Wednesday, 13 May 2020
Page: 2220

Senator ROBERTS (Queensland) (11:04): As a servant to the people of Queensland and Australia, I have pleasure in saying that One Nation will be supporting the Privacy Amendment (Public Health Contact Information) Bill 2020. That doesn't mean that I will be downloading the app, as I'll explain. But, firstly, I would like to compliment the Attorney-General for the work that went into this bill. When Minister Hunt's regulations came out to accompany the app launch, my office had a number of reservations about the level of security provided on the data. This bill was needed to clear up those issues, and it has done so. I will mention these things in passing, for the benefit of our constituents, and then I will move on to the security risks that the app itself still represents.

I did have a concern that the government was giving bad players an opportunity to access data on the server without detection. There are two aspects to this. There is the app itself and then there is the uploading of data to the server and the storing and the use of that data. So I did have a concern that the government was giving bad players an opportunity to access data on the server without detection. The decision to ask the Office of the National Data Commissioner to overview data storage and access is a wise choice that addresses this concern. We are pleased with that.

I was also worried about Amazon having access to both the client file, which is needed to identify app users, and the data file for COVID-positive users. This in effect gave Amazon access to significant personal information of app users. Let me explain a bit more. The separation now of the key file and the data file itself, under the supervision of the commissioner, is the best way of making sure Amazon and the government keep each other honest. Well done. In other words, we've got Amazon storing the data and the government having the keys. Both are needed. It can't be separate. Not one party can have control.

There is one issue here to do with the cryptography on the unique user IDs. The open-source app that the COVIDSafe app took as a starting point only requires 32-bit encryption. I had hoped the app developers would have taken that up to 128-bit and would ask the commissioner to consider that.

Let me turn to a number of security issues in the app itself that need to be addressed. My office has put out a detailed sheet on this, so let me quickly mention them here and move on. First, the user ID can stick in the phone case, causing a phone to broadcast multiple different user IDs over extended periods of time, which increases the chances of a phone being tracked. Second, the COVIDSafe app overrides phone security settings to use the same handshake address for a phone over the life of the app, instead of changing every few minutes. This is a major security issue in the app. Third, the COVIDSafe app stores the make and model of the other phones it has matched in plain text, where it can be easily read. This approach is not necessary, since this data could easily be tracked when the app is registered, instead of storing it in the phone.

Fourth, if someone has named their phone—such as, in my case, Malcolm's iPhone—under some circumstances, this real name is what the other phone stores. App users who have named their phone with their real name may be exposing themselves to danger. This results from the app using different ways of broadcasting data to maximise the chance of a match. This tells us that the developers have taken a deliberate decision to compromise safety to achieve the most number of matches.

Fifth, data stored to the cloud is not deleted. If a cloud service is used to back up or sync a phone, the COVIDSafe app contact log gets backed up to the cloud. This can be viewed by anyone with a sign-in without the phone user's knowledge. I acknowledge that this bill makes the behaviour illegal, but not storing some of the data in plain English would have been a far better choice.

Sixth, an app running in the background will not match with another app running in the background on an iPhone. Seventh, the app does not meet the government's own standard for app accessibility, WCAG 2.0 A. It fails accessibility tests on font size and field width. Aren't people with a disability the first people that need to get this app? So that was sloppy.

Eighth, errors that were detected early in the release of the app have still not been fixed. Registration fails over wi-fi, which is used in poor reception areas. Bluetooth conflicts with external devices. Power management on an iPhone interferes with the app. Three per cent of older phones cannot use the app. An alert message advising users that they have tested positive for COVID was being accidentally triggered. This was fixed by deleting the message. So, currently, the app can't be used to alert users when they actually do test positive.

I must, however, compliment the government for this sudden concern about security. Where was the concern about people's privacy in this government's capture and use of the metadata of every Australian? This government is storing texts, telephone call details, social media posts, websites visited and website comments for every Australian. At Senate estimates, we discovered that, in 2019, there were 297,000 accesses of the metadata records of everyday Australians by 22 different government agencies. How many of these accesses were accompanied by a warrant? None; not one warrant. I understand this government feels the need to get this app in wide use and is prepared to write good data protection rules to achieve that. So I would ask the government to show it really cares about the privacy of everyday Australians by revisiting the wider issue of government use of private data, because the government's track record on security is poor.

As I've explained, the shortfalls initially in our assessment of the app were to do with data storage and access of that. That has now been resolved, or will be resolved once this privacy bill passes. However, the reverse is the case for the app. We were originally happy with the app, and we now see a number of flaws in it around security issues with regard to people being able to track the phone owner, the phone user, and that is not acceptable.

I also want to make a comment about the blackmail that is being used by the government to push this app. Minister Hunt said, 'You want to go to the footy? Download the app.' We have just heard Senator Bragg saying, 'This is our ticket to freedom.' No, it's not. There are far more effective tickets to freedom. The Australian people have already shown a highly responsible approach to managing this COVID virus. We need to stop the blackmail, stop the control that is pushed over us, and we need to get back to the freedoms that are inherent in being everyday Australians. Part of our birthright, part of the citizenry that we have, is that we are entitled to rights and freedoms. When we have permission from a government to do something, that is not a freedom. That is the reverse, because it is being withheld until the permission is granted. We need to rely upon the trustworthiness, the competence and the sense of responsibility of everyday Australians right around the country.

Let me summarise by saying that this bill is necessary, and that is why One Nation will be supporting it. It is welcome. Secondly, the app is not up to scratch, and that's why I won't be downloading it. Thirdly, we need to get back to freedom properly.