Exposing the fault lines in governments’ handling of Covid app data

Covid Contact Tracing Apps

Governments’ deft handling of the pandemic response – while no doubt inconsistently managed from state to state – has seen a significant boost in trust for public institutions.

Professional services group Deloitte notes that governments today are the most trusted institution, globally, for the first time in two decades.

One way that Australian governments have nurtured this trust in recent years has been to realise significant service improvements through open data-sharing practices – whether exchanging data between government authorities or between the public and private sectors.

Local examples abound, from Transport NSW’s Open Data Hub, a massive repository of public transport and roads data, to the whole-of-government Data Integration Partnership for Australia, which shares de-identified and confidentialised data for policy analysis and research.

But this openness has its drawbacks, and the proliferation of Covid-19 contact tracing apps in Australia has exposed very real weaknesses in the regulation of aggregated, and potentially personally identifiable, datasets.

Indeed, concerns around data collection and storage practices from Covid-19 mobile check-in apps can rapidly erode this hard-earned trust, says Deakin University’s Dr Monique Mann, a senior lecturer in criminology and vice-chair of the Australian Privacy Foundation.

With the rapid shift from the Federal Government’s Bluetooth-backed COVIDSafe app to today’s state-led contact tracing Quick Response (QR) code-based apps, and increasingly into digital vaccination certificates, Dr Mann questions the rigour behind the management of data collected through these systems.

“What kind of auditing and oversight processes do we have in the collection, storage, and deletion of this information?”

Along with a team of other researchers, Mann is examining whether an app-based solution is necessarily the best way to address the problems raised by a global pandemic.

Governments today must grapple with the risk management issues inherent in the use of QR scanning codes, as well as protocols for data sharing between government authorities, and data deletion schedules.

QR codes present a risk

With Australians abandoning the Federal Government’s COVIDSafe app in droves, state or territory governments have opted to roll out their own QR code-based check-in apps for contact tracing.

This check-in based tech has its risks, though, says Michael Maher, chief executive and co-founder of OnePassport, a Melbourne-based digital records software developer. Maher is also a member of the COVID Credentials Initiative, a 300-strong global group of academics and healthcare professionals working to standardise Covid testing data and make vaccination certificates sharable globally.

For Maher, QR codes are far from the most secure and reliable contact tracing solution.

“Technically, you could print a sheet that looked just like the official state or territory government site. But scan the fake QR code, and it could download malware onto your device, extract information from it or take you to a phishing site.”


This was an even bigger risk in the early days of the pandemic when some retail businesses developed their own proprietary apps.

Businesses were found to be collecting more information than needed for contact tracing. Worse still, this data was also being used for unsolicited marketing.

Since this early approach to contact tracing, state or territory governments have moved to consolidate and centralise their contact tracing programs, many of which have been embedded into existing one-stop-shop service apps (Service NSW and Service Victoria, for instance). But beyond the state-led approach and adoption of QR code-based scanning, the similarities between the state’s contact tracing apps are few.

While a security report reveals that NSW sends only minimal personal data through its Service NSW app – ensuring that, “even if someone has hacked that system, it’s not that risky”, Maher said – Victoria’s approach appears rather more data-hungry.

According to Maher, Victoria “sends through a three-megabyte file”, a veritable treasure trove of data for the unscrupulous.

He fears that “a serious player could intercept that information”.

Yet, for cybercriminals, it is often much easier to trick the human rather than attack the technology. Dark web forums are abuzz with activity on ‘QR code hacks’, offering tutorials and open-source tools that lure individuals to phishing sites, says Sean Duca, vice president and regional chief security officer for Asia Pacific at Palo Alto Networks, a cybersecurity software developer.

“There are numerous ways cybercriminals could leverage QR codes for their own malicious objectives. For example, hacking into a business’s website and replacing the QR code with their own. This could automatically route unsuspecting consumers to a phishing URL, where cybercriminals could request user credentials and then take control of email or social media accounts.”

Australian governments could learn much from early adopters of the QR-code model overseas. Cybersecurity experts point to New Zealand, the European Union, and the UK as exemplars of the COVID QR code approach.

Fuzzy data-sharing protocols

Once a Covid app collects data, what then are the risks to governments in storing, sharing, and deleting that data?

The Office of the Australian Information Commissioner (OAIC) provides guidance to governments and agencies, based on Privacy Act provisions, on privacy and freedom of information regulations related to Covid app data. These also include bilateral agreements between federal, state, and territory health authorities.

The agreements compel state and territory health authorities to delete personally identifiable data after it is no longer needed for contact tracing purposes “unless otherwise required by law”. The Privacy Act, Section 94ZC, also holds that the app data remains the property of the Commonwealth.

Dave Colls, Director of the Data and AI Practice at technology consultancy Thoughtworks Australia, urges governments to have clear data-handling standards, supported by technical controls that create a robust culture of “reporting, managing, and learning from security incidents”.

“It can be reassuring for the public to acknowledge these processes exist, and this promotes transparency,” he says.

Conversely, technical issues or instances of data misuse by authorities, which increase public distrust in these systems, can completely undermine public health efforts.

“If the risks aren’t properly managed, the end result is harm to citizens through the direct release of data or degraded performance of contact tracing and the impact on public health.”


And yet, despite these implications, the temptation to tap into these contact tracing datasets remains ever-strong.

In June, the Western Australian Government hastily introduced legislation to block authorities from accessing Covid app check-in data. The new law was triggered by the actions of the WA Police Force which was found to have on two separate occasions accessed contact tracing data – a process that, at the time, was still legal and required no judicial oversight (namely, a warrant).

Their Victorian peers, by contrast, have been required to obtain a warrant to access data from these apps; Victoria Police have, on three separate occasions, attempted to access this data, but in each instance were rebuffed by the health department, according to a report by Innovation Aus.

In Queensland, data can be used or disclosed where “authorised or required by law” – though this is yet to happen, the same report noted.

In one instance, Dr Mann confirms, Queensland Police tried to access the contact tracing data to help find an officer’s misplaced gun.

“A lot of the public backlash to this scope creep is that the information that’s supposed to be collected only for public health is now being used for a whole range of other purposes; it becomes skewed and problematic,” she says.

Dr Mann pointed to further concerns, also raised publicly, around a function in Victoria’s Covid tracing service (which is accessed via its Service Victoria app) that allows users to review locations they have visited.

“It was suggested people could look at Services Victoria for locations on where they’ve been. As a criminologist specialising in privacy and surveillance, if I have this mandatory record on my phone and am in an abusive relationship, [we have to ask] what other risks does this pose?”

Meanwhile, the Office of the Inspector-General of Intelligence and Security, in its most recent report issued in May, says its six intelligence agencies had taken “reasonable steps to avoid intentional collection of Covid app data”.

It found that where those agencies had “incidentally” collected such data, it had “not been accessed or used… [and] deleted as soon as practicable after the agencies become aware it has been collected”. The Privacy Act does allow for this incidental collection in the course of lawful collection of other data.

Data deletion: not so fast

Most state and territory health departments indicate that they will delete personal data from check-in apps 28 days after collection. In Queensland’s case, it is up to 56 days.

For example, an FAQ on the SA Government site states that check-in data is “retained for 28 days and then destroyed within seven days following this”. But the policy becomes somewhat more uncertain from here.

If “your data is required to be used”, the FAQ continues, SA Health will retain it “as long as necessary” for official contact tracing purposes or for managing the pandemic, and “no longer [after] the Covid-19 pandemic remains”.

This appears to be the norm across states and territories, as is the potential for aggregated data to be retained. Experts continue to stress the need for a rigorous de-identification process to ensure data privacy risk is minimised.

Dr Suneel Jethani, a researcher into open data practices at the University of Technology, Sydney, and co-author of a book on open data in government, expressed concern over the extended, and at times indeterminate, period that government agencies retain data.

“Twenty-eight days is understandable for incubation and how long someone’s contagious, but it’s still quite a long time to hold onto data that can be used to identify people,” he says.

Moreover, the data lifecycle within public agencies appears to be poorly understood by those outside of government (and potentially for many people within it).

“There’s very little in what some researchers call the ‘provenance of data’: what’s happening to it, how it moves through different systems, and how it’s decommissioned – that is, how they delete the data.”


He adds: “There are different approaches in the granulation of the data being put out there; some governments are more open than others, so it’s not uniform.”

Jethani urged a more coordinated approach to the governance and management of Covid data.

Governments need to fulfil regulatory and legal compliance mandates, ensuring that, if data is released, individuals cannot be identified. If a situation arises where they can be identified, the privacy breach must be investigated, he says.

Before governments collect data, they should consider what might happen to it, Jethani states.

“One problem is the way the technology is designed. Technology as a solution to a problem means you never really anticipate bad actors or nefarious users. You assume people will act for the greater good,” he says.

There are flaws at the source of the data as well. Citizens who do not trust governments are already liable to enter fake names and phone numbers into Covid tracing apps in order to show the ‘green tick’ to the venue host.

“It’s creating a dataset that’s not accurate. It’s subverting the tech.”


Jethani calls on governments to determine the minimum amount of data they need to collect for contact tracing and how it could be repurposed post-pandemic.

“It’s naïve to assume governments won’t do retrospective research. Does the data just become another information asset sitting in government available for policymakers?” Jethani asks.

And at what cost does this come to the public’s trust in government?