For me, the reason to download the COVIDSafe app is that my personal risk of not using it is greater than the risk of the possible misuse of my data. From a technical and legal point, I am satisfied that the app is as safe as you can expect from any technology.
If you are using a smartphone with apps such as Google and Facebook than far more personal data is collected by them than the government does in the covid app. Trust is an issue but personally and professionally I have no reason to believe that the government has any intention to misuse the data. If they would misuse the app, the whole system would collapse overnight. Trust is a key issue.
Technically I am satisfied that the right checks and balances are in place to protect our privacy. This is the information from the government on which I base my assesment:
- using Bluetooth technology, the app “pings” or exchanges a “digital handshake” with another user when they come within 1.5 metres of each other, and then logs this contact and encrypts it. It only registrates contacts with people that last for 15 minutes or more.
- The data remains encrypted on a user’s phone for 21 days, after which it is deleted if they have not been in contact with a confirmed case.
- The application will have two stages of consent that people will have to agree to: initially when they download the app so data can be collected, and secondly to release that data on their phone if they are diagnosed with the virus.
- If a person with the app tested positive to COVID-19, and provided they consent to sharing the information, it will be sent to a central server.
- From here, state and territory health authorities can access it and start contacting other people who might have contracted coronavirus.
- Strict laws will govern the use of information the app collects.
- A user will be unable to access the data on their phone and Commonwealth officials and law enforcement will be unable to access the central server.
- The central server must store all data in Australia, and it cannot be transferred overseas.
- Anyone who accesses the data illegally faces up to five years in jail, according to new laws enacted overnight under the Biosecurity Act.
- The rules will be legislated for the duration of the pandemic when Parliament returns next month.
Criminals (individuals, businesses, governments) are hacking into banks, military operations, Facebook, personal accounts and so on you will never ever be able to stop that. Hacking into mobile phone apps is rare, these are much better protected than using the internet on tablets and computers.
In everything what we do there is risk involved, crossing the road and you can be hit by a car.
As I mentioned above it is a personal risk assessment that you need to make, what are your risks if hacking or misuse of the data happens and what are your risk in relation to Covid-19. In the end this is a personal choice and it is up to you to make that assessment.
Paul Budde
PS Beyond the government’s handling of the pandemic in relation to privacy and security I remain critical of them as per my blog from a few weeks ago.