Let’s have a look at the new coronavirus tracing app.
Is it a good idea?
Is it a bad idea?
Should you install it?
I think the best way to arrive at an answer to that is firstly to simply explain how it works.
First, you download the app. Once you’ve downloaded it, you enter some information: your phone number, your postcode, and your approximate age (from a selection of age ranges).
You don’t have to enter your name. You can put a pseudonym in or your own name – whichever you like.
That information is then sent to the central server, which is in Australia, and which I believe is an Amazon server.
The server then takes that little piece of recorded information, which is not particularly invasive data, applies a unique code to it, and sends that code back to your phone.
Everything that happens from this point onwards happens on your phone and on your phone only.
The code that your phone has received is broadcast via your phone’s Bluetooth signal to about a 10-metre radius around your person at all times.
At the same time, the app scans for the presence of other unique codes from other people who have phones with the COVIDSafe app operating on them.
If one of those people comes within about a 10-metre radius of your phone, your phone will scan and pick up their code, the make and model of the phone that it’s come from, the signal strength that it detected, and the length of time for which that code was within the scanning radius of your phone.
Those little pieces of information are completely useless by themselves. They don’t identify anybody and they don’t tell you or anybody else where you were.
The app just takes those bits of data and stores them on your phone in a place where other apps cannot access them. The data just sits there for 21 days, and then each piece of data is deleted 21 days after its collection.
Now, there’s no identifying information in that; no location data; nothing particularly invasive.
Then, if you are unfortunately diagnosed with coronavirus, you have the option to upload the last 21 days’ worth of data to the central server. A health professional will say to you, “Do you want to share the data from your last 21 days?”
You say, “Yes, I do. I want people who I was near to be notified.”
They say, “Great, press the button on your phone.”
You press the button in the app, and it uploads that data.
The central server is then able to match the codes that you’ve just sent it from your phone which represent people that you were near, and find their phone numbers.
It only does that for people who were within 1.5 metres of your person for 15 minutes or more. That’s why it picks up the signal strength in the phone, the make and the model, because it uses that information to calculate the approximate distance between your phone and theirs. If it’s within 1.5 metres for 15 minutes or more, the health professionals will get the phone numbers of those people, and presumably the other data as well – postcodes, age range and so on – so there’s a sense of how vulnerable they are. Then they’ll ring those numbers and inform those people that they should go and get tested.
That’s how the app works, in a nutshell. And here’s the thing: at the end of the pandemic, the data on that central server will be deleted.
In fact, the legislation requires it.
Now note this: the app does not track your location. It does not have any GPS function. It doesn’t actually communicate any of the data recorded in it to the central server unless and until you tell it to, which is in the unlikely event of being diagnosed.
Neither does it tell anyone who you are, or identify you in any meaningful way through that operation of scanning and sending the code out. It’s anonymous.
In addition to that, the following (among other things) are criminal offences punishable in some cases by up to five years in prison:
- It is a criminal offence to access the data unless you are employed by a State Health Authority and you are conducting contact tracing, which is the process of identifying people who have been in contact with a person who has tested positive for coronavirus. And if you are an authorised person, you’re only allowed to access the data supplied to the extent necessary to do that job.
- It is a criminal offence to upload the app data from someone’s phone without their permission.
- It is a criminal offence to keep the app data on a phone for more than 21 days as it automatically deletes itself after 21 days.
- It is a criminal offence to upload any app or central server data to a server outside Australia.
- It is a criminal offence to require somebody to use the app for any reason.
That relevant legislation also binds the Commonwealth to delete the data once the pandemic is over.
What does that mean overall?
Firstly, the data that’s disclosed in the process of using the COVIDSafe app is minimal. It really is.
The data on your phone by itself, as far as I can see, is pretty much useless.
And the data on the server is very minimal. It really doesn’t reveal much. It seems that you need to bring those two things into connection with each other, really, to find anything meaningful – and even then, it’s not very much.
Secondly, I don’t believe the way that the app operates is invasive. It’s not a breach of privacy; it’s not sending personal details; and it’s not identifying anybody.
Thirdly, the chance of misappropriating the data is slim to none.
On the negative side, though, I do wonder whether it can really solve things, because I understand that coronavirus is also transferred through contact with surfaces. It’s being sold as a silver bullet, but it only deals with one method of transmission of the virus.
And perhaps more significantly, there is a question in a lot of people’s minds about whether or not the government should really be going here. Should they be entering into this sphere wherein they are creating apps with a tracking or contact tracing capability?
‘Tracking’ has negative connotations. But whether you call it tracking or contact tracing, is this a precedent we want to set: the government collection of personal data, and use of that personal data to pinpoint your proximity to people or your whereabouts?
As minimally invasive as this app is, there is this question of precedent, and people have concerns about that.
I completely understand that.
So should you install it?
It’s morally neutral, in my opinion. It’s up to you.
The government policy is that this is optional, and so therefore, I think as a matter of personal duty, it’s optional.
Many people find it a minimally invasive way of being potentially helpful, and therefore, they download it. One of the strongest points I’ve heard was somebody who said, “If I got coronavirus, I would want the people who’ve been in contact with me to know that they should go and get tested.”
On that basis, a lot of people will download it. But there will be others who are concerned about the precedent that it sets, and will not download it, and I think that’s a reasonable observation as well. That’s also born out of a broader concern.
It’s not the fact that one perspective is moral and the other is not. It’s the fact that there are competing moral concerns.
I’m personally conflicted.
I’m drawn to the idea of the good it can do. I’m also cautious about the idea of the precedent that it sets.
However, I think – and I haven’t yet made this decision, but I’ll say it – I think I’m leaning towards downloading it. And that’s a change in my position since two weeks ago when I heard that there was a ‘tracing app’ coming out, which sounded quite ominous, and I thought, “Well, no. That’s a terrible idea!”
But here’s the thing: I’m so glad that we live in a country where the easy option, which could have been to simply put GPS tracking on everyone’s phones, or something really invasive like that, was not countenanced.
We live in a country where there was robust debate around the app when it was first being thought of, where politicians within the government itself actually raised concerns and said that this has to be done well, in a non-authoritarian, non-invasive, and non-privacy-breaching way.
All of those concerns were heard and adopted. Now we have a solution that collects absolutely minimal data. It doesn’t really collect anything the government shouldn’t have, to any great degree. It has a number of processes built into it to make it less invasive and to allay privacy concerns.
And it’s optional.
I think that’s a fantastic outcome.
I’m glad I live in a country that makes those things priorities, and produces a solution that seems to be walking a really fine line and doing it reasonably well.
Should you install it?
It is honestly up to you. I thought I’d give you the details about how it works, because I think once you know the details, it is clear that it is not, in itself, a really bad thing, though questions remain about the kind of precedent it sets as the government goes into this particular realm.