Date: 2020-04-20

The federal government's soon-to-be-released coronavirus tracing app has sparked concerns about digital privacy. Here's what we know about how it will work.

The government will launch a voluntary phone app in the next fortnight that will help to track down people who have been in contact with someone carrying COVID-19.

It's part of the government's attempts to improve contact tracing, a key tool used by health authorities to monitor and slow the spread of infection in the community.

At a press conference last week, Prime Minister Scott Morrison said ramped-up tracing is one of three outcomes the government wants to see before considering relaxing social distancing rules.

Currently, contact tracing is conducted by teams of doctors, nurses and state health officials who work to retrace the movements of COVID-19 patients and identify their sources of infection.

Government Minister Stuart Robert said the app will speed up that process "from days to minutes".

"Right now, if you get coronavirus, a lot of very hardworking state officials try and work out who you’ve been in contact with," Robert told the ABC on Monday.

"This app simply digitises that process and speeds it up."

While Robert said the release of the app is "imminent" and contingent on upcoming National Cabinet meetings, a lot of the details are still unknown.

He said the government will release a privacy impact assessment along with the app's source code -- which experts can use to understand its security and privacy implications -- but did not indicate when.

In the meantime, here is what we know -- and what experts say we still need to find out before Aussies download it themselves.

Will The App Be Mandatory?

After conflicting reports and community and political backlash at the notion, Scott Morrison clarified over the weekend that downloading the app will not be compulsory.

Nationals MPs Barnaby Joyce and Llew O'Brien both said they'd refuse to download it, citing privacy concerns, which Morrison moved to allay -- appealing for Australians' "co-operation and support" in using the app to help safeguard community health.

How Will It Work?

As mentioned, we are yet to see the details, but experts understand it will be modelled on an app that was first developed in Singapore last month.

'TraceTogether' has since attracted interest from more than 50 governments across the world.

That app works by using Bluetooth technology, not GPS, to record contact with other people.

Engineering and Information Sciences Professor Katina Michael said when two users who have downloaded the app, and have Bluetooth enabled on their phone, come into close physical proximity -- a few metres -- for a certain length of time, their phones will send one another a "random identifier" that is encrypted on each handset and stored for 21 days.

Simply put, the app saves a list of IDs corresponding to other phones a person has been close to, according to Dr Lewis Mitchell, an expert in Applied Mathematics.

"The contacts are stored as lists of random letters and numbers, not as names or phone numbers," Mitchell said.

Michael said the app then "automates" contact tracing through contact identification, contact listing and follow-up.

"Once someone is confirmed of having COVID-19, their handset is interrogated for the stored physical social network, and corresponding records are decrypted, and individuals on the list notified," Michael said.

What Happens To My Data?

Mitchell said the data stays on a user's phone unless they're diagnosed with COVID-19 or are a close contact of someone who has the virus.

"In that case, and in that case only, your name, age, phone number, and postcode, will be shared with state health authorities, who will call you for a contact tracing interview," Mitchell said.

"Otherwise, your information stays on your phone, and is never shared with anyone."

But Michael said once voluntarily accessed, the data will need to be at least temporarily stored on a third party database.

"Whether that is the health organisation or another government agency, it is not known," Michael said.

On Monday, Robert reiterated the data is "only used for health".

"The data is securely on the app; it only goes to state health officials if you test positive for the virus. No Commonwealth agency sees the data, it’s only used for health and it’s only used to protect you," he said.

So, What Are The Risks?

Several experts have expressed concerns around the online security and privacy of both infected and uninfected users.

Professor Dali Kaarfar, from the Cyber Security Hub at Macquarie University, said while the technology being used to build the app might provide privacy from other users, it does not offer privacy from the central authority collecting and processing the data.

He said even those potentially uninfected users "are no longer in control of their privacy".

"This brings some serious issues with regards to consent and transparency of use of information stored on the local devices and pushed to the server," Kaarfar said.

But Michael said while a person's privacy is "in practice" encroached, this is done "willingly" and is "deemed proportional given the pandemic crisis".

"What the government is trying to achieve in essence is a COVID-19 response app; but we need to be cognisant that privacy, security, trust and safety are embedded into the functional design," Michael said, adding the consultation process has been "lacking".

Rachael Falk is the CEO of the Cyber Security Cooperative Research Centre (CRC), which has been working with the government to review the app. The centre is partly funded by the Commonwealth.

Falk said the centre has begun "scrutinising" the app's source code and that it already passes "early tests" of security and privacy.

But she said more time is needed before the CRC gives the app a final thumbs up.

"We will advise the government whether and how the app can be improved to guard the safety of Australians who use it," Falk said.

How Useful Will It Be?

This depends on how many Australians download the app. The government claims it needs at least 40 per cent of the population to sign up, and is encouraging all Aussies to do so.

But experts have reiterated the app does not reduce transmission of the virus, and cannot replace manual tracing.

Even Jason Bay, the product lead on TraceTogether, claims the app "is not a coronavirus panacea".

"If you ask me whether any Bluetooth contact tracing system deployed or under development, anywhere in the world, is ready to replace manual contact tracing, I will say without qualification that the answer is, No," he wrote in a blog post.

"Not now and, even with the benefit of AI/ML and -- God forbid -- blockchain (throw whatever buzzword you want), not for the foreseeable future."

"There are critical factors that a purely automated system will not have access to. You cannot 'big data' your way out of a 'no data' situation. Period."