I wrote previously about issues with the Australian Government's recently-released COVIDSafe app for Android and iPhone and how the government's past history with data protections left everyone rather wary. I strongly suggest you read that piece before continuing.
Since the release at 6pm last Sunday, there have been approximately 4 million downloads
It seems the government has poisoned this well too many times. By the way, when the app's official launch happened (a little over a week ago) did anyone else notice that the Minister was surrounded by medical people all asking us to help them, but there wasn't one single person there with IT, privacy or security credentials. Telling, I thought.
Further, there have been warnings in a tweet from Diabetes Australia that the app is interfering with sub-skin continuous glucose monitor (CGM) systems. These devices constantly monitor glucose levels for diabetics and communicate (oddly enough) using Bluetooth.
Diabetes Australia has recommended CGM users uninstall the app if they have it.
Over the weekend we learned that despite the app being live for over a week, there is currently no ability for state health authorities to access and use the contact data. This means that if I found out LAST MONDAY that I was either afflicted or had come in contact with someone who was, I'd obviously hit the "I'm Unclean" button.
And then, NOTHING WOULD HAPPEN. We're told that the rules will be finalised later this coming week. I think the technical term is "couldn't organise a <nice activity> in a <suitable location>."
After a deeper reading, it seems there is a fatal flaw.
The policy discusses that you can use a pseudonym and also that you must provide your mobile number. That is enough to constitute personal information. That's fine, the policy describes storage rules, usage, correction and deletion.
However, we also know that when a contact is established, details are exchanged between the two devices. Personal information.
Of course, we can delete the app from our device, and we're promised that our data also goes. But here is where the difficulty comes in.
If I have been close to you for 15 minutes, and we both have the app, we will exchange the appropriate personal information. Next, I get cold feet and delete the app.
Despite the fact that my information is deleted from my device, it is NOT deleted from your device. In fact there is no way to achieve this. The app is all or nothing - the only way my information could be removed is if you delete it too.
Worse, if you hit the 'I'm unclean' button my details will be uploaded as part of the contact package. If that happens, there is no way to remove it. The privacy statement is very clear: "To ensure maximum security of your COVIDSafe data, you will not be able to access your data held in the data store."
My reading of current privacy legislation is that this is not legal. Please, someone correct me if I'm wrong.
As a final "aside", if any European citizen is currently in Australia and installs the app, GDPR will apply. I believe it too identifies the same problem.
The Department Privacy Officer has been contacted, but as this was written in the early hours of Monday morning, no response is expected immediately. An update will be provided if appropriate.