Why our privacy experts downloaded COVIDSafe the day it came out

Daltrey’s Managing Director, Blair Crawford, on the things you should ask yourself before downloading any application.

Since the Australian government launched the COVIDSafe app in a bid to automate coronavirus contact tracing, the identity and privacy teams here at Daltrey have been inundated with questions from clients, partners, friends and family. What personal data is being collected? Who can access the data? Should I be worried about who is holding the data? Should I be worried about privacy implications? And, of course, should I download it?

For me, the answer to this last question was yes, and I’ve downloaded COVIDSafe. However, that doesn’t mean I didn’t ask myself a few important questions first.

Too often we are passive about a) what information we are giving up in return for receiving a service and; b) what the intent of the data collection is when we sign up for that service in the first place. You only need look at FaceApp, the app that takes your photo and “ages” it using AI, which went viral despite serious privacy concerns.

Facebook is another classic example. The intent of collecting personal data is so Facebook can send users targeted marketing ads, for commercial gain. In return for providing this data, the user receives the promise of a great social networking experience and other integrated services like Facebook marketplace.

However, intent needs to be assessed continuously and in doing so, we should ask ourselves: is it reasonable for me to provide this data in exchange for the services I receive; or in other words, do I get enough value from this company in exchange for the information I provide to them? This can be fluid – the more data I give you, the more value you need to give me.

Personalised ads is one thing and perhaps Facebook users would say the value they receive from the service justifies the use of their data to send them targeted ads. But what if the intent changes? Or if we find out that we don’t really understand the intent at all? What if our data starts to be used to change the outcome of government elections through hyper-personalised propaganda, or to inform insurance companies of our personal habits so that they can price our health policies accordingly? Perceived value may diminish exponentially at this point.

With COVIDsafe, I’m generally satisfied with the intent as best as I can assess it. That is to say that I believe the app, as it is, is designed to contribute to efforts that will see us return to societal and economic normality. In return for that, I allow the app to deploy contact tracing technology on my phone. For the moment. It’s important to continually assess if there’s any ‘scope creep’ related to privacy, data sharing, data sovereignty, location tracking, and breath of information request. Do we have the right to be forgotten after this is all said and done? We should.  

It’s tempting to see this as an opportunity to get ideological around privacy advocacy. COVIDSafe aside, I think it’s more useful to look at the debate it has fostered as a fantastic opportunity to encourage everyone to assess their approach to personal data security in general. From there we can collectively assess the state of our data exposure – and our vulnerability to exploitation.