.

“This new tracing app will be voluntary and will digitise the current contact tracing process that already occurs when an individual tests positive to coronavirus,” he said.

“This app will ensure health authorities can get the full picture and not rely solely on the memory of an infected person.”

For the initiative to work most of us will need to use the app; it’s estimated that at least 40 per cent of the population will need to adopt the technology for it to succeed.

But before hitting download, we still need to know much more about how the app works and what happens to the data it collects.

Who will have access to our data?

The Government’s app is not yet available and the Digital Transformation Agency did not respond to detailed questions about how it will work.

But the Government has said Australia’s app will be “modelled” on Singapore’s TraceTogether. So for now, it’s our best indication of how it will function.

TraceTogether uses Bluetooth to create a record of other nearby phones that also have the app, but it does not track their location.

Bluetooth is a short-range wireless protocol, often used to connect your phone to speakers or headphones.

According to Mr Robert’s spokesperson, the app’s data will be fully encrypted, and “close contacts” will be shared with health authorities only after an individual has tested positive and consents to sharing their information.

But we also need to know if the data the app collects will be treated in a centralised or decentralised way, said Vanessa Teague, cryptographer and chief executive of Thinking Cybersecurity.

If it’s centralised and you test positive for COVID-19, the Government or health authority may be able to access a list of encrypted ID codes for all the close contacts you’ve had.

The Government will “unlock” that data or use it to notify potential contacts.

In Dr Teague’s view, this model raises problems of both reliability and privacy.

If there is only one government service that has the decryption key and it goes down, for example, we may not get the critical connections needed to quickly identify other infected people.

Meanwhile Apple and Google are also developing a digital contact tracing system that appears to avoid a central point of data collection, according to Dr Teague. (Mr Robert said this week the Government is not working with Apple and Google.)

When will the app be switched off and could it be used for something else?

Before rolling out technology built for a pandemic, we need to know if and when it would be “switched off”.

Technology that records who we’ve been physically near, even if that information is encrypted, raises serious implications, and may be tempting to use in other contexts like terrorism cases.

“This has to be absolutely limited,” said Kimberlee Weatherall, technology law professor at the University of Sydney. “It has to have sunsets, and some real-time limits.”

To win public trust in contact tracing, we need “genuine transparency” about how the app’s data will be treated and when it will be deleted, said Anna Johnston, director of Salinger Privacy.

In particular, she said, we need to know it won’t be used by authorities for another purpose — even to track a different disease.

What privacy protections will be in place?

According to the Government, the app will be subject to a Privacy Impact Assessment before it’s rolled out, but it’s still not clear who will have oversight or if there are penalties for misuse.

Previous government health data projects like My Health Record required serious legal and technical overhauls after public pushback.

It is also unclear how the app will interact with privacy legislation. Federal privacy laws, for example, require informed consent before health information can be collected.

If the app was designed in a way that prioritises preserving people’s privacy — which means no central government collection of health information or contact information — changes to privacy law may not be required, Johnston said.

But the legal implications are more complex if at any point one authority collects identifiable information, say, a list of phone numbers of potential contacts.

“You would have to have an exemption from the privacy law to collect information about all the people I was proximate to, because I don’t have their consent,” she said.

Could your employer force you to use the app?

Digital privacy is often built around the idea of consent — when you click “I agree” to those terms and conditions you didn’t read when downloading an app.

But among many privacy advocates and legal experts, consent is not always considered the best way to protect privacy.

The app is not mandatory, so how will government protect people from being penalised or excluded for not using it?

For example, what would happen if employers tell workers it’s compulsory to have in the workplace?

More Insights stories

Loading next article