The COVID-19 pandemic is shaking up practically every foundation of society. Both in terms of the health of its citizens and its economics, Australia is reeling from the effects of the virus, along with most other countries in the world. This has led to a number of initiatives to combat COVID-19’s spread, ranging from social distancing and self-isolation policies and advisements and the development of new technologies.
One of the newest technological innovations that might soon see the light of day is contact tracing apps. These applications would be installed on a plurality of mobile phones and enable government health agencies and citizens to know who is infected with COVID-19 and, thus, who to stay away from. However, such technology may come with a terrible cost to digital privacy. How will this affect Australia’s current privacy concerns? Let’s discuss.
What’s Going On? Contact Tracing? What’s That?
If you’ve been living under a proverbial rock, there’s currently a big pandemic going on affecting a huge proportion of the world’s population. COVID-19 is doing a lot more than just affecting physical health, however.
It’s also impacting the global economy. People can’t go to work, which is leading to mass layoffs and rent payment problems. Furthermore, national and industry leaders are scrambling in order to find ways to slow the rate of the virus spreading. They’re doing this in a number of ways, mostly through social policies; social distancing and widespread recommendation of mask use are two easy examples.
But another potential solution that has recently been gaining traction is “contact tracing”. In a medical context, this is referring to using technology to track known cases of COVID-19 for the purposes of projecting the virus spread rate and enforcing quarantines for infected individuals. Specifically, contact tracing has been proposed via implementation as a smartphone app.
This makes sense to a certain extent, given that almost half the world’s population owns a mobile device. But it also comes with significant privacy risks and lots of ethical questions.
How Does Contact Tracing Work?
The most famous example of a contact tracing app currently likely to succeed or be implemented across multiple countries is an app being jointly developed by both Google and Apple. This new application will be Bluetooth-based, using Bluetooth enabled devices and ensuring that it can work across both iOS and Android phones.
In a nutshell, the application will have an interface that allows public health organizations to tap into the movement data of affected individuals. Basically, the phone Bluetooth radios, which currently have a range of around 10 meters, will be able to keep track of a smartphone owner and ensure that they don’t come into contact with someone who is highly likely to have contracted COVID-19. This application could then alert the user and recommend testing locations or tell them to self-isolate.
Distinct Applications of Contact Tracing
More specifically, the contact tracing apps broadcast unique and rotating Bluetooth codes that are generated from a specific cryptographic key that can change every single day. In theory, this prevents hackers who already know the day’s key from getting too much information in the system before being locked out.
This lets app-enabled phones to monitor the phones around them record the codes of any other mobile device within a certain range and within a certain amount of time. Positive COVID-19 diagnoses can allow users to upload a unique code to the shared server so that any phone linked into the network can alert those who aren’t infected with the virus to stay away.
This being said, it still may be possible for people (or government officials) to track people surreptitiously even if there isn’t an official tracking function hidden somewhere within the application’s codes or permissions. Called “correlation attacks”, these essentially work if someone were to set up their mobile phone so they could see all of the contact tracing Bluetooth signals picked up from other mobile phone users.
If someone reported that they were COVID-19 positive, the spy or data collector could then receive all the keys from the contact tracing server and match up the codes as soon as the COVID-19 person passed by.
Possible Contact Tracing Concerns
Obviously, the regular privacy concerns that are pertinent whenever the government makes a new initiative to gather more data on its citizens apply here as well. The government of Australia and other developed countries can already gather incredible amounts of data from their citizens based on deals with companies like Facebook or Amazon, who openly or secretly sell data to government organizations and advertisers alike.
This can give organizations information about your likes, budget, schedule, and even more personal information like your identity.
Other data that can possibly be gathered include identification numbers, bank account information, and much more. With a dedicated tracing or tracking application on your phone, it’s not paranoid at all to wonder whether you are essentially offering up your digital identity on a silver platter to anyone who wants to partake.
Additionally, such tracking ability opens up the possibility of vigilante action, which can lead to negative consequences both for society and for anyone who happens to become infected with the coronavirus.
For instance, in our previous example of someone spying on connected phones and determining who contracted COVID-19, that spy could then take that information and post the person’s information and pictures for everyone to see. Any citizens that came to believe that the sick person didn’t take the correct precautions or purposefully left themselves open to coronavirus infection might decide to take action into their own hands. As you can imagine, this is a recipe for disaster.
Furthermore, there is some concern that these applications might be used for advertisements. We already live in an advertising inundated society where capitalism runs much of our daily lives and takes up a lot of our attention. Data-gathering technology and companies that we feed our information to (i.e. Facebook and Amazon) already use the data they have to advertise to us directly.
Essentially, they use data they already know to curate marketing campaigns or proffer certain products that we have more of a likelihood of buying even if we didn’t intend on purchasing anything in the first place.
This application could be used for further advertising potential. The above-mentioned correlation attack might be used for commercial tracking purposes. For instance, an advertising or marketing firm could install Bluetooth beacons in various stores or buildings and collect contact tracing codes that are emitted by customers who opt into the application.
Let’s say you go to the electronics store a few times a week while building a PC. This type of tactic could theoretically let someone trace your movements and determine that you were right for PC part advertising.
Of course, this scenario is a bit far-fetched. This type of tracing would rely on only tracking people who are COVID-19 positive, not general citizens. Besides, it’s likely that the places you shop at are already gathered by data-collection firms and marketing companies. Still, it’s a valid concern; we don’t necessarily want the implementation of surreptitious advertising to get even more complex or ubiquitous!
What About IP Addresses/Other Forms of Identification?
Virtually all of the contact tracing application variations that governments and companies are discussing are supposedly designed to not upload data from users. This is to keep people anonymous, particularly those who are eventually infected with the virus. Still, it does have to upload some data by design in order for the system to register a new COVID-19 positive individual.
As an example, the keys that such an application would theoretically use could still be linked to IP addresses on phones that upload the keys in the first place. Thus, anyone running the contact tracing server, like a government official, may be able to identify phones of people who report as coronavirus positive. It wouldn’t take a genius for someone to narrow down their location and identity, especially since most people don’t change the IP address of their phones.
Some phones use HTTPS encryption in order to stop others from eavesdropping on their IP addresses. Yet at the end of the day, citizens would have to trust the person running the application server to not collect and store any identifying information from the uploads.
Additionally, health or government agencies may desire to specifically identify COVID-19 positive people. They may be able to roll out vaccines, medicine, cures, or other types of treatment to infected individuals more quickly if they can use the application to determine identities or at least general whereabouts. This is directly counter to privacy priorities, but it may be necessary and even helpful as the coronavirus continues to spread.
So the questions, in the end, boil down to this:
- can the Australian people trust the government not to take too much information for nonmedical purposes?
- do the supposed medical benefits that may arise as a result of these contact tracing us outweigh the loss of digital privacy?
Contact Tracing Digital Privacy Concerns
Naturally, Google and Apple have both said that this contact tracing system won’t track user locations (at least in a long-term storage way), nor will it collect identifying data that can later be stored on a server or database. Instead, the application is allegedly being designed to only make use of short-term location data relative to other application users. In this way, the app will be more effective the more people who use it.
This new development comes in the wake of lots of high-profile conversations regarding technological progress in personal privacy. Governments around the world are increasingly seeking to tap into the data of their citizens, be it location, financial, or otherwise personal. The trade-off is better applications that provide you with more convenient services and access to products that seem to be uniquely tailored for your desires or needs.
This, of course, is a form of digital surveillance, and it’s something that’s already taken effect across most developed nations, including Australia, to some extent. Even some secure emails can already be easily monitored, as can other forms of digital communication.
For instance, smartphones can already track your location and movement history through both Bluetooth or GPS signals if you enable these applications or radios on your phone. Even when a consumer isn’t aware that an application may be sending their data to a server, they could still be being surveilled.
This is obviously a huge breach in privacy, but it’s one that has largely spread throughout the public consciousness without lots of vocal pushback aside from sites like this one or dedicated groups. The fact of the matter is that most people seem generally content to give away their data as long as they get more convenient service.
On the other hand, you can’t blame application developers from looking into using contact tracing apps as a potential way to track the spread of the virus. COVID-19 is shaping up to be one of the biggest economic and world health disasters in the last 100 years, and stopping the virus from reaching its maximum spreading potential is of the utmost importance. Some people might even say that digital privacy isn’t as important right now and that such issues can be returned to the future.
The spread of digital technology like smartphones means that they are already a perfect vector with which to implement this tracing measure.
To that end, Google and Apple have both said that the app they are developing will allow users to report positive COVID-19 diagnoses and that each application is only opt-in. In theory, this means that anyone who desires to use the app can do so and those who are more concerned about their privacy can ignore the feature. However, tech companies have hidden surreptitious surveillance technology or devices in their smartphones before.
This isn’t always Google and Apple’s fault, either. Google and Apple both have several potential security flaws in either company’s systems, meaning that those who do want to identify COVID-19 victims or retrieve the financial information of those who opt into this app might be able to do so. Relying on the privacy tools of individuals to keep their information safe seems like a risky gamit.
Australia’s Response to Contact Tracing
While Australia may also be affected by the joint application being developed by Google and Apple, they’re also eyeing contact tracing technology from Singapore. They already have a contact tracing app called TraceTogether.
It works essentially the same as the Bluetooth app described above, but it can also estimate the distance between smartphones and the duration of interactions. It’s a little more intrusive than the version allegedly being developed by Google and Apple, and the data is stored for 21 days, which is also the incubation period for COVID-19.
There are already other discussions about the ethics and intrusion of the TraceTogether app. What’s most important for Australians is that the government already has the main code from Singapore… and is very keen to develop their own version of the same application for use within their borders.
This follows the Australian government’s general trend of lowering user privacy in exchange for better data surveillance.
At this time, the Australian government has estimated that about 40% of Australians would need to voluntarily sign up for this program in order to be effective. Naturally, this variation of the contact tracing out would also be opt-in instead of mandatory. Yet the government is pressing that the COVID-19 emergency quarantine or social distancing measures might be able to light within a few months if the application is allowed to do its work.
That all sounds very convenient. Additionally, even Singapore, which is considered to be more “compliant” in terms of its society or culture, only has about 20% of its citizens sharing their mobile phone data with the government in this way.
Even though Australians have recently experienced more digital privacy infringement than before, they still aren’t as compliant as Singapore citizens. Thus, it’s unlikely that Australia will be able to get the touted 40% of people using this app soon unless things get seriously worse and privacy concerns can be alleviated.
Other countries, and specifically government agencies in Asian nations like China, South Korea, Hong Kong, and Taiwan, are already using variations of contact tracing apps and other digital monitoring technologies to ensure that citizens are following the correct quarantine restrictions. Then again, we already know about the privacy concerns in several of these countries and the freedoms that their citizens do not enjoy.
Australia is nowhere near as bad when it comes to government overstepping or privacy violations… but things do tend to happen in steps rather than all at once. People already need to do basic things like use a VPN to be protected. More may be needed in the future.
What Will Likely Happen?
At this point, COVID-19 restrictions in place across Australia and most other countries around the world. Australians are practicing social distancing and taking other measures to quarantine themselves or stay apart from infected individuals if anyone is suspected of contracting the virus. Additionally, some citizens are opting into phone-based monitoring systems for the purpose of contact tracing.
Yet at this time, it doesn’t seem like there’s enough public will to make transforming a contact tracing app from an idea into reality. For starters, while the Australian government has the code for the Singapore app, they still haven’t developed their own version. Additionally, the Google and Apple contact tracing app isn’t fully functional and is being rolled out slowly rather than being advertised as feature-complete and privacy safe.
Virus vs. Privacy
Additionally, development on these contact tracing apps may yet continue as governments and citizens talk about the importance of privacy, even in light of the pandemic. France, for instance, has publicly called for both Apple and Google to weaken their privacy protections around the contact tracing application. In other words, the French government is actively trying to lessen the privacy of its citizens in order to make the contact tracing app idea more effective.
All this is driven by increasing numbers of coronavirus-related deaths and stresses on the economy. It’s well-known that COVID-19 is causing widespread economic strain across virtually all sectors of the economy, resulting in people losing their jobs, not being able to pay their rent, and having to rely on government programs or other sources of income while the virus runs through the population.
Even beyond the economic impact, people are dying; that’s a serious issue and one that can cause people to reevaluate their concerns or priorities.
So will Australians decide that the privacy of their digital data is less important than the government’s ability to monitor their movements and health? It’s all possible. But nothing is for certain at this time.
The chief medical officer of Australia, Brendan Murphy, has said that the government is looking to “go harder if necessary” when it comes to contact tracing apps. Contact tracing that doesn’t use the apps takes about three days, which may be too slow for any reliable work to be done in slowing the virus.
Yet Shadow Attorney-General Mark Dreyfus has voiced the concerns of many citizens, explaining that complete public confidence and trust is required in order for most people to accept such an application. This is good news for anyone who is concerned about the long-term digital effects of privacy in Australia.
He says the government, “will need to do a great deal better on this tracking app”, as “it’s not going to work unless Australians have trust, have confidence, that their privacy is going to be protected if they upload this app on their phone”.
In the end, contact tracing apps may be a vital tool as governments and people band together to control the spread of COVID-19 and treat affected individuals. Health arguably comes before privacy at least to some extent, particularly when the consequences of not catching infected individuals before they manage to infect others can significantly outweigh any privacy concerns.
Still, digital privacy is already at a vulnerable state and it’s not looking to become better. COVID-19 may represent the perfect opportunity for more freedoms and digital privacy barriers to be broken all in the name of better security and health. Australian citizens will need to decide soon whether the tradeoffs are worth it and whether they trust their government officials to be true to their words.
As a security analyst working in Beijing in 2008, I struggled to connect to basic websites like Facebook and Wikipedia (coincidentally, many more websites are banned in China today than were then). Naturally, I started looking for a solution. VPN services were, at the time, security tools used by large I.T. companies or cybersecurity professionals.