ITP Techblog

Brought to you by IT Professionals NZ
Menu
« Back to Security & Privacy

Law change being considered over Covid tracing privacy

Peter Griffin, Contributor. 09 February 2021, 9:39 am

The decentralised nature of the NZ Covid Tracer app has largely soothed fears that the government is amassing data on every Kiwi who uses it to scan into a restaurant or business.

But the legal status of the apps isn't as protective as the technical method used in the app to allow the anonymous exchange of data which is then used to track people down if they have entered a location where a Covid case has been confirmed.

That's why Covid-19 Response minister Chris Hipkins has asked his officials for advice on a potential law change that would specify exactly what data collected from the app could be used for. 

Other countries have already raised the ire of privacy advocates for using tracing data for purposes other than fighting Covid-19. In January, Singapore revealed that its TraceTogether app, which is used by around 80 per cent of the population there to check into businesses and their work premises, could also be used in the course of criminal investigations.

That was despite an earlier pledge to citizens that data from the app would only ever be used if someone tested positive for Covid-19 and it was needed to trace close contacts. Early in the New Year, the Singapore Government updated the privacy statement for TraceTogether to clarify that "the Criminal Procedure Code applies to all data under Singapore's jurisdiction" - including data generated by the app.

The Singapore situation

Singapore's foreign affairs minister, Vivian Balakrishnan, also revealed that the TraceTogether app data had been used in at least one criminal investigation - a murder case.

In November, Australia's inspector general for the intelligence community, revealed that data from the country's COVIDSafe app was being gathered "in the course of the lawful collection of other data".

Spy agencies with a warrant to use software tools to hack into the phones of targets could collect everything on the phone - potentially including data held within the app, which includes some personal details about the phone's owner. 

But that is considered to be "incidental" collection of data under Australian law, which is allowed as long as the data is not used. There's no evidence to suggest Australian spy agencies have been using tracing app data in their investigations.

But the cases have sparked Privacy Commissioner John Edwards and Dr Andrew Chen, a researcher at University of Auckland-based Koi Tū: The Centre for Informed Futures, to press the government to rethink how the law applies specifically to Covid tracing efforts.

Chen told the Herald that while the NZ Covid Tracer app was well-designed with encrypted data and a decentralised design where the data stayed on the phone, there was no guarantee that new apps and services would have as robust privacy protections.

"We know that, last year, there were companies that collected personal information from contact tracing and then used it for marketing purposes," he said.

"So it would actually be good to have some rules in place that specifically state data that is collected for the purposes of the Covid-19 pandemic should only be used to respond to it." 

Protections "not complete"

In response to a letter from Chen, Hipkins outlined why he thought the risk of our security and law enforcement agencies using Covid tracing data was low and the threshold for access to it very high. The New Zealand Police told Chen there were no cases of NZ Covid Tracer app data being accessed by the force. 

Still, Hipkins has asked for advice on a law amendment, acknowledging that existing privacy protections "were not complete".

Most countries have managed to dampen down concerns over privacy by adopting the decentralised model for tracing data collection, which is also central to the Bluetooth tracing system developed by Google and Apple.

The UK Government ran into trouble with its initial tracing app, which had a centralised data collection model. By August it had revamped the app to answer privacy concerns and to give users more control over their own data.


Comments

You must be logged in in order to post comments. Log In


Web Development by The Logic Studio