Should you download and use the coronavirus tracing app?
No, but not so much because of the app itself as the people who are behind it.
In privacy terms, the app is relatively innocuous. It functions as a kind of decision tree in which you have to repeatedly opt in to make your personal data available: opt in to download it, opt in to register, opt in to leave the app running on your phone, opt in to leave your screen unlocked, opt in to share your information, and the information the app has collected on your contacts, if you test positive. You can “opt out” at any stage and not risk your data.
The number of people downloading the app — breathlessly reported by the media — isn’t a particularly good guide to its success. How many people leave it running with an open screen while they go about their daily life, which is the only way the app will fully work in the way intended by the government, is anyone’s guess.
It is conceivable, though highly unlikely, that the encrypted data on your phone is a privacy risk — though without seeing the full source code, we can’t be completely sure. The real risk arises if, because you test positive or for any other reason, you agree to upload your data to Amazon’s servers for the government’s contact tracers to access.
At that point, the question is no longer about the app, but about the government. What’s required for that isn’t a privacy impact assessment but a power impact assessment.
A power impact assessment would examine this government and find it badly wanting in relation to the abuse of personal information.
It introduced data retention laws supposedly reserved only for a small number of security agencies, protected against abuse and mission creep, and aimed only at serious crimes. Instead, the agencies using metadata have ballooned, the most trivial offences are now included and security agencies abuse the data without being held to account.
It defied laws designed to prevent the misuse of the personal information of transfer payment recipients to publicly vilify — via leaks to friendly journalists — a citizen who publicly criticised the government over robo-debt. Its bureaucrats insisted they had done so lawfully because they were correcting her “mistake”.
It used laws it introduced aimed at deterring whistleblowing within government to raid journalists’ homes in search of sources that caused embarrassment for security bureaucrats. It raided opposition offices and Parliament House itself searching for information on sources that had embarrassed NBN Co.
It used surveillance to undermine legal professional privilege and harassed and prosecuted the men who exposed criminal wrongdoing by ASIS, in the K/Collaery case.
It has given itself powers to force software and device manufacturers to secretly plant malware on devices to target citizens. Its signals intelligence body — which helped write the app — refuses to share information about major security vulnerabilities in widely used IT systems so it can exploit them for commercial espionage.
Given this, no amount of safeguards around government access to the information — and those safeguards won’t be legislated for weeks anyway — would be sufficient to guarantee that this government’s instincts to abuse its power would be curbed.
Still, advocates for the app urge that a small loss of, or risk to, privacy is nothing compared with the benefits of the app in helping alert people to the risk of infection and helping the government identify cases. Except, those benefits could be obtained through a more decentralised app that doesn’t allow any part of the government to access the unencrypted information on the device of someone who has tested positive.
And such an argument is only a minor variation of the argument always put forward by governments, that we could all be safer if we gave up more rights, more freedom, more privacy, in the name of fighting crime, defending against terrorism, stopping drugs — anything that saves lives and makes the community safer.
Public health bureaucrats and academics are little different from national security bureaucrats and academics in their command-and-control mentality, one that sees freedom and privacy as a minor inconvenience in the pursuit of the greater good. Indeed, one commentator on the weekend compared those who value their privacy to terrorist Carlos the Jackal.
Advocates also invoke another oft-repeated argument, that given IT companies already know so much about us, what does another breach in our privacy really matter — an argument best left on the shelf until the grim day when Apple, Google et al can raid our houses, prosecute journalists and jail whistleblowers.
If you’re not planning to embarrass or publicly criticise, or seek to hold to account, government ministers and bureaucrats, you probably don’t need to worry too much about how the government will abuse your personal information. And you can always, at various stages in the process, opt out of providing information. You can even delete the app if you want.
But the government can’t do what it would evidently prefer, which is to delete the facts about its long history of abusing power and personal information.