Tim Watts (Gellibrand, Australian Labor Party, Shadow Assistant Minister for Communications) Share this | Hansard source

I'm pleased to have the opportunity to speak on the Privacy Amendment (Public Health Contact Information) Bill. We all have a role to play in our nation's fight against the COVID-19 pandemic, and I'm pleased that for this week at least parliamentarians are being allowed to do their job in this place, providing representation for our communities and accountability and scrutiny of the government. If footy players are getting back on the training pitch, we can certainly do our job in this chamber. On the whole, the bill before the House today is a good one. The bill provides an enduring legislative framework for the protection of information collected by the government's new COVIDSafe tracing app. In many ways the privacy protections included in this bill are, to use a word of our times, 'unprecedented' in Australian law. These protections are important not only for delivering on the substantive privacy outcomes but also for boosting public confidence and helping increase the take-up of this app.

Labor has worked constructively with the government on amendments to further strengthen these privacy protections and I thank the shadow Attorney-General for his work as well as other members of the Labor side, including the members for Chifley, Hoffman, Maribyrnong and the shadow health minister. I also thank the government for their constructive and cooperative approach in this regard. The result is a bill that will provide the strongest privacy protections for any data ever collected in Australia. The way that Labor has constructively worked with the government on this bill reflects our support for the idea of a contact-tracing app to assist our public health experts in the next stage of our response to COVID-19.

Many Australians—around five million people, or 20 per cent of the general population—have also shown their willingness to do their bit to support this endeavour, by downloading the app to their phones. The government has been able to tap into an enormous wellspring of solidarity and community support in reaching this level of take-up. It is a genuinely impressive response from the Australian community that we should all be proud of. However, the ultimate effectiveness of this app will depend on more than just this initial public response. Those who want this app to succeed should be clear-eyed about these challenges. We need to understand the app's limitations so that the government can continue to improve it and so that the public can adapt its behaviour to take its limitations into account.

The first thing that's important for everyone to understand is that the COVIDSafe app's objective is to protect the community, not the individual. The contact tracing enabled by the COVIDSafe app is designed to stop the spread of COVID-19 throughout the community, making us all, collectively, safer. But the public must understand that installing this app will not provide any form of individual protection to you. It's not a prophylactic; it's not individually preventative. It is misleading to describe this app as being 'like sunscreen'. That might be effective as a sales job to drive downloads, but it is misleading when it comes to the COVIDSafe app's individual health benefits. Unfortunately, there is an emerging misconception amongst some in the community that the app does provide some form of personal protection or, say, a warning if COVID-19 infected people are nearby. It doesn't, and it's important that people who have installed the app do not behave as if it does.

If people think installing the app is a licence to engage in risky behaviour, it will undermine the work of the public health officials that we are trying to assist here today. Even if you have installed the app, you still need to carefully follow the medical advice of our health experts in your state or territory on social distancing. The second challenge for the effectiveness of this app that needs to be confronted is its performance limitations. The COVIDSafe app is not a silver bullet for contact tracing. Government, health officials and the general public need to be aware of its technological limitations to guide their behaviour. Unfortunately, a fortnight after the public release of this app, the functionality of the app on iOS devices—nearly half the market—is still unclear.

Troublingly, statements from the government about the way the app works on iOS devices have varied over time. In the hours before the app was launched by the Prime Minister, the government's COVIDSafe information page stated: 'COVIDSafe app needs to be open to work effectively. Keep the app open and notifications on when you're out and about, especially in meetings and public places. Activate the inner power save mode. Flip your unlocked device upside-down or face down while the app is running. This keeps the app open with a dim screen so that it can detect other devices running COVIDSafe app.' But shortly before the Prime Minister's press conference releasing the app this text was altered to: 'Keep COVIDSafe running and notifications on when you're out and about, especially in meetings and public places.' This inconsistent messaging was reflected in statements from government ministers and public servants. On the day of the launch of the app, the Minister for Government Services declared: 'To be effective users should have the app running in the background when they are coming into contact with others. Your phone does not need to be unlocked for the app to work.' Yet, later, the head of the DTA, Randall Brugeaud, hedged and said: 'The quality of bluetooth connectivity for phones that have the app installed running in the foreground is very good but it progressively deteriorates and the quality of the connection is not as good as you get to the point where the phone is locked and the phone is running in the background.'

This was only compounded when these statements about how the app actually works were tested against real-world performance of the app by the Australian tech community. Today the actual effectiveness of the app on iPhones in background mode remains obtuse. It certainly isn't catching all of the potential contacts between locked iPhones or between iPhones where the app is operating in the background. These performance issues have real consequences. The most obvious is its impact on the public health messaging required from the government. Public health messaging shouldn't require citizens to follow GitHub forks to know what to do to use the app the right way. If the app requires users to take actions in order for the app to work effectively, the government messaging needs to make this clear, and it's not just users who need to understand this either. These technical limitations may well have implications for employers too. Mobile device management policies frequently require the automatic locking of devices for corporate phones, including the policies of the Department of Parliamentary Services. This applies to handsets for people in this chamber. Those managing these systems need to understand the impact of these policies on the operation of the app. Public health officials need to understand this too in order to be able to judge the tracing capability available to them through this app for managing further outbreaks.

Epidemiologists studying the transmission dynamics of COVID-19 have sought to model the effects that app based contact tracing could have in helping to contain the epidemic in a country. Epidemiologists at Oxford University have found that around half of COVID-19 transmission occurred before individuals were symptomatic, and they developed a model looking at how contact tracing via an app could help reduce this form of onward transmission. Their modelling tested the impact of a contact tracing app based on a range of assumptions and concluded that if 80 per cent of smartphone users—or 56 per cent of the general population—used the app then it could effectively contain an epidemic in a country. Lower take-up rates of the app would still assist in reducing infection and death rates, though, as well as reducing the prospects of subsequent lockdowns.

Importantly, however, underpinning each of these scenarios in the Oxford University modelling was an assumption:

… 80% of modelled contacts are registered by the app, either for technical reasons, or due to some contacts involving people not carrying their phones. We've seen a range of take-up targets for the number of people downloading the COVIDSafe app floated by members of the government in recent weeks, ranging from the Prime Minister's 40 per cent of the total Australian population, to the Prime Minister's 40 per cent of smartphone users in Australia to the Chief Scientist's target of at least a third of Australians, which was the Chief Medical Officer's target as well. We haven't, however, heard what proportion of potential contacts between apps the government is expecting the current configuration of the app to register. It's a key variable in the modelling. This figure has big consequences.

As Dr Adam Dunn, a biomedical informatics expert at the University of Sydney, explained to the ABC that if 70 per cent of Australians downloaded the app and the app registered all potential contacts, up to half of all theoretical contacts would be caught by the app—50 per cent effectiveness. In contrast, if 40 per cent of the population downloaded the app but only half of the potential digital handshakes between downloaded apps were completed then only four per cent of potential contacts—fewer than one-in-20 contacts—would be caught by the app. This is why the effectiveness of the app the government has designed in registering contacts matters.

We should be clear that the reduced effectiveness of the COVIDSafe app on iOS devices is the result of a design decision taken by government—specifically its decision not to wait for the new Google-Apple API for contact tracing. The Prime Minister's decision to move away from his initial, complete rejection of the need to use the Google-Apple API for this app, stated in mid-April, is welcome. But it's now important that the government prioritises incorporating the Google-Apple API iOS integration as soon as possible to maximise the number of potential contacts caught. Once this new version is released, we'll also need a new public information campaign to encourage people to update the app to catch the 10 to 20 per cent of users who don't regularly update the apps on their phones. This app could play an important role in helping us move beyond the current coronavirus restrictions, so it's important that the government gets its implementation right.

Finally, I want to make a few comments on this bill from the perspective of my cybersecurity portfolio. The provisions in this bill and the government's overall approach to this app highlight an ongoing philosophical problem in the government's approach to security. For this government, security seems to be founded on secrecy and obscurity. They won't be accountable to the parliament about the cybersecurity posture of Commonwealth entities, because they believe talking about the security posture is a security risk, as though adversaries rely on Senate estimates for vulnerability scanning. They respond to good-faith reports of security issues by threatening the employment of academic researchers and seeking to make independent security research a crime. They gag security researchers with views that scare them from speaking at government security conferences. They instinctively overclassify, creating needless obstacles to cybersecurity threat intelligence sharing and genuine engagement with the private sector stakeholders. Security doesn't work this way.

Transparency doesn't create security threats; it reveals them. Security vulnerabilities continue to exist whether you talk about them or not. Accountability doesn't undermine security; it strengthens it by identifying problems and creating incentives to fix them. The broader technology and security communities aren't a threat to be managed; they're an opportunity to be engaged.

While the process that the government has pursued in the development and release of this app has offered more transparency than is usual from the government in this space, it's still fallen short of that seen in peer nations. I want to thank Vanessa Teague for her diligent work in compiling international comparisons of government transparency and accountability in this respect.

It wasn't until two weeks after the public launch that the government released the source code for the iOS and Android versions of the app. In comparison, both the UK and Singapore released the source code for their apps either before the launch or at the time of the launch. The Australian government has stated that it will not be releasing the source code for the national COVIDSafe server supporting the app. In contrast, Singapore has released a source code for both the app and the server.

Both Singapore and the UK released white papers explaining the security and encryption decisions made in the implementation of the app at length. The UK has published a detailed paper from the technical director of the National Cyber Security Centre. We haven't seen anywhere near the same security transparency from the Australian bodies who have reviewed the app. We're told that it received the thumbs up, but there isn't anything detailed that external researchers can engage in to validate this. We don't know, for example, why the COVIDSafe design team chose to rotate handset encrypted IDs every two hours instead of every 15 minutes or why they chose to obtain only a single new temporary ID from an essential server at a time. Contrary to the recommendation in a traced together white paper is that daily batches are downloaded, leaving handsets without a new ID if they're outside internet coverage.

Finally, there's no vulnerability disclosure process for this app. Members of the Australian tech community—public interest technologists—who want this app to succeed have donated countless hours to analysing the code of the COVIDSafe app, looking for bugs and vulnerabilities, and they have found issues with both the security and the performance of the app. While on the whole, most researchers believe that the bugs and vulnerabilities they've found would not have dissuaded them from downloading the app given the potential public benefits, it would be better for these unintended privacy issues to be remedied. As one researcher, Jim Mussared, put it:

Don't Panic! Users are advised to be aware of these issues but in most cases might reasonably conclude that they are not significant enough to warrant not using the app.

I still have the app installed, and will continue to do so. I support the COVIDSafe application and want to see lives saved, but, at the same time, it's very important to me that these privacy issues are addressed. But, when Jim disclosed security issues via the public-facing email address for the app, as well as via emails to the DTA, ASD, ACSC and the Cyber Security CRC, he received no response to his issues for eight days. It was only when the issue began to attract media attention that he received a one-line acknowledgement via email. An update to the app released the day that he received this response did not address the issue that he had raised.

At a minimum, a functioning vulnerability disclosure process should set expectations for how an organisation will engage with outside reports of vulnerabilities and bugs and subsequently respond. An email address that operates as a black hole is not a vulnerability disclosure process. The best technology companies in the world seek external feedback. They operate with these vulnerable disclosure processes. The US military does this. The UK government has a government-wide vulnerability disclosure platform operated by HackerOne, and Australia should follow suit.

We shouldn't exaggerate the impact. Vulnerability disclosure processes and their extension bug bounty programs are supplements to good security practice, not replacements for it, but we've already seen the value that an extra set of eyes can offer to improving the security and performance of this app, and the government should avail itself of it. All of us in this chamber, all of us in the Australian community and all of us in the Australian technology sector want the government to succeed with this app. The government should listen to those trying to help it in this initiative.

See this speech in context