Police across the country are attempting to access personal data from mandatory COVID-19 check-in apps for reasons other than contact tracing, despite promises that the data would only be used for public health reasons.
Police in Queensland, Western Australia and Victoria have all owned up to trying to access logs of data created by Australians using check-in applications as part of their investigations, and enquiries by Crikey suggest that police in other states could also access this data using a warrant.
Privacy advocates have slammed state governments for lying to Australians about what the data would be used for.
“We were told this data would only be used for contact tracing. Police made that a lie,” Electronic Frontiers Australia’s Justin Warren told Crikey. “People will remember that next time governments want us to give them data about ourselves.”
One of the major tools in fighting the spread of COVID-19 and managing outbreaks has been contact tracing, which has been aided by various tech solutions.
When the federal government first proposed the contact tracing app COVIDSafe (which used Bluetooth to log close contacts), it responded to fears of a mass surveillance state by announcing the data would not be used by police.
But adoption of a QR code check-in system — the widely used, low-tech alternative now mandatory in many places around the country — was left to states to implement. As it turns out, these states did not assume the same protections for their citizens, meaning that data volunteered in the name of public health has been accessed for other reasons.
The Queensland Police Service (QPS) admitted that it had used a search warrant to access data from the Check In Qld app, after first announcing an operation — the recovery of a stolen police pistol and search for a missing taser taken from a hotel room — with these details left out.
“The firearm was subsequently located … The taser is yet to be located and investigations are ongoing,” a spokesperson said. “The [check-in] data was accessed in relation to a group of people reported to be acting suspiciously in the area around the time of this incident.”
QPS has since created a new policy that directs officers not to apply for a search warrant for check-in data “except in extraordinary circumstances”.
In June, the WA government passed a law mandating that data from the SafeWA app can only be used for contact tracing, after the state’s police refused to agree to stop using the data for investigations. Police had previously accessed it twice for potential witnesses of two high-profile criminal cases. (Data shows usage of the app was unaffected the week after news broke of the police accessing it.)
Later, Victorian Police Minister Danny Pearson defended the police’s right to access the Service Victoria app. The state’s health department and Service Victoria had rejected three “formal requests” but indicated they would comply with a court warrant.
Crikey also contacted police and officials in every other state and territory to find out whether police were able to access check-in data, and whether they had.
A Service NSW spokesperson said that check-in data can only be used for contact tracing and is destroyed after 28 days. NSW Police said that it had not accessed the data.
South Australia Police said it had not accessed any data from the mySA GOV app. SA Health did not respond by deadline but the app’s privacy disclaimer says that the check-in information is “used solely by SA Health for contact tracing purposes”.
Tasmania Police said it had not accessed data from the Check in TAS app. When asked whether the state would share check-in data if the court granted a warrant for its use, a Tasmania Department of Health spokesperson told Crikey that they would “comply with our legal obligations”.
Northern Territory Police directed Crikey to The Territory Check In app’s privacy statement, which says the data will only be used for contact tracing, for technical support and given to third parties “as authorised or required by law”. NT Health did not respond by deadline.
The Australian Federal Police did not respond by deadline to questions about whether it had used Check In CBR data. An ACT spokesperson said that data is only used for contact tracing purposes and in response to legal requests.
“Unless required by a court order, we would not use or disclose information for any other purpose,” they said via email.
Warren fears that use of the data for anything other than contact tracing will undermine the effectiveness of the system, harming our ability to fight COVID-19.
“Many people will refuse, which will undermine all kinds of efforts where we as a society need people to tell the truth,” he said.
“We don’t want people with infectious diseases lying to contact tracers or doctors because they’re afraid the police will listen in and come after them. That’ll just make a lot more people sick.”
Warren called on all governments to immediately pass laws banning police from accessing contact-tracing data, and then to consider broader privacy protections to stop this kind of oversight from happening in the future.
He notes that the current review of the Privacy Act is an opportunity to grant these protections.
“It’s the perfect time to act. Pass the [Australian Law Reform Commission’s] recommendation from 2014 for a tort of serious breach of privacy so we can sue companies and governments when they get it really, badly wrong, and no longer [have to be] reliant on regulators that are too poorly funded to safeguard our privacy for us,” he said.
Should the police have access to our check-in data to assist with their investigations? Let us know your thoughts by writing to letters@crikey.com.au, and don’t forget to include your full name if you’d like to be considered for publication.
I must admit when I heard of this,I stopped using the app for a few days…..until I heard the WA parliament had passed a law to specifically stop this happening. Police seem to have no idea about trust, and the public good!
The bustards won’t get anything on me. My old grumpa flip fone won’t do that scanning stuff.
So your more happy to leave your contact information on a clip board for anyone to access, old school isn’t necessarily safer..
Hi! Lesley.
A good point you make, but out here in Wombatville most people know where I live anyway.
I’ve never seen anyone checking that info. as it is written down. I guess that people who don’t want to be found can swap their first and last names (more or less) and change a digit or 2 in their phone number. Easy enough mistakes to make.
Fortunately, old skool is becoming safer than you might imagine.
It’s quite astonishing the number of young(ish) people who cannot read copperplate or even yer akshal running writing.
I’ve never been happier to have a dumb, 3G phone.
Police and others still don’t seem to understand, although the central state gives itself powers (which are increasing), the power is still limited. Securing public cooperation, getting people to trust one another, is still the most important part of having any kind of healthy society (in every meaning of the word).
Not really sure which of your handle’s songs is most appropriate, “Give a Little Whistle”, “Little Wooden Head” but I’ll plump for “When You Wish upon a Star”!
Your discussion of SA omitted that SA Police attempted to access check-in data late last year, and only failed due to the diligence (bravery?) of staff within SA Health who refused the request.
No legislated changes have occurred since to my knowledge, so nothing is preventing SAPOL succeeding next time.
I thought the information privacy principles stopped the use of government data for purposes other than the purpose for which it was collected.
You would think so, but politics and favours are part of this problem, too many people in law enforcement think they’re entitled to access whatever personal details show up in the Health Department data, and help themselves to what they need, this is where the legal framework needed to be put in place before they rolled the QR coding system out ..
I agree that we already have issues with trust between mainly the Federal government and the general public, because well they have lying as a compulsive way of functioning, no wonder the public is refusing to comply, we have governments saying trust us, we have the medical community working extremely hard to get the whole vaccination situation set up running and we now are way behind the rest of the world due to government incompetence and bungling, this is why people are disinclined to believe what is told to them..
ha, ha,ha… ‘scuz me. I have a bridge for sale, cheep-cheep coz you my speshal frend.