Police across the country are attempting to access personal data from mandatory COVID-19 check-in apps for reasons other than contact tracing, despite promises that the data would only be used for public health reasons.
Police in Queensland, Western Australia and Victoria have all owned up to trying to access logs of data created by Australians using check-in applications as part of their investigations, and enquiries by Crikey suggest that police in other states could also access this data using a warrant.
Privacy advocates have slammed state governments for lying to Australians about what the data would be used for.
“We were told this data would only be used for contact tracing. Police made that a lie,” Electronic Frontiers Australia’s Justin Warren told Crikey. “People will remember that next time governments want us to give them data about ourselves.”
One of the major tools in fighting the spread of COVID-19 and managing outbreaks has been contact tracing, which has been aided by various tech solutions.
When the federal government first proposed the contact tracing app COVIDSafe (which used Bluetooth to log close contacts), it responded to fears of a mass surveillance state by announcing the data would not be used by police.
But adoption of a QR code check-in system — the widely used, low-tech alternative now mandatory in many places around the country — was left to states to implement. As it turns out, these states did not assume the same protections for their citizens, meaning that data volunteered in the name of public health has been accessed for other reasons.
The Queensland Police Service (QPS) admitted that it had used a search warrant to access data from the Check In Qld app, after first announcing an operation — the recovery of a stolen police pistol and search for a missing taser taken from a hotel room — with these details left out.
“The firearm was subsequently located … The taser is yet to be located and investigations are ongoing,” a spokesperson said. “The [check-in] data was accessed in relation to a group of people reported to be acting suspiciously in the area around the time of this incident.”
QPS has since created a new policy that directs officers not to apply for a search warrant for check-in data “except in extraordinary circumstances”.
In June, the WA government passed a law mandating that data from the SafeWA app can only be used for contact tracing, after the state’s police refused to agree to stop using the data for investigations. Police had previously accessed it twice for potential witnesses of two high-profile criminal cases. (Data shows usage of the app was unaffected the week after news broke of the police accessing it.)
Later, Victorian Police Minister Danny Pearson defended the police’s right to access the Service Victoria app. The state’s health department and Service Victoria had rejected three “formal requests” but indicated they would comply with a court warrant.
Crikey also contacted police and officials in every other state and territory to find out whether police were able to access check-in data, and whether they had.
A Service NSW spokesperson said that check-in data can only be used for contact tracing and is destroyed after 28 days. NSW Police said that it had not accessed the data.
South Australia Police said it had not accessed any data from the mySA GOV app. SA Health did not respond by deadline but the app’s privacy disclaimer says that the check-in information is “used solely by SA Health for contact tracing purposes”.
Tasmania Police said it had not accessed data from the Check in TAS app. When asked whether the state would share check-in data if the court granted a warrant for its use, a Tasmania Department of Health spokesperson told Crikey that they would “comply with our legal obligations”.
Northern Territory Police directed Crikey to The Territory Check In app’s privacy statement, which says the data will only be used for contact tracing, for technical support and given to third parties “as authorised or required by law”. NT Health did not respond by deadline.
The Australian Federal Police did not respond by deadline to questions about whether it had used Check In CBR data. An ACT spokesperson said that data is only used for contact tracing purposes and in response to legal requests.
“Unless required by a court order, we would not use or disclose information for any other purpose,” they said via email.
Warren fears that use of the data for anything other than contact tracing will undermine the effectiveness of the system, harming our ability to fight COVID-19.
“Many people will refuse, which will undermine all kinds of efforts where we as a society need people to tell the truth,” he said.
“We don’t want people with infectious diseases lying to contact tracers or doctors because they’re afraid the police will listen in and come after them. That’ll just make a lot more people sick.”
Warren called on all governments to immediately pass laws banning police from accessing contact-tracing data, and then to consider broader privacy protections to stop this kind of oversight from happening in the future.
He notes that the current review of the Privacy Act is an opportunity to grant these protections.
“It’s the perfect time to act. Pass the [Australian Law Reform Commission’s] recommendation from 2014 for a tort of serious breach of privacy so we can sue companies and governments when they get it really, badly wrong, and no longer [have to be] reliant on regulators that are too poorly funded to safeguard our privacy for us,” he said.