Agilient Security Consultants Australia

Cybersecurity & Risk Management Specialists

Contact Us

What is a data tracing app?

The data tracing app collects data that will allow people who were near a person who later tests positive to Coronavirus to be easily traced and contacted. This allows them to advise that they may be infectious and to seek medical advice.

The app is based on the Singapore Government’s Digital Services Agency’s app, TraceTogether, which uses a technical protocol called BlueTrace to enable global interoperability.

Why do we need it?

  • ‘Contact Tracing’ is fundamental infectious disease control best practice. It has historically been used against infectious diseases such as measles and meningococcal disease;
  • Since the outbreak of COVID-19 in Australia, contact tracing has been conducted over the phone by clinicians and scientists;
  • As this manual process is time and labour intensive, the proposed data tracing app is intended to augment the manual process, to hasten the infection detection process. This will then lead to quicker mitigation responses, thereby resulting in speedier disease containment;
  • Data tracing apps are currently in use in Asia and Europe to monitor infected people and enforce home quarantine. Many countries are seeking ways to exit lockdown while avoiding/controlling a subsequent outbreak;
  • Over 50 countries have expressed interest in the Australian version of the BlueTrace app, which has been designed with global use in mind. Initially, this may facilitate an early return to interstate and trans-Tasman travel;
  • The combined manual and digital data tracing efforts are intended to assist authorities in determining when the current restrictions can be progressively relaxed, based on successful control of COVID-19;
  • The app should empower the community to be involved in their own health outcomes, subject to satisfactory resolution of data privacy and security concerns.

How will it work?

The data tracing app uses short-distance Bluetooth signals to connect one phone using the app with another within approx. 1.5m for approx. 15 minutes. The phones swap an encrypted package containing the mobile number, name, age and postcode of the person, which is then stored on each phone for 21 days.

If a data tracing app user later tests positive to the virus, the stored data would be decrypted to allow authorised state health personnel to contact the people that they interacted with (who also used the tracing app) during the period they may have been infectious.

An arbitrary 40% take up has been proposed by Australian Government officials, however this will not be mandated. It is unclear whether a minimum take up is required to deliver anticipated benefits.

What are the concerns?

Data Privacy:

  • Various media and privacy advocates have raised concerns about government access to personal data. Ensuring the data will not be re-purposed by other government agencies is another concern. Acceptance and use of the app will be influenced by Australian’s level of comfort with the Government’s responses to these concerns;
  • Government Services Minister Stuart Robert stated that the Government will release the source code and privacy impact assessment for the ‘COVID trace’ contact tracing app;
  • Although it appears mobile location data will not be collected through the app, the aims needs to be closely considered. Defining the dataset required to achieve the minimum level of data required for effectiveness,providing clear policies and procedures, independent oversight and transparent messaging are key tools in a privacy enhancing framework.

Security:

  • Government Services Minister Stuart Robert claims that the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) are engaged in the security checking of the app;
  • iTnews reported that Robert stated that a “national data store” would be created for use by authorised State Government heath personnel and that the stored data would not be used by any Federal agencies and also pledged to delete the data when “the pandemic is done”;
  • Experts in Australia and Europe believe tracking apps should be decentralised, unlike the centralised model that Singapore is using. This would allow all relevant contacts to be registered in encrypted form on our phones and we would receive a notice if someone we had been in close enough contact with for a sufficient period tested positive for COVID-19;
  • With a decentralised system, neither we nor the Government know the identity of the relevant person, but our phone would recognise the person’s encrypted identity as a contact in a list of new cases broadcast by the system. We would then be alerted if we needed to self-isolate or seek medical advice;
  • Singapore’s centralised model, which Australia is looking to replicate, gives the Government capacity to know both users’ identities and a complete list of their contacts, as would a hacker accessing the government’s system.

Conclusion

Although the COVID-19 data tracing app is a sensible public health initiative, it is likely that robust legislative safeguards will need to be in place before it is widely adopted. Clarity regarding data privacy regulations, data sharing, retention and disposal are reasonable minimum requirements.

Contact us if you need any further details on the implications of the app for your business, or assistance with your cybersecurity.

Author: Phillipa Lee, Agilient Consultant

Tweet
Share