Should you download and use the coronavirus tracing app?
No, but not so much because of the app itself as the people who are behind it.
In privacy terms, the app is relatively innocuous. It functions as a kind of decision tree in which you have to repeatedly opt in to make your personal data available: opt in to download it, opt in to register, opt in to leave the app running on your phone, opt in to leave your screen unlocked, opt in to share your information and that of other contacts that it has collected on other contacts if you test positive. You can “opt out” at any stage and not risk your data.
The number of people downloading the app — breathlessly reported by the media — isn’t a particularly good guide to its success. How many people leave it running with an open screen while they go about their daily life, which is the only way the app will fully work in the way intended by the government, is anyone’s guess.
It is conceivable, though highly unlikely, that the encrypted data on your phone is a privacy risk — though without seeing the full source code, we can’t be completely sure. The real risk is if you test positive — or for any other reason — and agree to upload your data to Amazon’s servers for the government’s contact tracers to access.
At that point, the question is no longer about the app, but about the government. What’s required for that isn’t a privacy impact assessment but a power impact assessment.
A power impact assessment would examine this government and find it badly wanting in relation to the abuse of personal information.
It introduced data retention laws supposedly reserved only for a small number of security agencies, protected against abuse and mission creep, and aimed only at serious crimes. Instead, the agencies using metadata have ballooned, the most trivial offences are now included and security agencies abuse the data without being held to account.
It defied laws designed to prevent the misuse of the personal information of transfer payment recipients to publicly vilify — via leaks to friendly journalists — a citizen who publicly criticised the government over robo-debt. Its bureaucrats insisted they had done so lawfully because they were correcting her “mistake”.
It used laws it introduced aimed at deterring whistleblowing within government to raid journalists’ homes in search of sources that caused embarrassment for security bureaucrats. It raided opposition offices and Parliament House itself searching for information on sources that had embarrassed NBN Co.
It used surveillance to undermine legal professional privilege and harassed and prosecuted the men who exposed criminal wrongdoing by ASIS, in the K/Collaery case.
It has given itself powers to force software and device manufacturers to secretly plant malware on devices to target citizens. Its signals intelligence body — which helped write the app — refuses to share information about major security vulnerabilities in widely used IT systems so it can exploit them for commercial espionage.
Given this, no amount of safeguards around government access to the information — and those safeguards won’t be legislated for weeks anyway — would be sufficient to guarantee that this government’s instincts to abuse its power would be curbed.
Still, advocates for the app urge that a small loss of, or risk to, privacy is nothing compared with the benefits of the app in helping alert people to the risk of infection and help the government identify cases. Except, those benefits could be obtained through a more decentralised app that doesn’t allow any part of the government to access the unencrypted information on the device of someone who has tested positive.
And such an argument is only a minor variation of the argument always put forward by governments, that we could all be safer if we gave up more rights, more freedom, more privacy, in the name of fighting crime, defending terrorism, stopping drugs — anything that saves lives and makes the community safer.
Public health bureaucrats and academics are little different from national security bureaucrats and academics in their command-and-control mentality, one that sees freedom and privacy as a minor inconvenience in the pursuit of the greater good. Indeed, one commentator on the weekend compared those who value their privacy to terrorist Carlos the Jackal.
Advocates also invoke another oft-repeated argument, that given IT companies already know so much about us, what does another breach in our privacy really matter — an argument best left on the shelf until the grim day when Apple, Google et al can raid our houses, prosecute journalists and jail whistleblowers.
If you’re not planning to embarrass or publicly criticise, or seek to hold to account, government ministers and bureaucrats, you probably don’t need to worry too much about how the government will abuse your personal information. And you can always, at various stages in the process, opt out of providing information. You can even delete the app if you want.
But the government can’t do what it would evidently prefer, which is to delete the facts about its long history of abusing power and personal information.
You are right. The government can’t be trusted with any of my personal information. However, in this case the potential intrusion on my privacy is minimal and is certainly worth the risk against the benefit I would get in the unlikely event that I spend 15 minutes with someone who subsequently is found to have been infected with the virus.
I have the app for the health of my grandchildren, my son and his wife and perhaps me. History speaks for itself about trusting any NSW government and its administration.
It’s most unfortunate, isn’t it? I think the app itself may be a worthwhile tool in the fight against the virus, but I don’t think I will download it because I can’t bring myself to trust this government’s ability to control its penchant for abuse of power: for precisely the reasons Bernard has indicated and despite the fact that it has shown a slightly more human, less ideology-obsessed face over the past few weeks. A leopard doesn’t change its spots.
Or perhaps more appropriately, using the app would feel a bit like the frog offering to help the scorpion across the river. We all know how that turned out.
No worries about privacy
You can download and install it (to satisfy ScoMo.
Then you delete Permissions and Notifications in COVIDSafe properties.
And as long as you do not press the Upload button, no data will be sent to the server.
This is pretty fair comment, Bernard. The least the government should do is sit to pass the legislation that is supposed to guarantee that the police won’t get their “extra uses” while we wait for legislation that ensures they don’t legally. And then you are right to wonder whether we can be confident when these “extra uses” are illegal that some government body won’t decide to use the data, if the illegality of that can’t be picked up and they get prosecuted or it.
A question Bernard,
Do you think that Mr Dutton might instruct SERCO contractors, guards etc to install the app, considering that they represent a high risk group of both catching and disseminating the virus because they are working in an area where there is no capacity for social distancing as recommended by the best Medical Advice?
In their current working conditions at a motel where international air crews are coming and going and these same guards are in close contact with a vulnerable group of people transferred on medical grounds to detention motels and camps. They are at risk of contracting and then spreading the virus to the community as well as the detention places.