
University of New South Wales Law Journal

Faculty of Law, UNSW

Selby, John --- "The Efficacy, Equity and Externalities of Australia's COVIDSafe App as a Policy Intervention during the COVID-19 Pandemic: Was It Sunscreen or Tanning Lotion?" [2021] UNSWLawJl 53; (2021) 44(4) UNSW Law Journal 1584


THE EFFICACY, EQUITY AND EXTERNALITIES OF AUSTRALIA’S COVIDSAFE APP AS A POLICY INTERVENTION DURING THE COVID-19 PANDEMIC: WAS IT SUNSCREEN OR TANNING LOTION?

DR JOHN SELBY[1]*

Digital contact tracing apps, such as the COVIDSafe App in Australia, have been rapidly implemented by many governments as a public policy solution to increase the efficiency of health screening testing during the COVID-19 viral pandemic. This article analyses how the COVIDSafe App’s unresolved efficacy and equity issues and the cybersecurity and privacy externalities it imposes onto Australians have prevented the App from making a significant positive contribution towards reducing the impact of the pandemic in Australia. It attributes some of the failure of Bluetooth-based digital contact tracing apps to their mis-characterisation as a Lessigean ‘code as law’ policy response, arguing instead that such apps are more complex and fragile cyber-physical systems requiring more analysis prior to implementation.

I INTRODUCTION

In late April 2020, Australian Prime Minister Scott Morrison held a press conference where he stated, ‘Slip, slop and slap on the app! ... If you want to return to a more liberated economy and society, it is important that we get increased numbers of downloads when it comes to the COVIDSafe app’.[1] Based upon a similar mobile phone app which had been rolled out in Singapore, this statement from the Prime Minister formed part of a significant[2] public relations campaign mounted by the government[3] (including potentially tens of millions of dollars of advertising spending)[4] to increase public confidence and stimulate the Australian economy after its initial pandemic shutdown (which was designed to suppress community transmission in Australia of the novel coronavirus known as COVID-19).[5]

Whilst the COVIDSafe App (the ‘App’) received an initial burst of public support upon its launch when the Commonwealth government agreed to make use of the App voluntary,[6] to eventually release its source code,[7] and to update it when flaws were found,[8] a number of scholars (including this author)[9] engaged in public debate to caution that the App may not be the technological panacea proclaimed by the Prime Minister. After the pandemic’s first year, the App was not being heavily used by public health officials[10] and Commonwealth Department of Health officials admitted to a Senate Estimates hearing that the App had not detected any new contacts in 2021.[11]

This article assesses the effectiveness of this technology-based public policy response to the COVID-19 pandemic from a variety of perspectives. It explores the efficacy, equity and externality (privacy and cybersecurity) challenges the COVIDSafe App faced with the goal of improving future Australian government policy responses.

Part II of this article gives a brief overview of the COVIDSafe App. Part III examines the legislative framework for the App. Part IV identifies and analyses the App’s efficacy problems. Part V identifies and analyses its equity problems. Part VI identifies and analyses its negative externalities, focusing on privacy and cybersecurity issues. Part VII assesses whether Lessig’s ‘regulation by architecture’ analysis or cyber-physical systems analysis provide better insights to this public policy debate. Part VIII concludes the article.[12]

II COVID-19 AND THE COVIDSAFE APP

This first Part gives a brief overview of the COVID-19 viral pandemic and how the COVIDSafe App was developed as part of the Australian government’s response to that public health emergency.

As was experienced with the ‘Spanish flu’ a century ago, a viral pandemic such as COVID-19 can spread rapidly across a highly interconnected world.[13] The virus was first detected[14] in Wuhan, China in November 2019,[15] although subsequent sanitation studies have claimed its existence in sewage samples collected across northern Italy by at least December of that year and in Brazil by at least November of that year.[16] By the end of August 2020 the COVID-19 virus had claimed the lives of over 846,000 people and infected more than 25 million people worldwide.[17]

The COVID-19 virus infects the respiratory systems of the human body and spreads primarily through direct contact, aerosolised droplets or surface contact.[18] Those with a vitamin D deficiency seem more likely to be infected.[19] A proportion of those infected remain asymptomatic whilst most cases suffer only relatively minor symptoms.[20] However, in up to 20% of cases (particularly amongst the elderly, those with compromised immune systems, and those with other co-morbidities such as chronic obstructive pulmonary disorder or obesity), hospitalisation is required.[21] At least in the early stages of the pandemic, approximately one-quarter of those who required hospitalisation went on to develop severe symptoms[22] such as Acute Respiratory Distress Syndrome (‘ARDS’)[23] which requires oxygen therapy or artificial ventilation for extended periods of time. Males are reported to have died from COVID-19 at approximately twice the rate of females in the United States of America (‘US’), United Kingdom (‘UK’) and Australia.[24] The virus is highly contagious and can spread rapidly through communities if social distancing and face mask-wearing protocols are not widely followed.[25] During severe outbreaks, some cities have had to lock down their populations[26] and some countries (such as Australia) have closed their international (and some domestic) borders.[27] In practice, not all countries have followed those transmission control protocols to the same extent, with higher rates of transmission or deaths seen in the US, Brazil, Russia, and the UK.[28] Mutations in several recent variants of the virus have seen significant increases in the rate at which it can infect people.[29]

Whilst it was initially thought that people who survived infection with the virus may develop lasting immunity to it (similarly to smallpox), examples of individuals catching the virus for the second time are now emerging, suggesting that ‘natural herd immunity’[30] is unlikely to be a possibility.[31] This new evidence likely restricts the policy options open to governments because repeated infections would preclude adoption of the ‘let it rip’ strategy initially pursued in the UK.[32] There is now mounting evidence that a proportion of those infected by the virus who recover will suffer long-lasting side effects, such as brain fog, and damage to the kidneys, liver, lungs and heart[33] which could interfere with both their quality of life and economic productivity.[34] The world’s best hope for a solution to the COVID-19 virus appears to be in the form of a vaccine. The rapid development of over 160 drug and vaccine candidates has occurred around the world,[35] with community vaccination campaigns using the fastest-to-reach-market vaccines beginning in late 2020.[36] Whilst some of the earliest vaccine candidates have claimed effectiveness greater than 90%, there have also been instances of deaths occurring shortly after a small number of patients received their COVID-19 vaccination injections.[37]

As one part of its strategy to reduce the rate of community transmission of COVID-19 in Australia, health departments have rolled out a program of manual contact tracing. This typically involves a detailed interview of each person who tests positive for the virus to collect information about where they have been and with whom they have been in close contact during the period of time when they were likely to have been infectious.[38] Notifications are then sent to the identified people encouraging them to get tested for the virus and the general public is notified of locations where infected people spent significant time so that those places can be deep cleaned and others who visited those locations can also seek testing.

One challenge with manual contact tracing is that it is expensive and time-consuming (and relies upon human memory which can be fallible). Therefore, it struggles with scalability.[39] Concerned to address this scalability issue and building upon a strategy adopted by the Singaporean government, as part of a suite of policy responses to the COVID-19 pandemic the Australian government rapidly developed a mobile phone contact tracing application, the COVIDSafe App, based upon the BlueTrace Protocol[40] and Singapore’s TraceTogether App[41] which use BluetoothLE (low energy) technology (‘Bluetooth’).[42] This was one of several alternative contact tracing protocols which were under development around the world at the time.[43] In December 2020, the COVIDSafe App’s Bluetooth protocol was updated to improve its effectiveness.[44]

A simplified explanation of the COVIDSafe App is that it uses Bluetooth signal strength to measure the distance between an individual’s mobile phone and the mobile phone of another individual who has also installed the app (and has it running). Individuals download the COVIDSafe App from either the Apple or Android app stores, install it onto their mobile phones and through it register their personal details (name or pseudonym, phone number, age range and postcode) with the National COVIDSafe Data Store (‘NCDS’).[45] The user is verified to a mobile phone through a six-digit PIN code sent by SMS to that mobile phone. Each individual’s COVIDSafe App then broadcasts via Bluetooth signal a unique (anonymised) identifier which is stored in encrypted form by other instances of the App when within Bluetooth range (typically 10 m or less) for a sufficient period of time. If an individual who has been using the App tests positive for COVID-19, they are notified by the Health Department and given a unique code which they can type into their instance of the App. That code enables the App on their phone to upload the identifiers of other individuals’ phones it has stored to a central COVIDSafe Store operated by the Commonwealth Department of Health. That database can then be used by authorised manual contact tracers to notify individuals that they have been exposed to a person who has tested positive (without revealing the identity of that infected person) and that they should get tested for the virus.[46] The COVIDSafe App does not collect or store geolocation data from Global Positioning System (‘GPS’) or cell tower signal strength data.

Development of the initial version of the COVIDSafe App was done in just a few weeks through contracts between the Digital Transformation Agency and the Boston Consulting Group, Amazon Web Services, Delv and Shine Solutions.[47] Whilst a privacy impact assessment for the App was undertaken by the law firm, Maddocks, on behalf of the Department of Health, no public consultations relating to privacy concerns about the App were undertaken prior to its launch.[48]

Having given a brief overview of the COVID-19 virus and how the Australian government developed its COVIDSafe App, the next Part of this article explores its legislative framework.

III LEGISLATIVE FRAMEWORK FOR THE COVIDSAFE APP

Two pieces of legislation have underpinned the Australian government’s digital contact tracing strategy during the COVID-19 pandemic. This Part examines how the government’s initial emergency response using its powers under the Biosecurity Act 2015 (Cth) (‘Biosecurity Act’) was superseded by the addition of a new Part VIIIA to the Privacy Act 1988 (Cth) (‘Privacy Act’).

Chapter 8 of the Biosecurity Act enables the Governor-General to make emergency declarations if the Commonwealth Health Minister is satisfied that special powers are needed to deal with a human biosecurity emergency.[49] The Health Minister must first be satisfied that there is a listed human disease posing a severe and immediate threat, or is causing harm, to human health on a nationally significant scale; and that the declaration is necessary to prevent or control the entry, emergence, establishment or spread of that disease into Australia. Such a declaration is a non-disallowable legislative instrument[50] which has to specify the human disease to which the declaration relates, the nature of the human biosecurity emergency and the conditions which gave rise to it, and the period during which the declaration is in force[51] (up to three months, though the Governor-General may vary the declaration to extend its operation by up to three months at a time)[52]. Section 477 of the Biosecurity Act grants the Health Minister broad powers during the period of the human biosecurity emergency and overrides any inconsistent provisions in existing legislation, such as the Privacy Act, though such legislation would continue to apply to the extent to which it was consistent with the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements – Public Health Contact Information) Determination 2020 (Cth) (‘Biosecurity Determination’).[53]

After the World Health Organisation notified Australia on 5 January 2020 that COVID-19 was a novel coronavirus causing a pneumonia outbreak in China, just 16 days later that virus was specified as a ‘listed human disease’ by a legislative instrument made by the Director of Human Biosecurity under the Biosecurity Act. As evidence emerged in February 2020 that the virus had spread to Australia, an emergency response plan was activated. The Health Minister then made the first of a series of determinations which exercised emergency powers capable of overriding any Commonwealth, state or territory laws.[54] The penalty for breaching or failing to comply with such a determination was a maximum of five years imprisonment and/or a fine of 300 penalty units.[55]

On 25 April 2020, the Health Minister made a determination designed to ‘make contact tracing faster and more effective by encouraging public acceptance and update of [the] COVIDSafe [App]’.[56] The next day, the COVIDSafe App was released for public download, along with the Explanatory Statement to the Determination and a privacy impact assessment undertaken at short notice for the Commonwealth Department of Health by the law firm, Maddocks.[57] The Biosecurity Determination contained a number of privacy-protecting provisions, including prohibiting anyone from collecting, using or disclosing data from the COVIDSafe App unless they were: a) a contact tracer employed by, or in the service of a state or territory health authority; or b) an officer, employee or contractor of the Commonwealth Health Department or Digital Transformation Agency for the purposes of enabling contact tracing or to ensure the proper functioning, integrity or security of the COVIDSafe App or the NCDS. It also prohibited the uploading of COVIDSafe App data from a mobile telecommunications device without the consent of the person who had possession or control of that device, precluded the retention of COVIDSafe App data on a mobile phone for more than 21 days, required the NCDS to retain its uploaded data on databases only within Australia, and required the Commonwealth to delete the contents of the NCDS once the COVID-19 pandemic had concluded.[58] Finally, the Determination prohibited the decryption of encrypted COVIDSafe App data stored on mobile telecommunications devices, and clearly specified that the COVIDSafe App was voluntary and that services, access or other adverse actions could not be taken against anyone who had chosen not to download the COVIDSafe App.[59]

The Biosecurity Determination was subject to significant scholarly and public criticism[60] (particularly because such a Determination could be withdrawn or altered by the Minister at any time), and the government decided to bring (with very short notice) legislation before the Parliament in relation to the COVIDSafe App.[61]

The Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (‘Contact Tracing Amendment’) inserted into the Privacy Act a new Part VIIIA focused on public health contact information, the goal of which was to ‘provide stronger privacy protection for the COVID app data and COVIDSafe users in order to: a) encourage public acceptance and uptake of the COVIDSafe App; and b) enable faster and more effective contact tracing’.[62]

Not only did this legislation codify the offences set out in the Biosecurity Determination[63] (and repeal that Determination),[64] it placed the operation of the COVIDSafe App under the purview of the Office of the Australian Information Commissioner and required mandatory data breach notifications for breaches of the NCDS or the COVIDSafe App.[65] The Contact Tracing Amendment clarified the relationship between the powers of state and territory privacy regulators[66] and the Australian Federal Police and granted users of the COVIDSafe App the right to compel the administrator of the NCDS to delete their registration data.[67] A 21-day retention time limit was imposed for data collected on the COVIDSafe App.[68] Individuals who receive COVIDSafe App data in error are required to delete that data[69] and users who choose to delete the COVIDSafe App from their devices will not upload data to the NCDS.[70] Transparency was improved through a requirement that the Minister for Health report on the operation and effectiveness of the COVIDSafe App and the NCDS every six months and that the Information Commissioner report on the relevant functions and exercise of their powers under Part VIIIA every six months.[71]

As Greenleaf and Kemp have extensively analysed the strengths and flaws of the Contact Tracing Amendment,[72] it is not proposed to undertake a similar analysis in this Part. This legislation was passed in just three days by the Australian Parliament, after very limited opportunity for public consultation. As will be argued in subsequent Parts of this article, the rushed nature of this aspect of the Australian government’s response to this pandemic meant that suboptimal policy and legislative strategies were adopted – the consequences of which may extend beyond the end of the pandemic.

Having explored relevant aspects of the Australian government’s legislative response to this pandemic, the next Part analyses the efficacy problems with the COVIDSafe App.

IV EFFICACY OF THE COVIDSAFE APP

One of the major challenges for any public policy intervention is to determine whether the policy can deliver the benefits claimed to justify its introduction. Implementation problems can be significant. This Part explores aspects of the technical challenges of digital contact tracing using Bluetooth, including analysis of how the COVIDSafe App is, in effect, a public health screening test.

One of the main purposes of digital contact tracing apps is (for each person who has installed and is using such an app) to screen the population into two categories:

1. those people with whom a particular person has had close physical contact (ie those ‘close contacts’ at risk of transmission of the virus[73]); and

2. all other people (those not at risk of transmission from/to a particular person – who are ignored for the purposes of the App).

For it to make a positive contribution towards reducing the health and economic consequences of the COVID-19 virus, the COVIDSafe App (and its server functionality) needs to be able to accurately determine into which category a person’s contacts should be placed. If the COVIDSafe App fails to make reliable and accurate categorisations, then its contribution towards fighting the pandemic will be marginal (at best) and it may compromise the liberty of those who need not have been quarantined.

For public health purposes, screening tests are assessed for their validity and effectiveness on a number of criteria.[74] The specificity and sensitivity of a screening test quantify the rate at which it produces inaccurate results (ie false positive results and false negative results).[75] A highly sensitive test produces few false negatives whilst a highly specific test produces few false positives. As Maxim, Niebo and Utell argue, ‘[p]ublications about screening tests typically report both the sensitivity and specificity of the test. It is clearly desirable to have a test that is both highly sensitive and highly specific’.[76]

Table 1: Logical possibilities for true disease state and screening test outcome[77]

| Test result | Subject has disease | Subject disease-free | Subtotal |
|---|---|---|---|
| Positive | Correct result | False positive | Total positive test results |
| Negative | False negative | Correct result | Total negative test results |
| Subtotal | Total subjects with disease | Total subjects disease-free | Total subjects |

In the context of the COVIDSafe App, a false positive would typically result in a person being needlessly notified that they have been a close contact of another person who has been diagnosed with the COVID-19 virus and that they should get tested for the virus and self-isolate until they have the results of that diagnostic test. This would likely have a number of consequences for the recipient of such a false positive message,[78] including: 1) psychological stress; 2) loss of productivity whilst organising to be tested, pre-test self-isolation, travelling to the test centre and self-isolating until receiving notification of the outcome of their test result; 3) potential loss of income; and 4) residual stress transferred to their family members, friends and work colleagues who may fear having been exposed to the COVID-19 virus. The needless impingement of a person’s liberty due to a false positive message is likely to be significant.

If the specificity of the COVIDSafe App is high, it will rarely generate such false positive results and an individual will be unlikely to experience the negative consequences discussed above. However, if the specificity of the COVIDSafe App is low, then many individuals may experience those negative consequences.[79] Even worse, if an individual were to receive repeated false positive messages via the COVIDSafe App, then their rate of compliance with the instruction to seek a diagnostic test is likely to fall substantially (ie after experiencing the consequences of five or more (unpleasant) diagnostic tests all of which have generated negative outcomes, individuals are likely to pay less attention to subsequent notifications they receive from the COVIDSafe App).[80] In the context of widespread community transmission of the virus, a low-specificity screening test would needlessly increase the burden and expense to the health system of allocating resources to run diagnostic tests on uninfected people. Due to physical and financial limits on diagnostic testing facilities,[81] this may also cause delays in the notification of true-positive COVID-19 results and create a harmful feedback loop.

If the sensitivity of the COVIDSafe App is high, then it will rarely generate false negative results and (if compliance rates with the request to undertake a diagnostic test are high) individuals who have been infected with the COVID-19 virus by a close contact detected by the App will get swiftly tested and treated for the virus. This should slow the rate of spread of the virus in our society. However, if the sensitivity of the COVIDSafe App is low, then it will generate a significant number of false negative results and many individuals who have been infected with the COVID-19 virus by a close contact will not receive timely notifications to self-isolate/seek a diagnostic test – causing those people to accelerate the rate of community transmission of the virus. A low sensitivity screening test would needlessly increase the burden upon the health system and economy by unintentionally causing more Australians to be infected with COVID-19.

Therefore, the capability of the COVIDSafe App as a screening test to deliver results with both high specificity and high sensitivity is essential when determining whether it can make a useful contribution towards fighting this viral pandemic. It is consequently necessary to examine whether the technology relied upon by the COVIDSafe App and the NCDS is capable of meeting those requirements.

There are two components which need to be considered when assessing the sensitivity and specificity of the COVIDSafe App: 1) the accuracy of the raw data about contacts collected by the COVIDSafe App installed on a person’s mobile phone; and 2) the accuracy of the classification algorithm used by the NCDS to determine which of the contacts of an infected person should be notified to seek diagnostic testing for the COVID-19 virus. Each will be analysed below.

A Accuracy of the Raw Data Collected by the COVIDSafe App

Determining the distance that one person is away from someone else is important when assessing the risk of COVID-19 transmission between people.[82] There are several technologies that the Australian government could use to track the movements and interactions of Australians for the purposes of contact tracing during the COVID-19 pandemic, including surveillance cameras, GPS, mobile phone signals, Near-Field Communication (‘NFC’), and Bluetooth. It is worthwhile briefly considering why Bluetooth was selected as the appropriate technology rather than these alternative technologies (or those adopted elsewhere, such as New Zealand’s rollout of a contact tracing app which relied upon mobile devices scanning QR codes).[83]

Surveillance cameras would not work very well in this situation: they typically operate in public spaces and not all public spaces have surveillance cameras.[84] Facial recognition technology is inaccurate and produces many false positives, especially for women and for people who are not ‘lighter-skinned’.[85] The bandwidth costs and AI processing costs of video are very high and using such technology would, justifiably, raise concerns of slipping into a Big Brother surveillance state.[86]

Whilst interactions between wild animals are often tracked using GPS technology, GPS is only accurate to around 10 m and struggles to find a signal amongst high-rise buildings.[87] It also does not work indoors and cannot tell whether a person is on the ground floor or the 50th floor of a building, so it would not be very useful for tracing the people with whom a person has been in close contact. Turning GPS on also drains the battery on a mobile phone relatively quickly.[88]

Mobile phone cell tower signal triangulation is reasonably accurate and could potentially work in a geographically-small country,[89] but many parts of Australia lack mobile phone reception (as you have probably experienced if you have driven significant distances outside of Australia’s major cities).[90] Tracking through cell tower signal triangulation would worsen the divide between city-dwellers and country-dwellers and would raise concerns about slipping into a Big Brother surveillance state.

NFC is a technology that has only been around for the last few years in mobile phones. It enables devices to communicate with each other over distances of a few centimetres and uses very little power to operate.[91] Whilst it would be possible for the COVIDSafe App to use NFC, it would require a person to press their mobile phone up close to the mobile phone of every person with whom they come into contact. This might be feasible in an office environment, but it would be very impractical whilst walking down the street or riding on a bus or rush hour train carriage.

Bluetooth is designed to be a relatively short-range communications technology (typically up to 10 m).[92] Quite a few Australians use Bluetooth on their mobile phones every day, often to connect their phone to their car so that they can make hands-free telephone calls or listen to music through wireless headphones/earbuds.[93] Bluetooth works both outdoors and indoors but its signals do not penetrate too far through concrete walls.[94] The latest versions of Bluetooth (v4 onwards) can use significantly less of a mobile phone’s battery than the earlier versions.[95] This makes Bluetooth appear to be the ‘least-worst’ technology option for a pandemic contact tracing application (at least when compared to surveillance cameras, GPS, NFC and mobile phone signal cell tower triangulation).

As discussed earlier, the COVIDSafe App relies upon Bluetooth on a mobile phone to communicate with other mobile phones whose users have also installed that App. Bluetooth (as well as Internet data) must be turned on at all times for the COVIDSafe App to function properly.[96] The COVIDSafe App seeks to detect when the mobile phone of another user who has installed that App comes within range (up to 10 m) of the phone on which it is running.[97] It then sends a message to the other phone containing (amongst other things) a unique random code identifying the registered user of the first phone and receives a different unique random code identifying the registered user of the second phone.

Whilst it is possible to relatively accurately measure distance between mobile phones using Bluetooth in a laboratory,[98] in the real world this becomes a much more complex task (which the inventors of Bluetooth admitted).[99] Unfortunately, there is a wide variation in the Bluetooth signal strength emitted by different mobile phones, so signal strength on its own cannot be used to accurately or reliably measure the distance between two mobile phones.[100] This means that the received signal strength of a Bluetooth signal detected by a mobile phone needs to be related back to the particular model of mobile phone that sent the digital handshake (which the COVIDSafe App does by collecting information about the models of the mobile phones with which it makes handshakes). Given the large number of different mobile phone models being used by the Australian public, there remains the practical challenge of ensuring that there is a sufficiently detailed database of the signal strengths of most of those phone models.

Another complexity with using Bluetooth to measure the distance between two phones is that the orientation of each mobile phone in relation to the other often affects the received signal strength.[101] The existence of objects between the two phones can attenuate (weaken) the signal (eg, one phone has been placed on top of a table whilst the other person’s phone is in their pocket under the table whilst they are seated). Even having a phone in your left pocket versus your right pocket can affect the received signal strength because the human body partially absorbs the Bluetooth radio signal.[102] Carrying a mobile phone in a handbag also lowers its signal strength. Conversely, being in a room with metal fittings (such as a train carriage) can cause a signal to be strengthened, so a received signal strength would inaccurately under-estimate the distance between two phones.[103] Even the presence of leafy plants or trees between two phones weakens the Bluetooth signal strength.[104]
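The following added example (not code from the COVIDSafe App or the NCDS, whose classification algorithm is not described on this page) treats Bluetooth proximity detection as the screening test discussed above and counts its false positives and false negatives over a grid of scenarios, with and without per-model calibration. The log-distance path-loss model, the 1.5 m close-contact threshold, the phone models and every dB value are constructed assumptions.

```python
"""Bluetooth signal-strength proximity detection evaluated as a screening test.

Added illustration only. Assumptions (not from the article or the App):
log-distance path-loss model, 1.5 m threshold, all dBm/dB figures below.
"""
import math
from itertools import product

PATH_LOSS_EXPONENT = 2.0   # assumed (free-space-like propagation)
CLOSE_CONTACT_M = 1.5      # assumed close-contact threshold
GENERIC_REF_DBM = -62.0    # single reference used when the sender model is ignored

# Constructed received strength at 1 m for three hypothetical phone models.
REF_RSSI_AT_1M = {"phone_a": -55.0, "phone_b": -62.0, "phone_c": -70.0}

# Constructed signal loss (dB) per carrying condition; a negative value
# means reflections strengthen the signal (e.g. a metal train carriage).
CARRY_EFFECT_DB = {"in_hand": 0.0, "pocket": 8.0, "handbag": 12.0,
                   "metal_carriage": -5.0}

TRUE_DISTANCES_M = [0.5, 1.0, 1.4, 2.0, 3.0, 5.0, 8.0]


def received_rssi(model, carry, distance_m):
    """Signal strength (dBm) seen by the receiving phone."""
    path_loss = 10 * PATH_LOSS_EXPONENT * math.log10(distance_m)
    return REF_RSSI_AT_1M[model] - path_loss - CARRY_EFFECT_DB[carry]


def estimate_distance(rssi_dbm, assumed_ref_dbm):
    """Invert the path-loss model; the receiver cannot observe carry effects."""
    return 10 ** ((assumed_ref_dbm - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))


def screen(calibrated):
    """Classify every scenario and return the confusion-matrix counts."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    grid = product(REF_RSSI_AT_1M, CARRY_EFFECT_DB, TRUE_DISTANCES_M)
    for model, carry, true_m in grid:
        rssi = received_rssi(model, carry, true_m)
        ref = REF_RSSI_AT_1M[model] if calibrated else GENERIC_REF_DBM
        flagged = estimate_distance(rssi, ref) <= CLOSE_CONTACT_M
        is_close = true_m <= CLOSE_CONTACT_M
        key = ("T" if flagged == is_close else "F") + ("P" if flagged else "N")
        counts[key] += 1
    return counts


def sensitivity(c):
    """Share of true close contacts that were flagged."""
    return c["TP"] / (c["TP"] + c["FN"])


def specificity(c):
    """Share of non-contacts that were correctly left unflagged."""
    return c["TN"] / (c["TN"] + c["FP"])


if __name__ == "__main__":
    for label, calibrated in (("generic reference", False),
                              ("per-model calibration", True)):
        c = screen(calibrated)
        print(f"{label:22s} {c}  sensitivity={sensitivity(c):.2f} "
              f"specificity={specificity(c):.2f}")
```

Per-model calibration removes the errors caused by handset differences, but the missed contacts caused by pockets and handbags and the false alarm caused by reflections remain, because the receiving phone cannot observe them.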

Other electronic devices which emit radio waves at the same 2.4 GHz frequency used by Bluetooth (such as 802.11b wireless Internet routers or microwave ovens) might also interfere with the accuracy of the COVIDSafe App.[105] The Bluetooth radio band is 83 MHz wide, within which Bluetooth LE uses 40 channels of 2 MHz each. A Bluetooth device can hop from one channel to another to try to overcome interference.

When the Singaporean government developed the first version of the contact tracing app (which formed the basis of the Australian government’s COVIDSafe App), they realised that different mobile phones emit Bluetooth signals with very different strengths.[106] This meant that calculating the distance that one type of mobile phone is away from another mobile phone can be complicated. The Australian government has said that they also took this complexity into account when designing the COVIDSafe App, but the source code for the NCDS has not yet been released to confirm that is the case.

Depending upon the model of mobile phone upon which it has been installed, the COVIDSafe App has been found to have difficulty maintaining a connection with various other types of mobile phones. This has been attributed to the variety of operating systems able to be installed on those mobile phones (ie it is not always possible to install the most recently released version of an operating system onto older models of mobile phones). This has meant that a proportion of mobile phones upon which the COVIDSafe App has been installed have been unable to consistently exchange handshakes (and relative signal strength information) even if placed close to each other.[107] Updates have been released for the COVIDSafe App designed to reduce (but not eliminate) the extent of this problem.[108]

Finally, overall adoption rates for the COVIDSafe App have been insufficient to enable it to collect information on a meaningful proportion of the contacts an infected person may have. Whilst there was an initial spike in downloads of the COVIDSafe App in Australia, after a few weeks the number of total downloads (not installations and not actual users) slowed down substantially – only seven million downloads had occurred by June 2021.[109] The actual rate of usage is lower than that because only a subset of users who download the app install it and only a subset of those keep the app running on their mobile devices. Modelling suggests that a digital contact-tracing app is far less effective if it has a low rate of community adoption (ie that its effectiveness declines at a quadratic rate).[110]

These real-world implementation issues mean that ‘the development of accurate methods for proximity detection based on Bluetooth LE received signal strength is likely to be challenging and time consuming’.[111] In its first interim report, the Commonwealth Senate Select Committee on COVID-19 found that the COVIDSafe App

has significantly under-delivered on the Prime Minister’s promise that the app would enable an opening up of the economy in a COVID safe manner. The app was launched with significant performance issues and has only been of limited effectiveness in its primary function of contact-tracing.[112]

B Determining Which Contacts to Notify of Potential Exposure to the COVID-19 Virus

Whilst the COVIDSafe App has attracted significant public attention and debate, the NCDS is, perhaps, the more important component of Australia’s Digital Contact Tracing strategy. The NCDS has a number of important tasks: a) to securely receive and store information about registered users of the COVIDSafe App; b) to receive notifications from persons who use the COVIDSafe App that have been infected with the COVID-19 virus about the digital handshakes the App stored on their phone in the last 21 days; c) to filter those contacts using an algorithm to determine which contacts should be contacted regarding their potential exposure to the COVID-19 virus; and d) to release information to authorised state and territory health workers for the purposes of manual contact tracing and managing the pandemic.[113]

Whilst the source code for the COVIDSafe App has been released for public review (which identified numerous problems), the source code for the NCDS has remained hidden.[114] In particular, whilst scholars have developed an algorithm for converting Bluetooth signal strength into distance between mobile phone devices,[115] it is unclear to what extent the Australian government has used or modified that algorithm for the purposes of determining which potential contacts are worth notifying to get tested.

This is a critically important issue – as mentioned above, the risks of false positives and false-negatives in screening tests are significant. Whichever algorithm the Commonwealth is using to make those determinations is effectively a filter that can be set to be too broad (ie notifying too many contacts and creating too many false positives) or set too narrow (ie notifying too few contacts and creating too many false negatives). Without access to the source code for the NCDS, the algorithm being used and the testing data used to develop that algorithm, it is unfortunately not possible for there to be an informed public debate about whether the algorithm has been configured appropriately.
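How a distance filter of this kind turns signal-strength distortions (body absorption, handbags, reflective carriages, differing handset transmit power) into false positives and false negatives can be shown numerically. The following is an added example, not code from the article, the COVIDSafe App or the NCDS (whose algorithm is unpublished); it assumes the standard log-distance path-loss model, a reference reading of -60 dBm at 1 m, a 1.5 m close-contact cut-off and six constructed encounters.

```python
import math

# Assumed calibration values for illustration only (not COVIDSafe or NCDS settings).
REF_RSSI_1M = -60.0  # dBm received at 1 m, clear line of sight, reference handset
PATH_LOSS_N = 2.0    # path-loss exponent; 2.0 corresponds to free space
CLOSE_M = 1.5        # assumed true distance that counts as a close contact


def rssi_at(distance_m, extra_loss_db=0.0, tx_offset_db=0.0):
    """RSSI (dBm) predicted by the log-distance path-loss model.

    extra_loss_db: attenuation from bodies, bags or tables (negative means
    a gain from reflections). tx_offset_db: how far the handset transmits
    above or below the reference handset.
    """
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    return (REF_RSSI_1M + tx_offset_db - extra_loss_db
            - 10 * PATH_LOSS_N * math.log10(distance_m))


def estimate_distance(rssi_dbm):
    """Invert the model using only the reference calibration,
    ie without knowing about obstacles or the handset model."""
    return 10 ** ((REF_RSSI_1M - rssi_dbm) / (10 * PATH_LOSS_N))


# Constructed encounters: (label, true metres, extra loss dB, tx offset dB)
ENCOUNTERS = [
    ("line of sight, 1 m",                1.0,   0.0,  0.0),
    ("phone in back pocket, 1 m",         1.0,  10.0,  0.0),
    ("handbag + weak transmitter, 1.2 m", 1.2,   6.0, -6.0),
    ("train carriage reflections, 4 m",   4.0, -10.0,  0.0),
    ("strong transmitter, 3 m",           3.0,   0.0,  8.0),
    ("line of sight, 5 m",                5.0,   0.0,  0.0),
]


def confusion(threshold_m):
    """Count true/false positives/negatives when every encounter whose
    estimated distance is within threshold_m is flagged for notification."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _label, true_m, loss_db, tx_db in ENCOUNTERS:
        est = estimate_distance(rssi_at(true_m, loss_db, tx_db))
        truly_close = true_m <= CLOSE_M
        flagged = est <= threshold_m
        if truly_close:
            counts["tp" if flagged else "fn"] += 1
        else:
            counts["fp" if flagged else "tn"] += 1
    return counts


if __name__ == "__main__":
    for label, true_m, loss_db, tx_db in ENCOUNTERS:
        est = estimate_distance(rssi_at(true_m, loss_db, tx_db))
        print(f"{label:36s} true {true_m:4.1f} m  estimated {est:4.1f} m")
    for threshold in (1.1, 1.5, 3.5, 4.9):
        print(f"threshold {threshold} m ->", confusion(threshold))
```

In this constructed set no single threshold removes both kinds of error: narrowing the filter to 1.1 m clears the false positives but misses two of the three genuine close contacts, whilst widening it to 4.9 m catches all three but still flags the two distant phones whose signals arrived unusually strong.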

Whilst legislation requires reports to be published about how digital contact tracing is operating (which might help inform that public debate), those reports are only due every six months.[116] Unlike the Department of Health, the Privacy Commissioner released its first two reports about the COVIDSafe App in a timely manner.[117] Media reports suggest that the NCDS has detected around 544 contacts who had not been found by manual contact tracers and, of those, only 17 people who had been infected by the COVID-19 virus.[118] The extent to which the technical inadequacies of the Bluetooth protocol in reliably and accurately measuring the distance between two mobile devices based on signal strength have contributed to these results is also unclear. Whether those results are evidence of success or failure (and the overall efficacy of the COVIDSafe App) is also difficult to determine at this stage.

This Part has focused on how the efficacy challenges relating to accurate and reliable distance measurement affect the data collected by the COVIDSafe App, and highlighted how the lack of information about how the NCDS operates is limiting the Australian public’s ability to make informed decisions about whether or not to support the government’s digital contact tracing strategy. The next Part explores distributional questions around the equity of using the COVIDSafe App as a digital contact tracing strategy.

V EQUITY ISSUES AFFECTING THE COVIDSAFE APP

As a public health strategy, digital contact tracing via a mobile phone Bluetooth app raises several equity issues, particularly related to the digital divide in Australia.

Whilst the COVID-19 virus first appeared in Australia via the relatively privileged (eg those who could afford international travel and cruise ship holidays),[119] it rapidly spread to infect less privileged socio-economic groups across the country. Large outbreaks amongst meat-packing plant workers and their families,[120] and in private nursing homes,[121] demonstrated that this pandemic was not only an issue for the Aspen ski holiday crowd.[122] This was not by chance, as social distancing is a privilege for the relatively wealthy.[123] Whilst well paid professional service workers could reduce their risk of exposure by working from home (and/or decamping to countryside homes),[124] minimum wage earners in Australia were compelled to attend work in-person (it is impossible to carve meat from an animal carcass via Zoom) and to work in close proximity to colleagues, often without adequate personal protective equipment.[125] Such workers are also more likely to have to use public transport to get to and from their workplaces, putting them at a higher risk of exposure than individuals who can drive their own car.[126]

The consequence of this is that, as the pandemic has progressed, individuals in less privileged socio-economic groups (particularly within major cities) have been more likely to be exposed to the COVID-19 virus than individuals in more privileged socio-economic groups.[127]

There is significant evidence that, upon infection, the COVID-19 virus affects individuals in less privileged socio-economic groups more intensely than those in higher socio-economic groups.[128] This appears to be due to the increased prevalence of comorbidities such as obesity,[129] smoking,[130] chronic obstructive pulmonary disorder[131] and diabetes[132] amongst less privileged socio-economic groups. As of August 2021, in the hardest hit Australian states (Victoria and New South Wales) the COVID-19 virus has imposed its greatest damage upon each state’s capital’s most disadvantaged municipalities.[133]

The consequence of this is an equitable ‘quintuple-whammy’: individuals in lower socio-economic groups are: 1) more likely to be exposed to the virus; 2) more likely to contract the virus; 3) more likely to suffer worse health outcomes from that infection; 4) less likely to have paid sick leave which would enable them to self-isolate at home; and 5) more likely to share their homes with other people who may be infected and spread the virus further to their workplaces,[134] places of worship[135] or educational institutions,[136] etc.

Benefiting from the COVIDSafe App requires: 1) an individual to own or have access to a smartphone; 2) a smartphone with an operating system installed which is new enough to be able to install the App; and 3) the individual to have the digital literacy to be able to install and use the App effectively. Each of those prerequisites is undermined by the digital divide[137] which exists in Australia.[138] Whilst the rate of mobile phone ownership in Australia is relatively high by global standards, those devices are by no means ubiquitous in this country.[139] Indeed, almost one-in-five Australians did not own a smartphone capable of installing the COVIDSafe App when it was launched.[140] Those individuals are not spread evenly across socio-economic groups, with individuals in less privileged socio-economic groups being over-represented.

This means that digital contact tracing through the COVIDSafe App is effectively a regressive public health strategy,[141] ie it provides the greatest benefits to those in more privileged socio-economic groups who face the least exposure to the virus, are less likely to suffer severe harm if they get infected, are more likely to be able to afford to quarantine at home at the first signs of symptoms, and live in smaller households so are less likely to infect others. The COVIDSafe App provides fewest benefits to those in less privileged socio-economic groups.

These equity issues first need to be recognised before they can be addressed. When the COVIDSafe App was launched, it was not available in languages other than English[142] (this was corrected in later versions).[143] The resources spent on the App were diverted from other public health strategies where they might have had greater benefit for less privileged socio-economic groups. For example, purchasing personal protective equipment such as face masks (or building factories capable of making that equipment) may have provided more equitable public health benefits than investing money into developing and advertising the COVIDSafe App.

Having explored the significant equity issues which may cause the COVIDSafe App to effectively be a regressive public health screening test, the next Part examines the cybersecurity and privacy negative externalities imposed by that App.

VI EXTERNALITIES

It is arguable that there are two significant negative externalities which the COVIDSafe App has imposed on Australian society: cybersecurity risks and privacy risks.[144] Each of these will now be analysed.

A Cybersecurity Risks

Smart phones are much more than mere devices upon which to make telephone calls and send text messages – they are miniature computers capable of accessing, processing and storing significant volumes of sensitive data.[145] One of the ways in which employers have responded to the COVID-19 pandemic has been to ask employees to work from home as much as possible which means that workers are connecting their personal devices via less-secure home networks onto corporate networks.[146] It is in this context that the Australian government has introduced the COVIDSafe App which requires users to 1) install the app onto their mobile devices; and 2) leave Bluetooth (and the Internet) running on those mobile devices. Each of these creates cybersecurity risks for Australians, which will be discussed below.

Since the COVIDSafe App was launched, its source code has been released[147] and cybersecurity experts have been able to examine that code to determine whether vulnerabilities exist within it that could be exploited by attackers.[148] In its rush to release the COVIDSafe App, the Australian government did not follow best practice by setting up an easy means through which experts could report flaws to the App’s developers.[149] Nor was a bug bounty system established that would have motivated and rewarded cybersecurity experts who identified and disclosed vulnerabilities in the App’s code to disclose those risks in a structured and secure manner.[150]

Unsurprisingly for software code developed in a hurry, the COVIDSafe App has been discovered to contain at least 37 flaws,[151] including:

• the app being vulnerable to a denial of service attack;[152]

• facilitating remote control of other people’s Android mobile phones;[153]

• users being vulnerable to a long-term re-identification attack;[154]

• Android users being re-identifiable through advertising beacons;[155]

• plain-text communication of device model data which could permit re-identification;[156]

• remote attackers being able to access phone name and model information sufficient to identify the mobile phone device owner’s name;[157]

• unsafe use of the Bluetooth transport option which may allow attackers to trick the application into establishing a connection that would reveal the public Bluetooth address of the victim’s phone without authorisation;[158]

• causing diabetic monitoring devices to fail;[159] and

• confusing App users as to whether they had already tested positive to the COVID-19 virus,[160]

some of which were (eventually) patched by updates to the App.

Even if the COVIDSafe App had been perfectly coded with no exploitable bugs, simply leaving Bluetooth running on a mobile device exposes users of the App to several cybersecurity attacks because the Bluetooth protocol itself has vulnerabilities which can be exploited by attackers (some of which were only discovered in 2020). These include the remote code exploit known as BlueFrag;[161] BLURtooth, an attack which could defeat Bluetooth encryption;[162] KNOB, an attack which permitted the injection of arbitrary ciphertext without the victim noticing;[163] method confusion attacks;[164] impersonation attacks;[165] key negotiation attacks;[166] and Diffie-Hellman Key Exchange attacks.[167] Some of these attacks could be used by an attacker to gain privileged remote access to a person’s mobile device. This would enable a sophisticated attacker to use that mobile device as a basis to launch attacks against other information technology (‘IT’) systems to which that mobile device is connected.

Whilst Google released a patch for the BlueFrag vulnerability in February 2020, not all Android phone manufacturers have released their security updates to fix this problem (which primarily affects v8 and v9 of that operating system). Owners of older phones (eg the Galaxy S6 phone for which Samsung is no longer releasing security updates) do not benefit from those security patches and likely remain vulnerable to those flaws.[168] The COVIDSafe App help pages advise that it will only work on mobile phones running on the Android 5.1 (or newer) or iOS 10 (or newer) operating systems.[169]

At the same time, Australians are becoming more exposed to these vulnerabilities. Mobile phone manufacturers tend to release security updates for their phones only for limited periods of time (eg for three to four years from the release date for Android-based phones and five years from release date for Apple phones).[170] Deloitte’s 2019 Mobile Consumer Survey revealed that the average Australian is now keeping their phone for at least three and a half years.[171] This suggests that many (if not most) Australian Android users and a proportion of iPhone users are likely using mobile phones for which the manufacturers are no longer issuing security patches protecting against the latest Bluetooth vulnerabilities. Even if a manufacturer is still releasing security updates for an Australian’s mobile phone, there is no guarantee that the user has installed those updates. This further reduces the proportion of Australian mobile phones that would be protected from Bluetooth vulnerabilities.

The Singaporean authors of the BlueTrace App (upon which the COVIDSafe App was based) admit that ‘vulnerabilities are occasionally discovered in the underlying technology that BlueTrace depends on, ie Bluetooth. These vulnerabilities have to be patched at the operating system-level, and we therefore urge users to ensure that their operating systems are regularly patched’.[172] They recommended that BlueTrace apps ‘consider notifying users if an outdated operating system is detected, in order to prompt users to update them’.
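The kind of outdated-operating-system notice the BlueTrace authors recommend could be driven by a check along the following lines. This is an added sketch, not code from BlueTrace or the COVIDSafe App: the thresholds are the figures quoted in this Part (Android 5.1 / iOS 10 minimums, BlueFrag affecting Android 8 and 9 until the February 2020 patch, four- and five-year update windows), whilst the function names, notice codes, sample devices and the month-level reading of Android's `YYYY-MM-DD` security patch level string are assumptions.

```python
from datetime import date

# Figures taken from the article; treating them as hard cut-offs is an assumption.
MIN_SUPPORTED = {"android": (5, 1), "ios": (10,)}  # App help pages
BLUEFRAG_MAJORS = {8, 9}                           # "primarily affects v8 and v9"
BLUEFRAG_FIX = (2020, 2)                           # Google patch, February 2020
UPDATE_WINDOW_YEARS = {"android": 4, "ios": 5}     # upper end of 3-4 years; 5 years


def parse_version(text):
    """'8.1.0' -> (8, 1, 0). Raises ValueError on non-numeric input."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_patch_month(text):
    """Android security patch level 'YYYY-MM-DD' -> (year, month)."""
    year, month = text.strip().split("-")[:2]
    return int(year), int(month)


def assess_device(platform, os_version, patch_level=None,
                  release_date=None, today=None):
    """Return a list of notice codes (hypothetical names) for one handset.

    unsupported         OS is older than the App's stated minimum
    bluefrag-unpatched  Android 8/9 with a patch level before February 2020
    bluefrag-unknown    Android 8/9 and no patch level was reported
    out-of-support      handset is older than the assumed update window
    """
    platform = platform.lower()
    if platform not in MIN_SUPPORTED:
        raise ValueError(f"unknown platform: {platform!r}")
    version = parse_version(os_version)
    notices = []

    if version < MIN_SUPPORTED[platform]:
        notices.append("unsupported")

    if platform == "android" and version[0] in BLUEFRAG_MAJORS:
        if patch_level is None:
            notices.append("bluefrag-unknown")
        elif parse_patch_month(patch_level) < BLUEFRAG_FIX:
            notices.append("bluefrag-unpatched")

    if release_date is not None:
        today = today or date.today()
        months_old = ((today.year - release_date.year) * 12
                      + (today.month - release_date.month))
        if months_old >= UPDATE_WINDOW_YEARS[platform] * 12:
            notices.append("out-of-support")

    return notices


if __name__ == "__main__":
    as_at = date(2021, 6, 1)
    # Constructed sample devices, not real handset models.
    samples = [
        ("android", "8.1.0", "2019-11-01", date(2017, 3, 1)),
        ("android", "9", "2020-02-01", date(2019, 9, 1)),
        ("android", "5.0", None, None),
        ("ios", "9.3.5", None, None),
    ]
    for platform, version, patch, released in samples:
        print(platform, version, assess_device(platform, version, patch,
                                               released, today=as_at))
```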

It is arguable that Australians who are, or may be, considering using the COVIDSafe App should conduct a risk assessment to determine the extent to which leaving Bluetooth running on their mobile devices will increase cybersecurity risks for themselves and their businesses/employers. Those risks relate not only to the content stored on each person’s mobile device but also the external systems to which their mobile device is able to authenticate, such as business email accounts, banking accounts, cryptocurrency wallets, business IT systems, cloud data storage, etc. Some workplaces explicitly prohibit the use of Bluetooth on mobile devices whilst on their premises,[173] which could mean that some employees could be in violation of their employment agreements if they use the COVIDSafe App on their mobile devices whilst at work or whilst remotely connected to work networks.

Recognising the security risks that Bluetooth poses, the Australian Government’s Information Security Manual contains controls which require ‘mobile devices [be] configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing’.[174] In 2017, the US National Institute of Standards and Technology released Report 800-121, a Guide to Bluetooth Security, which outlines recommended steps that organisations should take to avoid being vulnerable to Bluetooth exploits.[175] Pages 37–41 of that Report set out a lengthy list of vulnerabilities and known exploits which affect various versions of Bluetooth.

Victims of domestic violence should also consider whether leaving Bluetooth running on their mobile devices will increase their personal safety risks. The Australian government’s own Office of the eSafety Commissioner explicitly recommends such persons should not use Bluetooth in public: ‘If security is a worry for you, avoid pairing devices in public places’.[176]

Bluetooth vulnerabilities have been exploited for nearly two decades.[177] A quick search of the dark web reveals several guides for how to implement Bluetooth exploits for sale and exploit kits containing Bluetooth attack tools.[178] There is evidence that an East Asian focused Advanced Persistent Threat team, ScarCruft, has been using a Bluetooth attack in its arsenal of tricks for more than a year.[179] Cyber criminals have quickly adapted their attack strategies to exploit general fears about the COVID-19 virus.[180] Consequently, it is highly likely that the Bluetooth-based COVIDSafe App and its installed Bluetooth-using userbase will be targeted by cyber-attackers.

B Privacy Risks

The COVIDSafe App has been the subject of considerable debate by scholars and industry experts in relation to the extent to which Australian government departments, law enforcement agencies and intelligence agencies might be able to infringe upon the privacy of Australians who use that App.[181] The initial Biosecurity Determination was subject to considerable criticism, much of which has been addressed in the new Part VIIIA of the Privacy Act. However, whilst no amendments were made to that legislation, it is subject to review by Parliamentary Committees which may recommend further amendments.[182] In particular, the Contact Tracing Amendment does not contain requirements on state and territory health agencies that have downloaded data from the NCDS to implement data minimisation principles, such as deleting that data when it is no longer needed for the purposes of fighting the viral pandemic. Nor does the Contact Tracing Amendment classify as ‘sensitive information’ under the Privacy Act data collected by the COVIDSafe App and the NCDS.[183] The Contact Tracing Amendment allows data to be stored on the NCDS for an indefinite period of time (ie until the Health Minister declares the COVID-19 pandemic to be over).[184]

Given the extensive analysis by scholars of the ways in which the public sector might exploit the COVIDSafe App and NCDS to infringe upon privacy, this Part will focus on how the private sector in Australia might exploit the COVIDSafe App to infringe upon individuals’ privacy.

The COVIDSafe App does not operate in a technological vacuum. Rather, it is being launched into a digital ecosystem with many other apps and pre-existing Bluetooth movement tracking infrastructure. For example, Westfield Shopping Centres state in their privacy policy that

When customers use mobile applications developed by Scentre [the owner of Westfield], ... or third party applications utilising Scentre’s infrastructure (including Bluetooth beacon networks), customers provide Scentre with certain information, including their contact details and location. Scentre collects this information to enable customers to be informed about upcoming events, activities and promotions, both in-centre and as part of Scentre's other activities, sponsor and retailer promotions and other activities.[185]

Aldi Supermarket’s privacy policy states:

We may also use mobile phone technology to track your movement within certain ALDI stores for the purpose of optimising the merchandising and layout of our stores. If you do not wish to participate you may turn off Bluetooth and WiFi capability on your mobile device.[186]

Sydney Airport’s privacy policy states:

Where a device (for example mobile telephones, tablets or laptops) is identifiable by our Wi-Fi or Bluetooth networks at Sydney Airport, we or our third party service providers may collect data relating to the device identification code and its location. We use this data to better understand space utilisation and passenger flows for security purposes and in order to improve the customer experience and our services.[187]

Australians typically have installed quite a few apps on their mobile phones, so the COVIDSafe App will be installed in addition to those previously-installed apps. Previously-installed apps have permissions which are often turned on by default when first installed (many people simply click accept when an app asks for permissions on their phone).[188] Some apps try to communicate with third parties through Bluetooth,[189] but cannot communicate with those third parties unless Bluetooth is functioning on the phone (similar to the way in which the COVIDSafe App itself needs Bluetooth to be activated on a mobile device to work properly). A privacy-conscious mobile device user can install an app but not turn on Bluetooth. An even more privacy-conscious and security-conscious mobile phone owner can sort through the permission requests of every app installed on their mobile phone to deny most of those permissions.[190] Unfortunately, the average mobile device user is unlikely to have taken those steps to effectively control app access authorisations.[191]

Operators of shopping centres and retail stores who have installed Bluetooth beacons for customer-tracking purposes can exploit Australians’ use of the COVIDSafe App to increase their collection of information about users’ habits (and possibly their identities) only because those App users were complying with a government recommendation to install that App.[192] Google operates Project Beacon through which it sends physical Bluetooth beacons to stores to use with Google AdWords.[193] Individuals who have installed other apps on their mobile devices, particularly free apps, which have software code within them, will have information transmitted about them via Bluetooth to the operator of such Bluetooth beacons.[194]

Although they may contain similar information (potentially the identity of the mobile device user, information about the mobile device, the date and time at which that user was in proximity to the Bluetooth beacon), the databases of Bluetooth beacon information collected by private sector businesses are not subject to the protections in Part VIIIA of the Privacy Act relating to the COVIDSafe App because that data was not collected from either the COVIDSafe App or the NCDS. Instead, the existence of a parallel Bluetooth private sector infrastructure does not appear to have been considered by the Australian government when it developed the COVIDSafe App or this legislation.

Whilst other provisions of the Privacy Act would regulate the datasets collected by operators of Bluetooth beacon infrastructure,[195] it is unlikely that many members of the public who have followed the Prime Minister’s call to install the COVIDSafe App (and activated Bluetooth on their mobile devices to enable that App to work) were aware of the existence of such private sector Bluetooth tracking systems, nor had read the terms and conditions of shopping centres or stores to realise that they could be sacrificing aspects of their privacy to the private sector whilst trying to help reduce the rate at which community transmission of the COVID-19 virus occurred in Australia.

This Part has explored how the COVIDSafe App imposes negative externalities in relation to cybersecurity risks and privacy risks onto some Australian individuals and businesses. At present, the government’s digital contact tracing strategy does not appear to have included procedures to effectively remedy those negative externalities. The next Part analyses the consequences of the efficacy, equity and externality issues covered in Parts IV–VI of this article.

VII ANALYSIS

In the late 1990s, Lawrence Lessig wrote one of the seminal works of Internet regulatory theory, Code and Other Laws of Cyberspace, in which he argued that there were four modalities of regulation which can constrain behaviour: laws, market forces, norms and physical architecture (including software code).[196] Each of these modalities has different advantages and disadvantages, so policy makers can choose which one (or combination) of them to achieve their regulatory goals.[197]

Widely cited, the idea that software code is law has been subject to some scholarly critique.[198] For example, Grimmelmann argued that software should be regarded as a separate modality of regulation because it is automated, immediate, plastic, and consequently a more sophisticated form of regulation than physical architecture.[199] His analysis demonstrated that software is rules-based (rather than standards-based); whilst architectural standards are transparent, software code can be hidden by licensing terms (closed-source) or through obfuscation; software is ex ante regulation so its rules cannot (generally) be ignored; and software is fragile because it is hackable and lacks robustness.[200] Mayer-Schönberger critiqued the linearity of Lessig’s claim that markets drive technology, which in turn shapes society. He argued that the existence of information asymmetry would undermine the possibility that markets would effectively drive choice (whereas network effects have created feedback loops that facilitated the emergence of online monopolies) and that software is often a ‘market for lemons’ because users cannot easily tell whether those products will work effectively and will not be altered in the future to limit their choices.[201]

Arguably, what has been seen with the rapid development and rollout of the COVIDSafe App was a classic[202] example of an attempt to achieve a regulatory goal (decreased rates of community transmission of the COVID-19 virus) through adoption of what was perceived to be an architectural solution.[203] Complicating the achievement of this goal has been that the COVIDSafe App is not just Layer 7 software[204] – as it relies upon Bluetooth, it is more accurately characterised as a cyber-physical system[205] which feeds signal strength information from the radio layer (Layer 1) into its Layer 7 software. The inherent inaccuracy and unreliability of measuring in the real world the distance between two people based on a proxy of the received signal strength of their mobile phones (Layer 1 technical limitations) has undermined the efficacy of the (Layer 7) software code used in the COVIDSafe App and the NCDS as a public health screening test. Further problems have been created by the failure to consider the broader infrastructure environment in which digital contact tracing apps have been launched – they have been rolled out into a world in which exist private ecosystems of Bluetooth-based tracking systems that are not subject to the protections legislated to assuage the public’s privacy concerns with the COVIDSafe App.

Combining those efficacy problems with its equity challenges appears to have prevented the COVIDSafe App from making a significant or effective contribution to fighting this viral pandemic.[206] The well-known problems of rapid software development (ie minimal viable product)[207] in imposing cybersecurity externalities and privacy externalities have also increased the costs to Australian society of this regulatory solution. Attempting to patch some of these complex problems associated with a cyber-physical system through legislation has been insufficient.[208] State government based QR code applications have seen significantly wider adoption by the Australian public than the COVIDSafe App.[209]

That hastily developed government regulatory proposals may have unintended consequences is well-known.[210] Fortunately, the public sector has developed over the past few decades a control which is meant to assist government departments to identify ex ante when policy proposals may cause greater harms than they deliver in benefits to Australians, ie regulatory impact analysis.[211]

One month before the COVIDSafe App was released, the Commonwealth Office of Best Practice Regulation within the Office of Prime Minister and Cabinet released its updated ‘Australian Government Guide to Regulatory Impact Analysis’[212] and regulatory Guidance Note, ‘Cost-Benefit Analysis’.[213] That Guidance Note sets out the government’s preferred strategy for assessing regulatory proposals ‘in order to encourage better decision making’.[214] Unfortunately, whilst the Department of Health’s website makes public the Privacy Impact Assessment of the COVIDSafe App, a search of that COVID-19 virus-related publication on that website for ‘cost benefit’ and ‘regulatory impact assessment’ revealed zero results. Whilst the Explanatory Memorandum to the Contact Tracing Amendment contains a statement of its conformance with human rights principles,[215] that document does not set out either a cost-benefit analysis or a regulatory impact assessment for the App.

In the context of a viral pandemic, the tempo of policy development by all Australian governments has, understandably, been accelerated.[216] However, given the Contact Tracing Amendment contains a six-monthly reporting requirement for the Health Minister and the Office of the Australian Information Commissioner, it is hoped that their reports will provide evidence and analysis of the costs and benefits of the COVIDSafe App.[217]

As of June 2021, evidence for the benefits of the COVIDSafe App appears scant. Contact tracing units have not found the COVIDSafe App useful during occasional pandemic outbreaks across Australia.[218] Government reports suggest that only 17 individuals not known to manual contact tracers who were notified via the App to seek testing have tested positive for the COVID-19 virus and 544 individuals have been identified as contacts who were unknown to manual contact tracers at the time.[219] Whilst detection of less than 1% of COVID-19 cases is better than zero, the rate of false positives and false negatives is currently unknown. The Department of Health admitted ‘BLE technology had not previously been used to perform contact tracing, and its benefits and limitations were uncovered through its use’.[220] Use of the COVIDSafe App by the Australian public appears to be relatively low.[221] Thus, at this stage, it is arguable that the benefits of the COVIDSafe App appear to be minimal and its costs significant (ie due to its efficacy and equity issues and the externalities it imposes). Evidence of government practice suggests that the COVIDSafe App no longer plays a significant role in fighting the COVID-19 pandemic in Australia: during the most recent Delta-strain Coronavirus outbreak in Sydney (which started in June 2021), focus has been on requiring the public to use QR code-based registration at venues rather than to use the COVIDSafe App.[222]

In other countries, digital contact tracing apps appear to have lost their appeal to governments as second wave outbreaks indicate that those apps have not delivered the benefits originally claimed for them.[223] In terms of their claimed effectiveness as sunscreen, digital contact tracing apps such as the COVIDSafe App appear (at this stage) to be closer to tanning lotion.

VIII CONCLUSION

This article has explored the Australian government’s implementation of a health screening test through digital contact tracing during the early stages of the COVID-19 pandemic in 2020. After setting out the legislative basis for this policy, it has identified significant issues with the efficacy of the Bluetooth technology upon which the COVIDSafe App depends. Such technological limitations mean that the data generated by the App which can be subsequently analysed by the NCDS is of low quality. As a health screening test, the COVIDSafe App is a regressive strategy because the digital divide in Australia and the way the virus spreads through the community mean that the App provides greatest benefits to those who are at lower risk of being harmed by the virus and fewest benefits to those at greatest risk of harm.[224] These significant equity issues do not appear to have been adequately dealt with through compensatory measures within the government’s digital contact tracing strategy.

Due to the inherent insecurities in Bluetooth, the COVIDSafe App imposes negative cybersecurity externalities onto Australian businesses and some individuals who use it. Due to the existence of private sector Bluetooth beacon infrastructure, the App imposes negative privacy externalities onto some Australian individuals who use it. Whilst these negative externalities are not universally experienced, it is arguable that individuals should assess their own exposure to those risks before deciding whether their perceived benefits from using the App (despite its efficacy problems) outweigh the costs which could be incurred if those risks crystallised into actual losses.

Businesses should assess their exposure to cybersecurity risks from their employees using the App on their mobile devices whilst either in the office or working from home. Although the legislation prohibits the denial of services or access to individuals on the basis of their not using the App, it does not appear to prohibit businesses from requiring employees to refrain from using the App whilst working. For some organisations, the risks of allowing Bluetooth-enabled mobile devices to operate whilst remotely connected to work networks or whilst physically present in the office may be sufficiently high that such prohibitions would be necessary. As this may be a sensitive topic with employees, care may be needed when broaching that topic.

Although the Australian government’s digital contact tracing strategy has been branded as an app, it is not just code within Lessig’s four modalities of regulation. Arguably, as it uses Bluetooth Layer 1 received signal strength as a proxy to determine distance between individuals, the COVIDSafe App is more than mere code – it could more accurately be characterised as a cyber-physical system.

Whilst the COVIDSafe App remains part of the Australian government’s COVID-19 pandemic response strategy, it would be useful for the government to include within its six-monthly reports by the Health Minister and/or the Office of the Australian Information Commissioner detailed information on regulatory impact assessments and/or cost-benefit analyses that have been done on the App. It is only by transparently measuring the App’s effectiveness that the public’s confidence can be maintained in the value of the government’s digital contact tracing strategy through the COVIDSafe App. At this stage, the COVIDSafe App appears to be closer to tanning lotion than sunscreen.


* Honorary Research Fellow, Centre for Risk Analytics, Macquarie University. Correspondence to Dr John Selby: john.selby@mq.edu.au.

Although the benefits of using sunscreen are now well-known, during the author’s childhood a belief still existed that tanned skin was healthy. Tanning lotions, such as Le Tan, were marketed as products which accelerated the rate at which skin would develop a suntan. The significant rise in skin cancer rates in Australia in recent decades has demonstrated the illusory benefits of such tanning lotions as compared to the scientifically informed benefits of wearing high-SPF sunscreen. See, eg, Neil Shoebridge, ‘Le Tan Jostles to Win Back Its Place in the Sun’, Australian Financial Review (online, 1 August 1994) <https://www.afr.com/companies/le-tan-jostles-to-win-back-its-place-in-the-sun-19940801-kaumt>.

[1] Ronald Mizen, ‘COVIDSafe: A Tale of Two Apps’, Australian Financial Review (online, 20 July 2020) <https://www.afr.com/technology/covidsafe-a-tale-of-two-apps-20200717-p55cze>.

[2] Andrew Brown, ‘Lobby Group Paid TikTok Influencers to Promote COVIDSafe App’, The Canberra Times (online, 15 July 2020) <https://www.canberratimes.com.au/story/6834993/lobby-group-let-us-play-paid-tiktok-influencers-to-promote-covidsafe-app/>.

[3] Vivienne Kelly, ‘Government Ramps Up Advertising Push for Covid Safe App’, Mumbrella (online, 6 May 2020) <https://mumbrella.com.au/government-ramps-up-advertising-push-for-covid-safe-app-627159>.

[4] Jonathan Kearsley and Luke Cooper, ‘Coronavirus: Government’s COVIDSafe App Could Have Cost “Tens of Millions” for Zero Tracing Results’, 9News (online, 20 July 2020) <https://www.9news.com.au/national/coronavirus-covidsafe-app-could-have-cost-contact-tracing-millions-in-advertising-government-health-news/bd69cbbe-ad14-4547-baf9-eb81aead1198>; Samantha Dick, ‘COVIDSafe App: The $8 Million Ticket to the Pub That Has Barely Been Used’, The New Daily (online, 4 June 2021) <https://thenewdaily.com.au/news/coronavirus/2021/06/04/covidsafe-app-cost/>.

[5] ‘Coronavirus Disease (COVID-19) Pandemic’, World Health Organization (Web Page, 2021) <https://www.who.int/emergencies/diseases/novel-coronavirus-2019>.

[6] ‘COVIDSafe App’, Australian Government Department of Health (Web Page, 26 July 2021) <https://www.health.gov.au/resources/apps-and-tools/covidsafe-app>.

[7] Digital Transformation Agency, ‘DTA Publicly Releases COVIDSafe Application Source Code’ (Media Release, 8 May 2020) <https://www.dta.gov.au/news/dta-publicly-releases-covidsafe-application-source-code>.

[8] Digital Transformation Agency, ‘The Next Release of COVIDSafe is Live’ (Media Release, 14 May 2020) <https://www.dta.gov.au/news/next-release-covidsafe-live>.

[9] Interview with John Selby (Matt Doran and Monique Wright, Weekend Sunrise, 2 May 2020) <https://7news.com.au/technology/coronavirus-the-bluetooth-dangers-to-be-aware-of-c-1012930>.

[10] Dick (n 4): ‘When asked this week if the COVIDSafe app had been used during Victoria’s current [May 2021] outbreak, health officials openly laughed. “No, not to my knowledge,” the state’s Health Minister Martin Foley responded. “And I’m sure in such a rare event, it would have been brought to my attention”’.

[11] Denham Sadler, ‘COVIDSafe Hasn’t Found Any Contacts This Year’, InnovationAus (online, 2 June 2021) <https://www.innovationaus.com/covidsafe-hasnt-found-any-contacts-this-year/>.

[12] See generally Lawrence Lessig, Code: And Other Laws of Cyberspace Version 2.0 (Basic Books, 2006).

[13] See generally John M Barry, The Great Influenza: The Story of the Deadliest Pandemic in History (Penguin, 2005); Laura Spinney, Pale Rider: The Spanish Flu of 1918 and How It Changed the World (Hachette Books, 2017).

[14] Helen Davidson, ‘First COVID-19 Case Happened in November, China Government Records Show’, The Guardian (online, 13 March 2020) <https://www.theguardian.com/world/2020/mar/13/first-covid-19-case-happened-in-november-china-government-records-show-report>.

[15] ‘Timeline of WHO’s Response to COVID-19’, World Health Organization (Web Page, 29 June 2020) <https://www.who.int/news-room/detail/29-06-2020-covidtimeline>.

[16] See, eg, Giuseppina La Rosa et al, ‘SARS-CoV-2 Has Been Circulating in Northern Italy Since December 2019: Evidence from Environmental Monitoring’ (2021) 750 Science of the Total Environment 141711:1–8. One Spanish sewage study claims to have detected COVID-19 in samples from March 2019 but did not find subsequent evidence of that virus’ presence until early 2020, casting doubt on the accuracy of claims that the virus was circulating in Europe during the first half of 2019: Claire Crossan, ‘Was Coronavirus Really in Europe in March 2019?’, The Conversation (online, 29 June 2020) <https://theconversation.com/was-coronavirus-really-in-europe-in-march-2019-141582>; Gemma Chavarria-Miró et al, ‘Time Evolution of Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2) in Wastewater during the First Pandemic Wave of COVID-19 in the Metropolitan Area of Barcelona, Spain’ (2021) 87(7) Applied Environmental Microbiology e07250-20:1–9; Gislaine Fongaro et al, ‘The Presence of SARS-CoV-2 RNA in Human Sewage in Santa Catarina, Brazil, November 2019’ (2021) 778 Science of the Total Environment 146198:1–4.

[17] ‘Home’, Johns Hopkins University of Medicine: Coronavirus Resource Center (Web Page, 1 September 2020) <https://web.archive.org/web/20200831223425/https://coronavirus.jhu.edu/>.

[18] Dyani Lewis, ‘Mounting Evidence Suggests Coronavirus Is Airborne: But Health Advice Has Not Caught Up’, Nature (online, 8 July 2020) <https://www.nature.com/articles/d41586-020-02058-1>; ‘Coronavirus (COVID-19): How Is It Transmitted?’, World Health Organization (Web Page, 30 April 2021) <https://www.who.int/emergencies/diseases/novel-coronavirus-2019/question-and-answers-hub/q-a-detail/q-a-how-is-covid-19-transmitted>.

[19] David O Meltzer et al, ‘Association of Vitamin D Status and Other Clinical Characteristics with COVID-19 Test Results’ (2020) 3(9) JAMA Network Open e2019722:1–12.

[20] ‘Symptoms of COVID-19 and How the Virus Spreads’, HealthDirect (Web Page, March 2021) <https://www.healthdirect.gov.au/coronavirus-covid-19-symptoms-and-how-the-virus-spreads-faqs>.

[21] Shikha Garg et al, ‘Hospitalization Rates and Characteristics of Patients Hospitalized with Laboratory-Confirmed Coronavirus Disease 2019: COVID-NET, 14 States, March 1–30, 2020’ (2020) 69(15) Morbidity and Mortality Weekly Report 458. The Economist’s model of Coronavirus hospitalisation and mortality rates indicated hospitalisation rates in the United States of America (‘US’) rose above 20% for males aged 66+ and females aged 78+ (without co-morbidities): ‘See How Age and Illnesses Change the Risk of Dying from COVID-19’, The Economist (online, 11 March 2021) <https://www.economist.com/graphic-detail/covid-pandemic-mortality-risk-estimator>.

[22] Susan J Tzotzos et al, ‘Incidence of ARDS and Outcomes in Hospitalised Patients with COVID-19: A Global Literature Study’ (2020) 24 Critical Care 516: 1–4, 1–3.

[23] See generally Peter G Gibson, Ling Qin and Ser Hon Puah, ‘COVID-19 Acute Respiratory Distress Syndrome (ARDS): Clinical Features and Differences from Typical Pre-COVID-19 ARDS’ (2020) 213(2) Medical Journal of Australia 54; Charles J Lowenstein and Scott D Solomon, ‘Severe COVID-19 Is a Microvascular Disease’ (2020) 142(17) Circulation 1609.

[24] Grace Huckins, ‘COVID Kills More Men than Women. Experts Still Can’t Explain Why’, Wired (online, 9 July 2020) <https://www.wired.com/story/covid-kills-more-men-than-women-experts-still-cant-explain-why/>; Pamela Duncan, ‘Men Die of Coronavirus at Twice Women’s Rate in England and Wales’, The Guardian (online, 16 April 2020) <https://www.theguardian.com/world/2020/apr/16/men-die-of-coronavirus-at-twice-womens-rate-in-england-and-wales>; Liam Mannix, ‘Men Are More Likely to Die from COVID-19 than Women: Why?’, Sydney Morning Herald (online, 22 April 2020) <https://www.smh.com.au/national/men-are-more-likely-to-die-from-covid-19-than-women-why-20200422-p54m8b.html>.

[25] Derek K Chu et al, ‘Physical Distancing, Face Masks and Eye Protection to Prevent Person-to-Person Transmission of SARS-CoV-2 and COVID-19: A Systematic Review and Meta-Analysis’ (2020) 395(10242) Lancet 1973.

[26] For example, the city of Melbourne entered a multi-week Stage IV lockdown on 2 August 2020: ‘Victoria’s Restriction Level’, Victoria State Government Health and Human Services (Web Page, 20 August 2020) <https://web.archive.org/web/20200820150953/https://www.dhhs.vic.gov.au/victorias-restriction-levels-covid-19>.

[27] See, eg, ‘Coronavirus (COVID-19) Advice for International Travellers’, Australian Government Department of Health (Web Page, 1 September 2021) <https://www.health.gov.au/news/health-alerts/novel-coronavirus-2019-ncov-health-alert/coronavirus-covid-19-restrictions/coronavirus-covid-19-advice-for-international-travellers>; ‘Queensland Border Restrictions’, Queensland Government (Web Page, 24 August 2020) <https://web.archive.org/web/20200824121100/https://www.covid19.qld.gov.au/government-actions/border-closing>.

[28] World Health Organization, Coronavirus Disease (COVID-19) (Situation Report No 198, 5 August 2020) 9, 12. Updated situation reports released weekly by the World Health Organization can be found at: ‘Coronavirus Disease (COVID-19) Weekly Epidemiological Update and Weekly Operational Update’, World Health Organization (Web Page, 2021) <https://www.who.int/emergencies/diseases/novel-coronavirus-2019/situation-reports>.

[29] ‘Tracking SARS-CoV-2 Variants’, World Health Organization (Web Page, 13 August 2021) <https://web.archive.org/web/20210815095245/https://www.who.int/en/activities/tracking-SARS-CoV-2-variants/>; Kai Kupferschmidt, ‘Fast-Spreading UK Virus Variant Raises Alarms’ (2021) 371(6524) Science 9, 10; Antony Sguazzin, ‘South African Virus Strain More Transmissible, Not More Severe’, Bloomberg (online, 8 January 2021) <https://www.bloomberg.com/news/articles/2021-01-07/s-africa-virus-strain-more-transmissible-not-more-severe>; ‘WHO Announces Simple, Easy-to-Say Labels for SARS-CoV-2 Variants of Interest and Concern’, World Health Organization (Web Page, 31 May 2021) <https://www.who.int/news/item/31-05-2021-who-announces-simple-easy-to-say-labels-for-sars-cov-2-variants-of-interest-and-concern>.

[30] Jeffrey Seow et al, ‘Longitudinal Observation and Decline of Neutralizing Antibody Responses in the Three Months Following SARS-CoV-2 Infection in Humans’ (2020) 5(12) Nature Microbiology 1598; Luke Taylor, ‘COVID-19: Is Manaus the Final Nail in the Coffin for Natural Herd Immunity?’ (2021) 372 British Medical Journal n394: 1–2.

[31] Andrew Joseph, ‘First COVID-19 Reinfection Documented in Hong Kong, Researchers Say’, Stat (online, 24 August 2020) <https://www.statnews.com/2020/08/24/first-covid-19-reinfection-documented-in-hong-kong-researchers-say/>.

[32] Colby Cosh, ‘Colby Cosh: How the British Got Their COVID-19 Strategy So Wrong (But Might Still Be Right)’, National Post (online, 23 March 2020) <https://nationalpost.com/opinion/colby-cosh-how-the-british-got-their-covid-19-strategy-so-wrong-but-might-still-be-right>.

[33] Carolyn Barber, ‘COVID-19 Can Wreck Your Heart, Even If You Haven’t Had Any Symptoms’, Scientific American (Blog Post, 31 August 2020) <https://www.scientificamerican.com/article/covid-19-can-wreck-your-heart-even-if-you-havent-had-any-symptoms/>.

[34] ‘COVID-19 (Coronavirus): Long-Term Effects’, Mayo Clinic (Web Page, 18 August 2020) <https://www.mayoclinic.org/diseases-conditions/coronavirus/in-depth/coronavirus-long-term-effects/art-20490351>.

[35] Derek Lowe, ‘Coronavirus Vaccine Roundup, Early September’, Science: Translational Medicine (Blog Post, 3 September 2020) <https://blogs.sciencemag.org/pipeline/archives/2020/09/03/coronavirus-vaccine-roundup-early-september>; Alex Phillippidis, ‘COVID-19 Drug & Vaccine Candidate Tracker’, Genetic Engineering & Biotechnology News (Web Page, 18 May 2020) <https://www.genengnews.com/covid-19-candidates/covid-19-drug-and-vaccine-tracker/>.

[36] Jessica Murray, ‘COVID Vaccine: UK Woman Becomes First in World to Receive Pfizer Jab’, The Guardian (online, 9 December 2020) <https://www.theguardian.com/world/2020/dec/08/coventry-woman-90-first-patient-to-receive-covid-vaccine-in-nhs-campaign>.

[37] Zania Stamataki, ‘Pfizer Vaccine: What an “Efficacy Rate Above 90%” Really Means’, The Conversation (online, 11 November 2020) <https://theconversation.com/pfizer-vaccine-what-an-efficacy-rate-above-90-really-means-149849>; Azeem Majeed, Marisa Papaluca and Mariam Molokhia, ‘Assessing the Long Term Safety and Efficacy of COVID-19 Vaccines’ (2021) 114(7) Journal of the Royal Society of Medicine 337, 337.

[38] ‘Contact Tracing for Coronavirus (COVID-19): How It’s Done in Queensland’, Queensland Health (Web Page, 23 March 2020) <https://www.health.qld.gov.au/news-events/news/contact-tracing-novel-coronavirus-covid-19-confirmed-case-notify-Queensland>.

[39] ‘Scaling Up Staffing Roles in Case Investigation and Contact Tracing’, Centers for Disease Control and Prevention (Web Page, 3 December 2020) <https://www.cdc.gov/coronavirus/2019-ncov/php/contact-tracing/contact-tracing-plan/scaling-staff.html>.

[40] ‘BlueTrace Protocol’, BlueTrace Protocol (Web Page, 3 September 2020) <https://bluetrace.io/>.

[41] Dean Koh, ‘Singapore Government Launches New App for Contact Tracing to Combat Spread of COVID-19’, MobiHealth News (online, 20 March 2020) <https://www.mobihealthnews.com/news/asia-pacific/singapore-government-launches-new-app-contact-tracing-combat-spread-covid-19>.

[42] BluetoothLE was introduced as v4 of the Bluetooth protocol: Bluetooth Special Interest Group, ‘Specification of the Bluetooth System: Architecture and Terminology Overview’ (Specification No 1, 30 June 2010) 20 [1.2].

[43] Isobel Braithwaite et al, ‘Automated and Partly Automated Contact Tracing: A Systematic Review to Inform the Control of COVID-19’ (2020) 2(11) Lancet Digital Health 607, 610–12 [Table 1]; Muhammad Shahroz et al, ‘COVID-19 Digital Contact Tracing Applications and Techniques: A Review Post Initial Deployments’ (2021) 5 Transportation Engineering 100072: 2–4.

[44] ‘Technology behind COVIDSafe’, Australian Government (Web Page, 15 December 2020) <https://covidsafe.gov.au/technology.html#herald>.

[45] Maddocks, Department of Health: The COVIDSafe Application (Report, 24 April 2020) 17–18; ‘Protect Yourself and the Community’, CovidSafe (Web Page, 2021) <https://covidsafe.gov.au/index.html>.

[46] Australian Government Department of Health, ‘COVIDSafe App: How Does It Work?’ (YouTube, 4 June 2020) 00:00:59 <https://www.youtube.com/watch?v=JI3uPu9sYRg>.

[47] Denham Sadler, ‘DTA Seeks New Contractors for COVIDSafe’, InnovationAus (online, 24 July 2020) <https://www.innovationaus.com/dta-seeks-new-contractors-for-covidsafe/>.

[48] ‘Given the general public interest surrounding the development and implementation of the App, we recognise that widespread community consultation would have been desirable for this PIA process. However, the truncated timeframes have meant that it has simply not been possible for us to conduct stakeholder workshops with the many individuals or groups that might be impacted by the issues raised by this PIA’: Maddocks (n 45) 14.

[49] Biosecurity Act 2015 (Cth) ss 4739 (‘Biosecurity Act’).

[50] The Parliament cannot exercise its power under section 42 of the Legislation Act 2003 (Cth) to pass a motion to overturn or repeal this emergency declaration: ibid s 475(2).

[51] Ibid s 475(3).

[52] Ibid ss 475(4), 476(1).

[53] Explanatory Statement, Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements – Public Health Contact Information) Determination 2020 (Cth) 10.

[54] In the first instance, this power was used to preclude international cruise ships from entering Australian waters without permission unless those ships had already been at sea since 15 March 2020 and were bound directly to arrive in an Australian port: Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements) Determination 2020 (Cth) (‘Biosecurity Determination’).

[55] Explanatory Statement, Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements – Public Health Contact Information) Determination 2020 (Cth) 1.

[56] Biosecurity Determination 2020 (Cth) cl 4.

[57] Maddocks (n 45).

[58] Biosecurity Determination 2020 (Cth) cls 6, 7.

[59] Ibid cls 8, 9.

[60] See, eg, Graham Greenleaf and Katharine Kemp, ‘Australia’s “COVIDSafe” Law for Contact Tracing: An Experiment in Surveillance and Trust’ (2021) 11(3) International Data Privacy Law 257 (‘“COVIDSafe” Law for Contact Tracing’).

[61] Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (‘Contact Tracing Amendment’).

[62] Ibid s 94B.

[63] Ibid ss 94D–J.

[64] Ibid sch 2.

[65] Ibid ss 94Q–W.

[66] Ibid s 94X.

[67] Ibid s 94L.

[68] Ibid s 94K.

[69] Ibid s 94M.

[70] Ibid s 94N.

[71] Ibid ss 94ZA–ZB; Angelene Falk, COVIDSafe Report May–November 2020 (Report, 23 November 2020). Combining its first two required reports, the Commonwealth Department of Health only released its first COVIDSafe report on 26 July 2021, more than one year after the COVIDSafe App was first introduced: Australian Government, Report on the Operation and Effectiveness of COVIDSafe and the National COVIDSafe Data Store: 16 May 2020 to 15 November 2020, 16 November 2020 to 15 May 2021 (Report, July 2021) (‘Report on COVIDSafe’).

[72] Greenleaf and Kemp, ‘“COVIDSafe” Law for Contact Tracing’ (n 60).

[73] ‘Background to COVIDSafe’, Australian Government (Web Page, 2020) <https://www.covidsafe.gov.au/background.html>.

[74] A screening test is ‘a medical test or procedure performed on members (subjects) of a defined asymptomatic population or population subgroup to assess the likelihood of their members having a particular disease. With few exceptions, screening tests do not diagnose the illness. Rather subjects who test positive typically require further evaluation with subsequent diagnostic tests or procedures’: L Daniel Maxim, Ron Niebo and Mark J Utell, ‘Screening Tests: A Review with Examples’ (2014) 26(13) Inhalation Toxicology 811, 811 (emphasis omitted) (citations omitted).

[75] Ibid 813.

[76] Ibid.

[77] Ibid 812.

[78] ‘COVIDSafe App’, Australian Government Department of Health (Web Page, 26 July 2021) <https://www.health.gov.au/resources/apps-and-tools/covidsafe-app>; Dinesh Kumar and PJ Radcliffe, ‘False Positives, False Negatives: It’s Hard to Say If the COVIDSafe App Can Overcome Its Shortcomings’, The Conversation (online, 18 May 2020) <https://www.theconversation.com/false-positives-false-negatives-its-hard-to-say-if-the-covidsafe-app-can-overcome-its-shortcomings-138129>.

[79] Maxim, Niebo and Utell (n 74) 815.

[80] Ashkan Soltani, Ryan Calo and Carl Bergstrom, ‘Contact-Tracing Apps Are Not a Solution to the COVID-19 Crisis’, Brookings (Blog Post, 27 April 2020) <https://www.brookings.edu/techstream/inaccurate-and-insecure-why-contact-tracing-apps-could-be-a-disaster/>.

[81] Hassan Vally, ‘Got a COVID-19 Test in Victoria and Still Haven’t Got Your Results? Here’s What May Be Happening: And What to Do’, The Conversation (online, 16 July 2020) <https://theconversation.com/got-a-covid-19-test-in-victoria-and-still-havent-got-your-results-heres-what-may-be-happening-and-what-to-do-142821>.

[82] ‘Physical Distancing for Coronavirus (COVID-19)’, Australian Government Department of Health (Web Page, 26 June 2020) <https://www.health.gov.au/news/health-alerts/novel-coronavirus-2019-ncov-health-alert/how-to-protect-yourself-and-others-from-coronavirus-covid-19/physical-distancing-for-coronavirus-covid-19>.

[83] ‘NZ COVID Tracer App’, Ministry of Health (Web Page, 24 May 2021) <https://www.health.govt.nz/our-work/diseases-and-conditions/covid-19-novel-coronavirus/covid-19-resources-and-tools/nz-covid-tracer-app>.

[84] Matthew PJ Ashby, ‘The Value of CCTV Surveillance Cameras as an Investigative Tool: An Empirical Analysis’ (2017) 23(3) European Journal on Criminal Policy and Research 441, 454–5. See generally Robert Carr, ‘Surveillance Politics and Local Government: A National Survey of Federal Funding for CCTV in Australia’ (2016) 29(4) Security Journal 683; Tehilla Shwartz Altshuler and Rachel Aridor Hershkovitz, Digital Contact Tracing and the Coronavirus: Israeli and Comparative Perspectives (Research Report, August 2020).

[85] Joy Buolamwini and Timnit Gebru, ‘Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification’ (2018) 81 Proceedings of Machine Learning Research 77, 77; Willie Jones, ‘Racial Profiling Goes High Tech with Facial Recognition: Biased Facial Recognition System Disproportionately Labels Minority UCLA Students and Faculty as Criminals’, Institute of Electrical and Electronics Engineers Spectrum (online, 24 Feb 2020) <https://spectrum.ieee.org/do-you-have-the-right-complexion-for-facial-recognition>.

[86] Altshuler and Hershkovitz (n 84) 6.

[87] Michael Birnbaum and Christine Spolar, ‘Coronavirus Tracking Apps Meet Resistance in Privacy-Conscious Europe’, The Washington Post (online, 18 April 2020) <https://www.washingtonpost.com/world/europe/coronavirus-tracking-app-europe-data-privacy/2020/04/18/89def99e-7e53-11ea-84c2-0792d8591911_story.html>; Youjing Cui and Shuzhi Sam Ge, ‘Autonomous Vehicle Positioning With GPS in Urban Canyon Environments’ (2003) 19(1) Institute of Electrical and Electronics Engineers Transactions On Robotics And Automation 15, 15; Devanshi, Sunil Agrawal and Sarvjit Singh, ‘Indoor Localization Based on Bluetooth Technology: A Brief Review’ (2014) 97(8) International Journal of Computer Applications 31, 32. See generally Rashmi Bajaj, Samantha Ranaweera and Dharma Agrawal, ‘GPS: Location Tracking Technology’ (2002) 35(4) Computer 92.

[88] Shannon Liao, ‘Why GPS-Dependent Apps Deplete Your Smartphone Battery’, The Verge (online, 17 August 2018) <https://www.theverge.com/2018/8/17/17630872/smartphone-battery-gps-location-services>.

[89] Sarah Basford, ‘Police Deny Phone Tracking Coronavirus Cases but Experts Think It Might Soon Change’, Gizmodo (online, 26 March 2020) <https://www.gizmodo.com.au/2020/03/police-deny-phone-tracking-coronavirus-cases-but-experts-think-it-might-soon-change/>.

[90] Mark Bennett, ‘Illegal Mobile Phone Signal Boosters Causing Problems for Other Network Users’, ABC News (online, 7 March 2015) <https://www.abc.net.au/news/2015-03-07/mobile-repeaters-disrupting-mobile-phone-signal/6287256>.

[91] Roy Want, ‘Near Field Communication’ (2011) 10(3) Institute of Electrical and Electronics Engineers Pervasive Computing 4, 4.

[92] Devanshi, Sunil Agrawal and Sarvjit Singh (n 88). See generally Jaap C Haartsen and Ericsson Radio Systems BV, ‘The Bluetooth Radio System’ (2000) 7(1) Institute of Electrical and Electronics Engineers Personal Communications 28, 34; Jacopo Tosi et al, ‘Performance Evaluation of Bluetooth Low Energy: A Systematic Review’ (2017) 17(12) Sensors 2898.

[93] ‘Bluetooth’, eSafety Commissioner (Web Page) <https://www.esafety.gov.au/women/connecting-safely/bluetooth>.

[94] Jon Gunnar Sponas, ‘Things You Should Know About Bluetooth Range’, Nordic Semiconductor (Blog Post, 7 February 2018) <https://blog.nordicsemi.com/getconnected/things-you-should-know-about-bluetooth-range>.

[95] Carles Gomez, Joaquim Oller and Josep Paradells, ‘Overview and Evaluation of Bluetooth Low Energy: An Emerging Low-Power Wireless Technology’ (2012) 12(9) Sensors 11734, 11735.

[96] The COVIDSafe App sends an alert to its users if they turn Bluetooth off on their mobile phones and requires Internet access to receive data from and transmit data to the central COVIDSafe Data Store. On 19 December 2020, the underlying protocol used by the COVIDSafe App was shifted to the Herald Bluetooth Protocol in an attempt to address some of these failings: ‘COVIDSafe Uses the Herald Protocol to Improve App Performance’, Australian Government Digital Transformation Agency (Web Page, 19 December 2020) <https://www.dta.gov.au/news/covidsafe-uses-herald-protocol-improve-app-performance>.

[97] Medical advice regarding the distance at which a person can be infected by the COVID-19 virus is still evolving, with current Australian government advice suggesting a maximum of 1.5 m: ‘Physical Distancing and How to Avoid COVID-19’, Healthdirect (Web Page, July 2021) <https://www.healthdirect.gov.au/coronavirus-covid-19-how-to-avoid-infection-faqs>.

[98] hanyangtan, ‘OpenTrace Calibration: Trial Methodologies’, GitHub (Web Page, 11 April 2020) <https://github.com/opentrace-community/opentrace-calibration/blob/master/Trial%20Methodologies.md>; Joonyoung Jung, Dongoh Kang and Changseok Bae, ‘Distance Estimation of Smart Device Using Bluetooth’ (Conference Paper, Eighth International Conference on Systems and Network Communications, 2013); Johan Larsson, ‘Distance Estimation and Positioning Based on Bluetooth Low Energy Technology’ (Masters of Science Thesis, KTH Royal Institute of Technology, 2015) 25–9.

[99] Sam Biddle, ‘The Inventors of Bluetooth Say There Could Be Problems Using Their Tech for Coronavirus Contact Tracing’, The Intercept (online, 5 May 2020) <https://theintercept.com/2020/05/05/coronavirus-bluetooth-contact-tracing/>.

[100] Douglas J Leith and Stephen Farrell, ‘Coronavirus Contact Tracing: Evaluating the Potential of Using Bluetooth Received Signal Strength for Proximity Detection’ (2020) 50(4) Computer Communication Review 66, 67 (‘Coronavirus Contact Tracing’). See generally Doug Leith and Stephen Farrell, ‘Testing Apps for COVID-19 Tracing (TACT)’, Testing Apps for COVID-19 Tracing (TACT) (Web Page, 15 April 2021) <https://down.dsg.cs.tcd.ie/tact/>; Qingchuan Zhao et al, ‘On the Accuracy of Measured Proximity of Bluetooth-Based Contact Tracing Apps’ in Noseong Park et al (eds), Security and Privacy in Communication Networks (Springer, 2020) 49.

[101] Leith and Farrell, ‘Coronavirus Contact Tracing’ (n 100).

[102] ‘When the human body covers the mobile phone, the [Bluetooth] signal are weakened’: Yapeng Wang et al, ‘Bluetooth Positioning Using RSSI and Triangulation Methods’ in Institute of Electrical and Electronics Engineers (ed), 2013 IEEE 10th Consumer Communications and Networking Conference (2013) 837, 842.

[103] Ibid.

[104] K Matthew, B Issac and CE Tan, ‘Evaluation of Signal Attenuation for Bluetooth, ZigBee and Sound in Foliage’ (2017) 9(2) Journal of Telecommunication, Electronic and Computer Engineering 43, 48.

[105] Thomas W Rondeau, Mark F D’Souza and Dennis G Sweeney, ‘Residential Microwave Oven Interference on Bluetooth Data Performance’ (2004) 50(3) Institute of Electrical and Electronics Engineers Transactions on Consumer Electronics 856.

[106] hanyangtan (n 98).

[107] Josh Taylor, ‘Covidsafe App Is Not Working Properly on iPhones, Authorities Admit’, The Guardian (online, 6 May 2020) <https://www.theguardian.com/world/2020/may/06/covidsafe-app-is-not-working-properly-on-iphones-authorities-admit>.

[108] Josh Taylor, ‘Covidsafe App Overhaul Compensates for “Handshakes” Only Connecting 27% of the Time on Some iPhones’, The Guardian (online, 18 August 2020) <https://www.theguardian.com/australia-news/2020/aug/18/covidsafe-overhaul-improves-app-but-it-still-works-only-27-of-the-time-on-some-apple-mobiles>.

[109] Jane Norman, ‘Deputy CMO Urges Australians to Download and Activate Coronavirus Contact-Tracing App Following Updates’, ABC News (online, 9 August 2020) <https://www.abc.net.au/news/2020-08-09/australians-encouraged-to-activate-covidsafe-coronvirus-app/12539494>; Paul Garrett and Simon Dennis, ‘Australia Has All but Abandoned the COVIDSafe App In Favour of QR Codes (So Make Sure You Check In)’, The Conversation (online, 1 June 2021) <https://theconversation.com/australia-has-all-but-abandoned-the-covidsafe-app-in-favour-of-qr-codes-so-make-sure-you-check-in-161880>.

[110] Braithwaite et al (n 43) 609, 618.

[111] Leith and Farrell, ‘Coronavirus Contact Tracing’ (n 100) 10.

[112] Senate Select Committee on COVID-19, Parliament of Australia, First Interim Report (Report, December 2020) 43.

[113] Maddocks (n 45) 17–29.

[114] ‘[T]o ensure the privacy of individuals and integrity of the overall system, the code that relates to the National COVIDSafe Information Storage System will not be released’: Digital Transformation Agency (n 7).

[115] Jung, Kang and Bae (n 98).

[116] Contact Tracing Amendment 2020 (Cth) ss 94ZA, 94ZB.

[117] Falk (n 71). The second report from the Privacy Commissioner due in May 2021 was published on 17 June 2021: Angelene Falk, COVIDSafe Report November 2020–May 2021 (Report, 17 June 2021).

[118] As of 28 June 2020, the COVIDSafe App had not detected a single person infected with the COVID-19 virus: Ben Grubb, ‘“Dishonest”: COVIDSafe App Has Not Detected a Case Despite 6 Million Downloads’, Sydney Morning Herald (online, 28 June 2020) <https://www.smh.com.au/politics/federal/dishonest-covidsafe-app-has-not-detected-a-case-despite-6-million-downloads-20200627-p556s7.html>. By 2 August 2020, reports indicated that the COVIDSafe App had identified two people who subsequently tested positive for the COVID-19 virus: Allie Godfrey, ‘COVIDsafe App Actually Found NSW Coronavirus Cases’, 7News (online, 2 August 2020) <https://7news.com.au/news/public-health/covid-safe-app-actually-found-nsw-coronavirus-cases-c-1210745>. By December 2020, 17 cases had been detected in NSW through the COVIDSafe App who had not been detected by manual contact tracers (out of approximately 2000 locally acquired cases – or ~0.85% of known infected persons in that state): First Interim Report (n 112) xii.

[119] Bret Walker, Report of the Special Commission of Inquiry into the Ruby Princess (Report, 14 August 2020).

[120] Terry Sim, ‘Victorian Red Meat Processor COVID-19 Restrictions Stay in Force’, Beef Central (online, 7 September 2020) <https://www.beefcentral.com/processing/victorian-red-meat-processor-covid-19-restrictions-stay-in-force/>.

[121] Anne Connolly, ‘Coronavirus Is Devastating the Aged Care Sector, and It All Feels Shockingly Familiar’, ABC News (online, 25 August 2020) <https://www.abc.net.au/news/2020-08-25/coronavirus-aged-care-australia-crisis-feels-shockingly-familiar/12592178>.

[122] Cameron Houston, ‘Wealthy Couple Return from Skiing with Coronavirus Then Do Not Self-Isolate’, The Age (online, 25 March 2020) <https://www.theage.com.au/national/victoria/wealthy-couple-return-from-skiing-with-coronavirus-then-do-not-self-isolate-20200325-p54du5.html>.

[123] Richard V Reeves and Jonathan Rothwell, ‘Class and COVID: How the Less Affluent Face Double Risks’, Brookings Institution (Memo, 27 March 2020) <https://www.brookings.edu/blog/up-front/2020/03/27/class-and-covid-how-the-less-affluent-face-double-risks/>.

[124] Duncan Hughes, ‘Prestige Seaside Holiday Homes Defy COVID-19 Gloom’, Australian Financial Review (online, 11 July 2020) <https://www.afr.com/property/residential/prestige-seaside-holiday-homes-defy-covid-19-gloom-20200709-p55aic>.

[125] Jasmine Kerrissey and Clare Hammonds, ‘Low-Wage Essential Workers Get Less Protection Against Coronavirus: And Less Information About How It Spreads’, The Conversation (online, 3 June 2020) <https://theconversation.com/low-wage-essential-workers-get-less-protection-against-coronavirus-and-less-information-about-how-it-spreads-138076>.

[126] Trevor Hughes, ‘Poor, Essential and on the Bus: Coronavirus Is Putting Public Transportation Riders at Risk’, USA Today (online, 14 April 2020) <https://www.usatoday.com/story/news/nation/2020/04/14/public-transportation-users-risk-coronavirus-spreads-across-us/2979779001/>.

[127] Geoffrey Anderson et al, ‘Using Socioeconomics to Counter Health Disparities Arising from the COVID-19 Pandemic’ (2020) 369 British Medical Journal m2149:1–4, 3.

[128] Margaret Douglas et al, ‘Mitigating the Wider Health Effects of COVID-19 Pandemic Response’ (2020) 369 British Medical Journal m1557:1–6, 2.

[129] Barry Popkin et al, ‘Individuals with Obesity and COVID-19: A Global Perspective on the Epidemiology and Biological Relationships’ (2020) 21(11) Obesity Reviews 13128:1–17, 2.

[130] Stanton A Glantz, ‘Reduce Your Risk of Serious Lung Disease Caused by Corona Virus by Quitting Smoking and Vaping’, Center for Tobacco Control Research and Education (Blog Post, 11 August 2020) <https://tobacco.ucsf.edu/reduce-your-risk-serious-lung-disease-caused-corona-virus-quitting-smoking-and-vaping>.

[131] ‘People with Certain Medical Conditions’, Centers for Disease Control and Prevention (Web Page, 20 August 2021) <https://www.cdc.gov/coronavirus/2019-ncov/need-extra-precautions/people-with-medical-conditions.html>.

[132] Ibid.

[133] Ben Schneiders and Royce Millar, ‘A City Divided: COVID-19 Finds a Weakness in Melbourne’s Social Fault Lines’, The Age (online, 8 August 2020) <https://www.theage.com.au/national/victoria/a-city-divided-covid-19-finds-a-weakness-in-melbourne-s-social-fault-lines-20200807-p55ji2.html>; Jordan Baker and Matt Wade, ‘A Tale of Two Sydneys: “We’re in the Same Storm, but Different Boats”’, Sydney Morning Herald (online, 15 August 2021) <https://www.smh.com.au/national/nsw/a-tale-of-two-sydneys-we-re-in-the-same-storm-but-different-boats-20210813-p58ifz.html>; Josh Nicholas, ‘Most Disadvantaged Areas of Sydney Suffer Twice as Many Covid Cases as Rest of City’, The Guardian (online, 4 August 2021) <https://www.theguardian.com/news/datablog/2021/aug/04/most-disadvantaged-areas-of-sydney-suffer-twice-as-many-covid-cases-as-rest-of-city>.

[134] Schneiders and Millar (n 133).

[135] Julie Power et al, ‘Concerns for Churchgoers Amid Growing Western Sydney Coronavirus Cluster’, Sydney Morning Herald (online, 25 July 2020) <https://www.smh.com.au/politics/nsw/concerns-for-churchgoers-amid-growing-western-sydney-coronavirus-cluster-20200725-p55fef.html>.

[136] Doug Hendrie, ‘School COVID Clusters Are Rare: So What Can We Learn from the Al-Taqwa Outbreak?’, Royal Australian College of General Practitioners (Web Page, 5 August 2020) <https://www1.racgp.org.au/newsgp/clinical/school-covid-clusters-are-rare-so-what-can-we-lear>; Michael Atkin and Amelia Ballinger, ‘Al-Taqwa Coronavirus Outbreak Raises Questions About Schools’ Safety During Pandemic’, ABC News (online, 14 July 2020) <https://www.abc.net.au/news/2020-07-14/al-taqwa-coronavirus-outbreak-schools-reopening-questioned/12452266>.

[137] Whilst the term ‘digital divide’ is commonly attributed to the ‘Falling Through the Net: Defining the Digital Divide’ survey report released in 1995 by the US Department of Commerce National Telecommunications and Information Administration, Gunkel identified evidence that the term pre-dated that report, possibly having been coined in 1995 by two Los Angeles Times newspaper reporters, Jonathan Webber and Amy Harmon: David J Gunkel, ‘Second Thoughts: Toward a Critique of the Digital Divide’ (2003) 5(4) New Media and Society 499, 501. See also, Martin Hilbert, ‘The End Justifies the Definition: The Manifold Outlooks on the Digital Divide and Their Practical Usefulness for Policy-Making’ (2011) 35(8) Telecommunications Policy 715; Dmitry Epstein, Erik C Nisbet and Tarleton Gillespie, ‘Who’s Responsible for the Digital Divide: Public Perceptions and Policy Implications’ (2011) 27(2) Information Society 92; Jan AGM Van Dijk, ‘Digital Divide Research, Achievements and Shortcomings’ (2006) 34 Poetics 221.

[138] Telstra, Measuring Australia’s Digital Divide: The Australian Digital Inclusion Index 2019 (Report, 17 September 2019) 5–7.

[139] Kyle Taylor and Laura Silver, Smartphone Ownership Is Growing Rapidly around the World, but Not Always Equally (Research Report, 5 February 2019) 3.

[140] Ibid. Six per cent of Australians did not own a mobile phone in 2018, whilst another 13% owned a mobile phone which was not a smartphone. Installing the COVIDSafe App requires its users to own a mobile phone running a relatively modern Android or iPhone-based operating system (ie a smartphone). When initially launched, the COVIDSafe App required smart phones using the Android 6.0 operating system. However, subsequent updates (v3.0+) to that App have enabled it to be installed on smart phones using the Android 5.1 (or newer) operating system: Digital Transformation Agency, COVIDSafe: Cryptography Specification (Report, 2020) 1.

[141] See generally Efrat Shadmi et al, ‘Health Equity and COVID-19: Global Perspectives’ (2020) 19 International Journal for Equity in Health 104:1–16, 2.

[142] ‘The app itself is only available in English, which may affect uptake among Australians who don’t speak it’: Fergus Halliday, ‘COVIDSafe Explained: Everything You Need to Know About the Australian Government’s Coronavirus App’, PC World (Web Page) <https://www.pcworld.idg.com.au/article/678801/covidsafe-explained-everything-need-know-about-australian-government-coronavirus-app/>.

[143] ‘COVIDSafe App: Help Topics’, Australian Government (Web Page) <https://www.covidsafe.gov.au/help-topics.html#other-languages>.

[144] See generally Richard Cornes and Todd Sandler, The Theory of Externalities, Public Goods and Club Goods (Cambridge University Press, 1996).

[145] David Dagon, Tom Martin and Thad Starner, ‘Mobile Phones as Computing Devices: The Viruses Are Coming!’ (2004) 3(4) Pervasive Computing 11, 11–12.

[146] ‘COVID-19: Cyber Security Tips When Working from Home’, Australian Cyber Security Centre (Web Page, 14 April 2020) <https://www.cyber.gov.au/acsc/view-all-content/advisories/covid-19-cyber-security-tips-when-working-home>.

[147] ‘COVIDSafe’, GitHub (Web Page, 2021) <https://github.com/AU-COVIDSafe>.

[148] Ariel Bogle, ‘COVIDSafe Coronavirus Contact-Tracing App Faces Software Bugs and Lingering iPhone Issues’, ABC News (online, 1 May 2020) <https://www.abc.net.au/news/science/2020-05-01/covidsafe-contact-tracing-app-rollout-issues-iphone-wifi-bugs/12202876>; vteague (Vanessa Teague), ‘Why GAEN Exposure Information Should be Shuffled Relative to Diagnosis Keys’, GitHub (Web Page, 19 December 2020) <https://github.com/vteague/contactTracing>. See generally ‘Jim Mussared’, Twitter (Web Page) <https://twitter.com/jim_mussared?lang=en>.

[149] ‘At launch there was no process for the community to report serious issues, nor has there been any management of issue disclosure’: vteague (Vanessa Teague), ‘Contact Tracing’, GitHub (Web Page, 9 August 2020) <https://github.com/vteague/contactTracing/blob/master/blog/2020-07-07IssueSummary.md>.

[150] ‘“I would love if there was an easy reporting mechanism ... and an official bug bounty program would be very wise”’: Bogle (n 148).

[151] vteague (Vanessa Teague), ‘COVIDSafe Issues Found by the Tech Community’, GitHub (Web Page, 28 October 2020) <https://web.archive.org/web/20201130063500/https://github.com/vteague/contactTracing/blob/master/blog/2020-07-07IssueSummary.md>.

[152] ‘CVE-2020-12717 Detail’, NIST: National Vulnerability Database (Web Page, 21 July 2021) <https://nvd.nist.gov/vuln/detail/CVE-2020-12717>.

[153] ‘CVE-2020-12856 Detail’, NIST: National Vulnerability Database (Web Page, 20 May 2020) <https://nvd.nist.gov/vuln/detail/CVE-2020-12856>.

[154] ‘CVE-2020-12857 Detail’, NIST: National Vulnerability Database (Web Page, 21 July 2021) <https://nvd.nist.gov/vuln/detail/CVE-2020-12857>.

[155] ‘CVE-2020-12858 Detail’, NIST: National Vulnerability Database (Web Page, 21 July 2021) <https://nvd.nist.gov/vuln/detail/CVE-2020-12858>.

[156] ‘CVE-2020-12859 Detail’, NIST: National Vulnerability Database (Web Page, 20 May 2020) <https://nvd.nist.gov/vuln/detail/CVE-2020-12859>.

[157] ‘CVE-2020-12860 Detail’, NIST: National Vulnerability Database (Web Page, 21 July 2021) <https://nvd.nist.gov/vuln/detail/CVE-2020-12860>.

[158] ‘CVE-2020-14292 Detail’, NIST: National Vulnerability Database (Web Page, 21 July 2021) <https://nvd.nist.gov/vuln/detail/CVE-2020-14292>. This vulnerability was still being analysed at the time of writing this article.

[159] @DiabetesAus (Diabetes Australia) (Twitter, 30 April 2020, 11:31am AEST) <https://twitter.com/DiabetesAus/status/1255671094800871426>.

[160] Chanel Zagon, ‘Melbourne Woman Feared She Had Coronavirus After Confusing App Message’, 9News (online, 28 April 2020) <https://www.9news.com.au/national/covidsafe-app-melbourne-woman-feared-coronavirus-after-confusing-message/e9146501-6bbd-4509-b89a-406b2b98ed2a>.

[161] nu11secur1ty, ‘Android Bluetooth Remote Denial of Service’, Packet Storm Security (Web Page, 25 March 2020) <https://packetstormsecurity.com/files/156891/Android-Bluetooth-Remote-Denial-Of-Service.html>; ‘CVE-2020-0022’, NIST: National Vulnerability Database (Web Page, 13 May 2020) <https://nvd.nist.gov/vuln/detail/CVE-2020-0022>. See flaw 9: vteague (n 151).

[162] Pierluigi Paganini, ‘BLURtooth Flaw Allows Attacking Bluetooth Encryption Process’, Security Affairs (Web Page, 10 September 2020) <https://securityaffairs.co/wordpress/108096/hacking/blurtooth-bluetooth-attack.html>; ‘Bluetooth SIG Statement Regarding the Exploiting Cross-Transport Key Derivation in Bluetooth Classic and Bluetooth Low Energy Vulnerability (BLURtooth) and the Security Implications of Key Conversion between BR/EDR and BLE Vulnerabilities’, Bluetooth (Web Page, 2021) <https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/>.

[163] ‘Vulnerability Details: CVE-2019-9506’, CVE Details (Web Page, 28 August 2019) <https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2019-9506>.

[164] Madison Oliver, ‘Bluetooth Devices Supporting LE and Specific BR/EDR Implementations Are Vulnerable to Method Confusion Attacks: Vulnerability Note VU#534195’, Carnegie Mellon University (Web Page, 26 May 2020) <https://www.kb.cert.org/vuls/id/534195>.

[165] Ibid; Madison Oliver, ‘Bluetooth Devices Supporting BR/EDR Are Vulnerable to Impersonation Attacks: Vulnerability Note VU#647177’, Carnegie Mellon University (Web Page, 10 February 2021) <https://www.kb.cert.org/vuls/id/647177>.

[166] Madison Oliver, ‘Bluetooth BR/EDR Supported Devices Are Vulnerable to Key Negotiation Attacks: Vulnerability Note VU#918987’, Carnegie Mellon University (Web Page, 14 August 2019) <https://www.kb.cert.org/vuls/id/918987>.

[167] Garret Wassermann, ‘Bluetooth Implementations May Not Sufficiently Validate Elliptic Curve Parameters During Diffie-Hellman Key Exchange: Vulnerability Note VU#304725’, Carnegie Mellon University (Web Page, 23 July 2018) <https://www.kb.cert.org/vuls/id/304725>.

[168] Installing the COVIDSafe App requires devices to have at least the Android 5.1 operating system: ‘Help Topics’, Australian Government (Web Page) <https://web.archive.org/web/20201022022710/https://www.covidsafe.gov.au/help-topics.html>.

[169] Ibid.

[170] Jesse Emspack, ‘When Does an Old Smartphone Become Unsafe to Use?’, TomsGuide (online, 26 May 2021) <https://www.tomsguide.com/us/old-phones-unsafe,news-24846.html>; Adamya Sharma, ‘Here Are All the Samsung Devices Eligible for Three Major Android Updates’, Android Authority (online, 10 May 2021) <https://www.androidauthority.com/samsung-android-updates-1148888/>.

[171] Deloitte, Mobile Consumer Survey 2019 (Report, 2019) 9.

[172] Jason Bay et al, BlueTrace: A Privacy-Preserving Protocol for Community-Driven Contact Tracing Across Borders (Report, 4 September 2020) 9.

[173] Samuel Chenoweth, Using Mobile Platforms for Sensitive Government Business (Report, January 2013) 9; Australian Cyber Security Centre, ‘Australian Government Information Security Manual’ (Guidelines, September 2021) 25, 50–1.

[174] Australian Cyber Security Centre, ‘Australian Government Information Security Manual’ (Guidelines, April 2019) 3.

[175] John Padgette et al, Guide to Bluetooth Security (Special Publication No 800-121, May 2017) 41–9.

[176] ‘Bluetooth’, eSafety Commissioner (Web Page) <https://www.esafety.gov.au/women/connecting-safely/bluetooth>.

[177] Luca Carettoni, Claudio Merloni and Stefano Zanero, ‘Studying Bluetooth Malware Propagation: The BlueBag Project’ (2007) 5(2) Institute of Electrical & Electronics Engineers Security & Privacy 17, 18–19.

[178] In the interests of security, I will not include direct links to these illicit offerings. Researchers can find them using the Tor Browser, a VPN, and Tor search engines such as Kilos or Candle. Do so at your own risk.

[179] Jai Vijayan, ‘Korea APT Adds Rare Bluetooth Device-Harvester Tool’, DARKReading (Web Page, 14 May 2019) <https://www.darkreading.com/attacks-breaches/korean-apt-adds-rare-bluetooth-device-harvester-tool/d/d-id/1334699>.

[180] ‘COVID-19 Malicious Cyber Activity’, Australian Cyber Security Centre (Web Page, 22 May 2020) <https://www.cyber.gov.au/threats/threat-update-covid-19-malicious-cyber-activity>; Australian Competition & Consumer Commission, ‘Scammers Targeting Superannuation in COVID-19 Crisis’ (Media Release No 66/20, 6 April 2020) <https://www.accc.gov.au/media-release/scammers-targeting-superannuation-in-covid-19-crisis>.

[181] See, eg, Mark Burdon and Brydon Wang, ‘Implementing COVIDSafe: The Role of Trustworthiness and Information Privacy Law’ (2021) 3(1) Law, Technology and Humans 35; Nicholas Biddle et al, Data Trust and Data Privacy in the COVID-19 Period (Research Report, 30 July 2020); Roba Abbas and Katina Michael, ‘COVID-19 Contact Trace Apps Deployments: Learnings from Australia and Singapore’ (2020) 9(5) Institute of Electrical and Electronics Engineers Consumer Electronics Magazine 65; Rae Thomas et al, ‘Concerns and Misconceptions about the Australian Government’s COVIDSafe App: Cross-Sectional Survey Study’ (2020) 6(4) Journal of Medical Internet Research Public Health and Surveillance 1; Samantha Floreani, ‘Navigating the COVIDSafe App Rhetoric’ (2020) 30(10) Eureka Street 33; Adam Lodders and Jeannie Marie Paterson, ‘Scrutinising COVIDSafe: Frameworks for Evaluating Digital Contact Tracing Technologies’ (2020) 45(3) Alternative Law Journal 153; David Watts, ‘COVIDSafe, Australia’s Digital Contact Tracing App: The Legal Issues’ (Working Paper, 3 May 2020) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3591622>; Ruoxi Sun et al, Vetting Security and Privacy of Global COVID-19 Contact Tracing Applications (Research Report, June 2020); Graham Greenleaf and Katharine Kemp, ‘Australia’s COVIDSafe Experiment, Phase III: Legislation for Trust in Contact Tracing’ [2020] University of New South Wales Law Research Series 24 (‘Australia’s COVIDSafe Experiment’); Annelies Moens, ‘COVIDSafe App: Are You Sitting on the Fence?’, Privcore (Web Page, 4 May 2020) <https://www.privcore.com/covidsafe-app>.

[182] ‘Senate Select Committee on COVID-19’, Parliament of Australia (Web Page) <https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/COVID-19/COVID19>; ‘Inquiry into the Implications of the COVID-19 Pandemic for Australia’s Foreign Affairs’, Parliament of Australia (Web Page, 2020) <https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Foreign_Affairs_Defence_and_Trade/FADTandglobalpandemic>.

[183] Greenleaf and Kemp, ‘Australia’s COVIDSafe Experiment’ (n 181) 39.

[184] Ibid 33.

[185] ‘Privacy Policy’, Westfield (Web Page, 1 December 2020) <https://www.westfield.com.au/privacy-policy>.

[186] ‘Privacy Policy’, Aldi (Web Page, 2021) <https://www.aldi.com.au/en/privacy-policy/>.

[187] ‘Privacy’, Sydney Airport (Web Page) cl 10 <https://www.sydneyairport.com.au/info-sheet/privacy>.

[188] In 2018, the average Australian had installed more than 100 apps onto their smart phone: App Annie, The State of Mobile 2019 (Report, 2019) 13.

[189] Michael Grothaus, ‘Use These 11 Critical iPhone Privacy and Security Settings Right Now’, Fast Company (Web Page, 18 February 2020) <https://www.fastcompany.com/90254589/use-these-11-critical-iphone-privacy-and-security-settings-right-now>.

[190] Alex Angove-Plumb, ‘How to Control Your App Permissions’, Choice Australia (Web Page, 3 December 2019) <https://www.choice.com.au/electronics-and-technology/internet/internet-privacy-and-safety/articles/how-to-control-app-permissions>.

[191] Lauren Goode, ‘App Permissions Don’t Tell Us Nearly Enough About Our Apps’, Wired (online, 14 April 2018) <https://www.wired.com/story/app-permissions/>. See generally Joel Reardon et al, ‘50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System’ (2019) 44(4) Login 11, 12–13.

[192] Michael Kwet, ‘In Stores, Secret Surveillance Tracks Your Every Move’, New York Times (online, 14 June 2019) <https://www.nytimes.com/interactive/2019/06/14/opinion/bluetooth-wireless-tracking-privacy.html>. See also Hadi Givehchian et al, ‘Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices’ in Institute of Electrical and Electronics Engineers (ed), 2022 IEEE Symposium on Security and Privacy: Conference Proceedings (forthcoming) 507, 520.

[193] ‘Get Started with Beacons’, Nearby (Web Page, 6 November 2017) <https://developers.google.com/nearby/notifications/get-started>; Mike B, ‘What Is the Google MyBusiness Beacon’ (YouTube, 21 September 2018) <https://www.youtube.com/watch?v=tm2Qr0e_JV8>.

[194] Logan Merrick, ‘5 Powerful Australian Examples of Beacon Technology in App Development’, Buzinga (Web Page, 21 June 2016) <https://www.buzinga.com.au/buzz/5-powerful-examples-beacon-technology-app-development/>; ‘New Bluetooth Low Energy (BLE) Innovation Lab and Showroom to Open in the Gold Coast Airport Precinct’, Intechnology (Web Page, 23 September 2019) <https://www.intechnology.com.au/2019/09/23/ble-lab-opens-gold-coast-australia/>.

[195] Whilst section 6C(1) of the Privacy Act excludes small business operators from the category of organisations bound by the Act’s obligations to protect privacy, the larger stores and supermarket chains which have implemented Bluetooth beacon infrastructure are likely to have turnover of at least AUD3 million per year (and therefore be bound by section 15 to comply with the thirteen Australian Privacy Principles (‘APP’) set out in schedule 1 of that Act). However, despite the privacy protections on collection, use and disclosure of personal information found throughout APPs 1 to 13, APP 6.2(e) permits the disclosure of personal information collected by an organisation to the police as long as the entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, that enforcement body. APP 6.5 requires only that the organisation keep written records of its decision to make such a disclosure.

[196] Lawrence Lessig, Code and Other Laws of Cyberspace (Basic Books, 1st ed, 1999). For a useful summation of Lessig’s arguments, see Viktor Mayer-Schonberger, ‘Demystifying Lessig’ (2008) 4 Wisconsin Law Review 713.

[197] James Grimmelmann, ‘Regulation by Software’ [2005] YaleLawJl 31; (2005) 114(7) Yale Law Journal 1719, 1726.

[198] See, eg, Mayer-Schonberger (n 196); Grimmelmann (n 197); Tim Wu, ‘When Code Isn’t Law’ (2003) 89(4) Virginia Law Review 679; R Polk Wagner, ‘On Software Regulation’ (2005) 78(2) Southern California Law Review 457.

[199] Grimmelmann (n 197) 1728.

[200] Ibid 1732–44.

[201] Mayer-Schonberger (n 196) 723–4.

[202] For an early Australian analysis of technology regulation by architecture (including discussion of examples), see Graham Greenleaf, ‘An Endnote on Regulating Cyberspace: Architecture vs Law?’ [1998] UNSWLawJl 52; (1998) 21(2) University of New South Wales Law Journal 593.

[203] Karen Yeung, ‘“Hypernudge”: Big Data as a Mode of Regulation by Design’ (2017) 20(1) Information, Communication and Society 118; Julia Black, ‘Learning from Regulatory Disasters’ (Sir Frank Holmes Memorial Lecture, Victoria University, April 2014); Stuart Shapiro and John Morrall, ‘Does Haste Make Waste? How Long Does It Take to Do a Good Regulatory Impact Analysis?’ (2013) 48(3) Administration and Society 367.

[204] The Open Systems Interconnection Model (‘OSI Model’) for computer networking consists of seven layers, each of which is designed to operate independently of the other layers. The first (lowest) layer is the physical layer (copper wires, optical fibres, radio waves, etc) through which information is transmitted. The seventh (highest) layer is the application layer, which consists of the software that computer users interact with (such as an internet browser, word processor, video editing software, etc). Humans are sometimes (jokingly) referred to as the eighth layer in the OSI Model: ‘What is the OSI Model?’, Cloudflare (Web Page, 2021) <https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/>; ‘The Bluetooth Protocol Stack’, O’Reilly (Web Page, 2021) <https://www.oreilly.com/library/view/from-gsm-to/9780470978221/c07_level1_4.xhtml>.

[205] Walid M Taha, Abd-Elhamid M Taha and Johan Thunberg, Cyber-Physical Systems: A Model-Based Approach (Springer, 2021) 3; Edward A Lee, Cyber Physical Systems: Design Challenges (Technical Report No UCB/EECS-2008-8, 23 January 2008) 1.

[206] First Interim Report (n 112) 42.

[207] ‘The Problem with a Lean Startup: The Minimum Viable Product’, Paul Kortman (Blog Post, 21 November 2012) <http://paulkortman.com/2012/11/21/the-problem-with-a-lean-startup-the-minimum-viable-product/>.

[208] Eduard Fosch-Villaronga and Christopher Millard, ‘Cloud Robotics Law and Regulation: Challenges in the Governance of Complex and Dynamic Cyber-Physical Ecosystems’ (2019) 119 Robotics and Autonomous Systems 77, 84–5.

[209] Garrett and Dennis (n 109).

[210] Shapiro and Morrall (n 203) 376–8.

[211] Peter Carroll, ‘Rethinking Regulation: An Assessment of the Report of the Taskforce’ (Conference Paper, Australasian Political Studies Association Conference, 25–7 September 2006) 2.

[212] Department of the Prime Minister and Cabinet, ‘Australian Government Guide to Regulatory Impact Analysis’ (Guide, 30 March 2020).

[213] Department of the Prime Minister and Cabinet, ‘Cost-Benefit Analysis’ (Guidance Note, 30 March 2020).

[214] Ibid 1.

[215] Explanatory Memorandum, Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth) 4–7.

[216] See, eg, Lexy Hamilton-Smith, ‘Coronavirus Threat Prompts Health Emergency Laws to be Rushed through Queensland Parliament’, ABC News (online, 4 February 2020) <https://www.abc.net.au/news/2020-02-04/qld-coronavirus-threat-health-emergency-laws-rushed-parliament/11925566>.

[217] Whilst the Office of the Australian Information Commissioner prepared one report, the Health Minister’s reports appear to be delayed: Denham Sadler, ‘Govt Report on COVIDSafe App Long Overdue’, InnovationAus (online, 28 April 2021) <https://www.innovationaus.com/govt-report-on-covidsafe-app-long-overdue/>.

[218] Dick (n 4).

[219] Report on COVIDSafe (n 71) 7.

[220] Ibid.

[221] Only 7,418,328 registrations of the COVIDSafe App had occurred by 15 May 2021. That a registration has occurred does not mean that a person is actively using the App: ibid 10.

[222] Melissa Coade, ‘NSW to Introduce Customer Cards for COVID Check-Ins’, The Mandarin (online, 11 August 2021) <https://www.themandarin.com.au/165479-nsw-to-introduce-customer-cards-for-covid-check-ins/>.

[223] Craig Timberg et al, ‘Cellphone Apps Designed to Track COVID-19 Spread Struggle Worldwide Amid Privacy Concerns’, The Washington Post (online, 18 August 2020) <https://www.washingtonpost.com/technology/2020/08/17/covid-tracking-apps-cellphones/>.

[224] Baker and Wade (n 133).


URL: http://www.austlii.edu.au/au/journals/UNSWLawJl/2021/53.html