Oh really, Harry? Our data is secure in government hands!

One day a rooster, the next day a feather duster!

By LAURIE PATTON | 23 April 2020

So, the Attorney General Christian Porter will ban law enforcement agencies from accessing metadata from the proposed Coronavirus contact tracing app. What, just like he stopped them obtaining people’s web browsing history without a warrant under the data detention scheme?

The Commonwealth Ombudsman has discovered multiple occasions on which telcos unlawfully handed over the URL’s for sites visited by one of their customers.

Not only is there a potential for illegal or inappropriate use of people’s personal information there’s also the prospect of catastrophic accidents. For example, details concerning hundreds of asylum seekers applying for protection visas were inadvertently published on the Federal Court’s website. Or like the debacle, back in March 2013, when ASIC’s well-meaning attempt to block a few shonky online operators  shut down more than 250,000 innocent websites.

I’m not arguing against the innovative use of technology in public administration. Far from it in fact. For example, I’d like to see a virtual parliament rather than none at all. It’s just that we seem to have difficulty avoiding problems when we rush things, even for very good reasons.

As it turns out, making the Coronavirus tracing app work will actually be the Government’s big challenge. Apparently the way it’s being configured isn’t compatible with the 40 percent or so of mobile phones using Apple’s iOS operating system. Sadly, this is what happens when politicians rush to adopt technology-based solutions without doing proper due diligence.

One of my first tasks shortly after joining Internet Australia as its inaugural CEO back in 2014 was to front the Parliamentary Joint Committee on Intelligence and Security. The subject at the time was the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. With IA’s president and the head of the policy committee sitting beside me I boldly told the committee that the Data Retention Bill was “fundamentally flawed” and had clearly been drafted by lawyers who didn’t understand how the Internet actually works.

The Bill had been developed largely in secret with only limited external industry consultation. While we subsequently secured some significant behind-the-scenes amendments the project went ahead against the advice of countless industry experts.

The history of the data retention scheme provides a spectacular case study in how not to introduce complex legislation. It is a classic example of a badly designed law that had been rushed through the parliament in the belief that urgency was justified and would not impede its efficient implementation.

For starters, nobody thought to ask if anyone had a list of the 250 or more ISP’s whose data was required for the scheme to work. In fact there was, and is, no such list. So its effective legitimate use was always questionable simply because so much data isn’t available to our law enforcement agencies.

In the case of the Coronavirus app there are clearly issues we should be concerned about. If the government proceeds with this initiative it will have to persuade close to a majority of mobile phone users to opt in for it to work. To do this they will need to convince us they can defy recent history and build something that actually works, while also convincing us that it is not a Trogan horse that will be used surreptitiously by government agencies for purposes other than those for which it is intended.

POSTSCRIPT.

1. No wonder people are reluctant to trust governments with their data. Private information from Service NSW has been stolen by overseas hackers.

2. Heard a journalist on ABC TV observe that our phones are already providing information to third parties. There’s a big difference between a bot from a retailer guessing what you might like to buy and law enforcement agencies having access to your every movement. As this article notes, even before the app was ready to be deployed it was revealed police wanted to be able get their hands on our location data.

3. And while the PM appeared on TV assuring us our data will be safely held, how the hell would a politician know whether or not an app was secure? And hosting it with a foreign-owned entity, even if the data centre is physically located here is problematic.

4. As this article states: “Such apps could also be used as a tool for mass surveillance beyond the original purpose of COVID-19 contact tracing”.

5. If a Coronavirus tracing app is such a great idea how come there isn’t a globally available version on the market already? You’d think that any one of numerous big tech companies would have developed one by now!

(Laurie Patton is a former CEO / Executive Director of Internet Australia, the NFP peak body representing the interests of Internet users. He is currently Vice President of TelSoc, however the views expressed here are his own.)