No Surprise: COVIDSafe Data ‘Incidentally’ Collected by Australia’s Intelligence Agencies

Did you install Australia’s COVID-19 contact tracing app? I certainly didn’t because I don’t trust any government to 1) create an app that does anything useful and well, and 2) create an app in a secure manner that doesn’t undertake mass surveillance.

Take a glance at the mobile phone on which you’re reading this blog post, or at the mobile phone sitting next to you. Do you think the government could create such a device and ecosystem? Now that you’ve stopped laughing, ask yourself if the government could create a useful app.

Maybe. But the jury is still out.

It came as no surprise to read that Australia’s intelligence services had sucked up citizens’ data from the so-called “COVIDSafe” app. Yes, a hastily created app with functionality issues on iOS devices has privacy issues, too.

An interim report by the Inspector-General of Intelligence and Security — a statutory office established to ensure the legality and propriety of the Australian Intelligence Community’s (AIC) actions — found that, “Incidental collection in the course of the lawful collection of other data has occurred (and is permitted by the Privacy Act); however, there is no evidence that any agency within IGIS jurisdiction has decrypted, accessed or used any COVID app data”. Apparently intelligence agencies have policies and procedures to avoid intentional access.

I’ll translate: Australia’s intelligence agencies incidentally ingested COVIDSafe’s data, the data was likely available for intelligence agencies’ staff to view, but no one viewed any COVIDSafe data based on an analysis of audit data.

What data is required to sign up, who from the government has access to some of the data, and how data is protected is covered elsewhere, and I’m not going to re-hash covered ground.

However, I do have several points that I’d like to make about government’s involvement in technology:

  • Unexpected behaviour. Actually, this point should be called “expected behaviour”, as intelligence agencies ingesting citizens’ data that they shouldn’t is an obvious side-effect of a government-run contact tracing app.
  • Transparency. How did intelligence agencies even ingest the data? We were told that the COVIDSafe app was secure. Secure from everyone but intelligence agencies? I wrote about this problem in an earlier post: The government has no incentive not to collect or protect citizens’ data. How did intelligence agencies access data stored on AWS in Sydney? Can the Five Eyes countries access this information, too? Could the data have been decrypted? Who knows, is the answer.
  • Government reviews of government. How independent is the Inspector-General of Intelligence and Security? Is this department really free of political influence? Who knows, is the answer. Can the government mark its own homework?
  • Government involvement in healthcare technology. MyHealthRecord is a somewhat controversial but optional government-run system. However, the incentive for government to access such information — through a future law change — will remain. The danger is a government that, rather than treating all citizens equally, will treat citizens differently based on healthcare data.

Remember: Government involvement in gathering more data on citizens can only lead to more mass surveillance, not less.