COVIDSafe and lessons from the Access Card


Marie Johnson
Contributor

The ANU Cyber Institute is providing independent thought leadership and commentary on government overreach and methods regarding large scale data collection and the implications for democracy and civil society.

Similarly, Salinger Privacy recently published a detailed and I believe balanced analysis of the pros and cons of the COVIDSafe app.

I would encourage people to read the Salinger Privacy analysis and the ANU Cyber Institute commentary before deciding whether or not to download the app, or to delete it – which might not be so simple.

The focus by many in the tech world and government is on the app – not the complex human, physical and social context in which it operates.

Marie Johnson
Marie Johnson: Important lessons from the Access Card era

There is no apparent Concept of Operations for the COVIDSafe app. In my opinion, this is a greater deficit than the ‘technical’ design or the robustness of the source code.

The Concept of Operations (ConOps) approach can be tailored for many purposes and is an approach variously used in the military and in complex systems environments – ‘systems’ being used in the broad sense of the word.

ConOps describes critical aspects such as purpose, mission, objectives, the broader environment and a comprehensive perspective of the human element (demographic, other attributes).

ConOps was used extensively during Access Card and there is much to be learned and applied in the case of the COVIDSafe app.

A clear understanding of purpose is fundamental: at present, the purpose of the COVIDSafe app is not clear. Before people get overly excited about this statement, there needs to be an understanding of the options – form follows function.

The failure by the Government to implement a privacy preserving alternative model, known as the DP-3T protocol – without at least considering it and explaining design decisions, suggests there is a particular and different intended purpose to the COVIDSafe model.

The COVIDSafe model involves a central data store as part of its operations.

In the Access Card example, it was argued that the purpose was clear. But the proposed function would have other effects.

The Access Card system central database was a problematic construct, especially when detailed policy and operational work was done on what was called “the card-in-use”. But at least civil society had the opportunity to formally challenge and interrogate policy, legislation and design.

The lack of an apparent approach to ConOps in the case of the COVIDSafe app goes to the heart of governance and authority. This population wide app was released untested onto the population and without the rigour of a peer review process, let alone an engagement with civil society.

The rushed implementation of this app will harm people. Robodebt harmed people. This app does not operate “neutrally”. Central to the governance and concept of operations, is an independent ethics oversight that should have veto over design.

The problem with a lack of clarity about purpose is that it is incredibly difficult if not impossible for function to be defined and for function creep to be controlled. Also, without a clear statement of purpose, it is also very difficult if not impossible to safely draft legislation.

Legislation can always be changed and repealed, interpreted and subject to ministerial discretion. The Access Card draft legislation had embedded in the legislation statements about what the Access Card was not – that is, it is not an identity card.

But the intended operations of the Access Card effectively made it an identity card by default.

The draft Access Card legislation also had the design, architecture and data elements described in detail in an effort to assuage concerns about function creep and privacy.

The arguments from civil society was that this could not provide any assurance or controls over the actions of a current or future government, or the actions of a “bad” government.

Legislation cannot overcome flawed design or lack of clarity about purpose – this is why governance and engagement with civil society is critical and why informed choice is central to trust.

Similarly, an end-date strategy does not provide definitive assurance as to future or on-going use. End-dates can always be extended, and are.

Certainly during the Access Card program, there were plans to change the end date of Medicare cards to streamline the phasing-in of the Access Card, as this would replace Medicare cards.

What is the governance for determining what functionality, data, meta-data is actually covered by end-date strategy – and what survives?

Other questions which go to the heart of Concept of Operations include: How is the app updated and what is the governance for this? Progressive iterative updates can lead to function creep, progressively changing the purpose of the app. What is the governance to ensure traceability and transparency to original purpose? What is the control framework for policy changes?

Given the lack of clarity about the functioning of the COVIDSafe app on the iPhone, what are the assurances that the operations of the app won’t breach the terms and conditions of my banking app? Who provides these assurances?

During the Access Card program there was extensive engagement with the financial services sector, including operators of point-of-sale (POS) terminals.

This was critical, because the Access Card was to operate nationally across the POS network and there needed to be assurance regarding security and interoperability, given these systems and networks involve messaging and data exchange.

What is the COVIDSafe concept of operations for the protection of minors and vulnerable people? There would be people under the age of 18 years able to download and register? If so, what is the consent process? How are alerts appropriately communicated to minors and vulnerable people? How are minors / vulnerable people actually protected against scams and abuse?

Whilst there are motherhood statements made regarding UX, there is an absence of Human Rights design. This is not just about a pretty interface. The purpose, design and Concept of Operations of this system must enshrine Human Rights, inclusive of the UN Convention on the Rights of Persons with Disability (UNCRPD), the protection of vulnerable people, minors, and people who are illiterate.

Human Rights design is essential to facilitate choice, the concept of informed consent and human agency. All people must be given real choice to make decisions independently.

During the Access Card program, there was extensive work done on the ‘card-in-use’ across the Australian population, and in particular, in relation to minors, vulnerable people, and complex domestic situations.

In addition, there was the Access Card Consumer and Privacy Task Force, an independent group led by Professor Alan Fells which independently commissioned and examined in detail “consumer” and “privacy” issues across Australian civil society.

Will employers start requiring staff to have the app, as part of their Occupational Health and Safety arrangements?

These complex real-world scenarios need to be planned for and incorporated into the Concept of Operations.

One of the unintended consequences we are now seeing, is a narrative regarding the ‘common good’, that sacrifices need to be made. I find this a disturbing narrative. What sacrifices and by whom? Legislation of a flawed design after the fact provides no protection.

There is a duty of care in a democracy for vulnerable people to be supported to make informed decisions: this is not the same thing as a ‘Team Australia’ marketing campaign championed by influential vested interests.

And in a vibrant democracy, differing views and debate enrich and protect society. This changed the policy regarding Australia’s participation in the Vietnam War. And resulted in the Access Card program being terminated.

Historically, the advocacy of Australian civil society – everyday people, not the technology glitterati – resulted in the establishment of the National Disability Insurance Scheme.

These “extraordinary times” is not a license to discard rigour in order to move quickly. Ethics and Human Rights cannot be after thoughts or ignored. We wouldn’t discard rigour in the development of a vaccine, notwithstanding the urgency.

COVIDSafe is more than just another app – it changes the relationship between the citizen and the state. There is an imperative to engage deeply and inclusively with civil society about options necessary to build trust and resilience for the long term.

Marie Johnson was the Chief Technology Architect of the Health and Human Services Access Card program; formerly Microsoft World Wide Executive Director Public Services and eGovernment; and former Head of the NDIS Technology Authority. Marie is an inaugural member of the ANU Cyber Institute Advisory Board.

Do you know more? Contact James Riley via Email.

Leave a Comment