COVIDSafe – Safety and Tracing – is it possible to have both?

It's too soon to provide a view of the COVIDSafe app via a formal assessment, but the D-HEAL team has some initial thoughts to share.

Written by Associate Professor Paul Cooper and Dieu Nguyen

The Australian Government has released the COVIDSafe contact tracing mobile phone app and is asking the Australian public to download and install it as part of the pathway to reopening core parts of society sooner rather than later.

The Institute for Health Transformation D-HEAL team at Deakin University blogged recently about our work on a framework for evaluation of mobile phone apps.  Although it’s too soon to provide a view of the COVIDSafe app via a formal assessment, the team has some initial thoughts to share.

“A key question for us is whether we are keeping with the medical principle of ‘first do no harm’ as a primary aspect,” says Institute Director Professor Anna Peeters. “Our D-HEAL team considers that harm may ensue if people feel their privacy has not been protected, or that their daily life is impacted negatively by the app, for example, or if they become anxious or concerned.”

Other industry commentators and universities have begun to examine the privacy aspects of the app in depth, so this blog will concentrate on the areas in which the D-HEAL team can add further value to the conversation. 

Our last blog post summarised our initial assessment of 116 COVID apps we had identified by 23 April. This list included three contact tracing apps from overseas for which adequate data were available to run our assessment framework: Aarogya Setu from India, Stop COVID from Georgia, and Trace COVID from the United Arab Emirates. We briefly compared COVIDSafe with these three tracing apps, and found it to be significantly stronger in the domains of Ethics and Privacy, Interoperability, User Experience and Functionality. 

Deakin Health Economics researcher Dieu Nguyen says, “While we are looking forward to comparing COVIDSafe with a wider range of tracer apps from around the world, our preliminary assessment of this convenience sample suggests COVIDSafe compares very favourably with other contact tracing apps in the market.” 

D-HEAL member Associate Professor Paul Cooper, a Fellow of the Australasian Institute of Digital Health (AIDH), worked with a small team of industry colleagues and AIDH members to prepare a draft list of nine guiding principles which have gone to members for consultation. A/Prof Cooper provided these draft principles to the D-HEAL team for consideration as to how the COVIDSafe app stacks up.  Team leader A/Prof Martin Hensher explains that it does pretty well overall, but there are some areas the team would like to see rapidly addressed:

1. Communication transparency – OK. While there has been good specific, purposeful communication with the public, with full disclosure about what the app is for, there has not been a full publicly available description of how it works and how it is designed. Nor is it clear as yet how it will be governed (e.g. to prevent further changes which might potentially erode some privacy aspects). A/Prof Hensher says, “There needs to be clearer governance with independent auditing.”

2. Safe user-friendly design – OK. The D-HEAL team notes that the design is easy enough to use, but since it is not clear how it was designed, the team were not able to assess how well safety-by-design concepts were used to ensure it is inherently robust, safe and secure. The team notes that an independent body determining design integrity, safety and usability to be fit-for-purpose is required for long-term public trust to be maintained. In addition, A/Prof Cooper notes, “The app should have been designed for multi-lingual support, which we hope will soon be rectified. Some cities, such as Melbourne, are highly diverse and it is less than ideal to only have an English language version.” The D-HEAL team also notes that another aspect of concern is that some older phones drain battery more rapidly with Bluetooth turned on (which is required for the app to work) and this may create “flat battery anxiety” for people who are already stressed with COVID worry. The team notes that this issue may apply more for older versions of phones which use earlier Bluetooth standards.

3. Minimum data collection and specific scope – OK. There have been statements that data collected is to be the absolute minimum required for effective COVID-19 contact tracing, and that scope creep beyond the emergency needs of the COVID-19 pandemic response will be unlawful. However, that legislation has not yet been enacted and concerns have been raised about whether the data held in the Australian instance of the Amazon Web Services cloud could still be legally accessed from within the USA by US law enforcement agencies. The Government has promised to close any loophole it finds remains after using the Biosecurity Act as a base, but again this requires legislation.

4. Data security – INDICATIVE EXCELLENT. The Government has stated that data will be stored and shared on secure servers located in Australia that meet the standards set by the Australian Signals Directorate. The data is encrypted on each device and is claimed to not be accessible other than through the authorised pathway of user consent to have the data uploaded to the secure data store. D-HEAL is pleased that pseudonyms can be used and that data is claimed to be deleted on a rolling 21 days basis. It should be noted that the team is not able to assess the data security aspects without access to the system design, so currently relies on the Government’s statements.

5. Opt-in and end date – GOOD. The D-HEAL team is pleased to note that use of the app is optional and that it prompts frequently for on-going permissions for use and upload. “An end date has not been set, but the user is in control of deleting the app so this shouldn’t be a concern,” notes A/Prof Hensher.

6. User control – VERY GOOD. The user has a high degree of visibility of the app being run and can delete it, and the data stored, at any time. “The user cannot view details of what data has been recorded, which would have provided more transparency,” notes A/Prof Cooper.

7. Anonymity assurance – INDICATIVE EXCELLENT. It has been stated (but the D-HEAL team cannot currently verify) that state-of-the-art de-identification and encryption technologies were used to ensure current and on-going privacy and confidentiality of user details.

8. Usage rights – INDICATIVE EXCELLENT. Subject to legislation, the Commonwealth has made it clear that COVIDSafe contact tracing data are accessible only by State and Territory Health Departments. No other agency or third party may have access to this data. As noted, though, this legislation has not yet been passed.

9. Legal protection – INDICATIVE EXCELLENT. There have been positive statements about legislated penalties and fines for any breach of the privacy guidelines, through data misuse or unauthorised access, modification or impairment. Again, this remains subject to the final legislation.

The COVIDSafe app is only one part of the contact tracing process, and it would be foolish for any of us to think that by mere mass usage of the app we will not have to worry about COVID-19. A great discussion of the complexities of contact tracing can be found here

The virus will be with us for a while yet, but for now, subject to some of the issues we and the AIDH have raised, we think COVIDSafe is an app that can help Australians, and whose likely benefits outweigh any possible harms.