Home quarantine apps spark privacy fears over facial recognition and geolocation technology
Apps used to ensure overseas arrivals are complying with home quarantine requirements as part of Australia’s opening up need stronger privacy protections, technology and human rights groups have told state and federal health ministers.
As Australia starts opening up to the rest of the world again, states are moving to adopt home quarantine as a less expensive alternative to the hotel quarantine system.
South Australia is the only jurisdiction actively trialling home quarantining technology using a government-built app called Home Quarantine SA. The app randomly alerts users to verify their location and send a selfie back to authorities within 15 minutes to prove they are at the home they have registered to quarantine at.
As of Wednesday, 141 people had completed the SA trial, with 171 enrolled. Six had pulled out of the trial – two of whom withdrew due to issues using the app. SA Health said so far there had been 100% compliance with the testing schedule and symptom checking.
The Human Rights Law Centre and Digital Rights Watch have written to the health ministers in each state and territory, as well as the federal health minister, Greg Hunt, expressing concern about the use of facial recognition technology and location information without stronger privacy protections in place.
The groups say using facial recognition technology is “an extreme measure” given human rights organisations globally, including the Australian Human Rights Commission, have called for a moratorium on its use without a strong regulatory framework in place, due to concerns such as racial bias.
“We are concerned that a significant proportion of users of such home quarantine apps may face unreasonable technical barriers to effectively use the tool through no fault of their own,” the letter states. “It is unacceptable to subject individuals to the consequences of not meeting requirements to ‘check in’ if they are unable to do so as a result of the technology exhibiting racial bias.”
The letter also raises concern that although the data is encrypted on submission and stored on an Australian server, information will not be destroyed until “the conclusion of the Covid-19 pandemic unless required for enforcement purposes for any alleged breach of a direction by you under the Emergency Management Act 2004.”
The groups argue there is no reason for the data to be retained longer than the home quarantine period, and it is unknown when the pandemic will be over. There is also concern law enforcement agencies may try to access the data for the investigation of unrelated crimes, similar to attempts to access QR code check-in data.
“Without robust and specific protections in place, the information collected by home quarantine apps may later be used for secondary purposes unrelated to public health,” the letter states. “This risks undermining support and compliance, and ultimately compromising the public health response.”
A spokesperson for the South Australian Department of the Premier and Cabinet said the app “collects and uses the minimum amount of personally identifiable information” to enable compliance with the home quarantine requirements.
“The Home Quarantine SA app facial verification technology can be used by people of any age, ethnicity, gender or cognitive ability,” the spokesperson said.
Although the Covidsafe contact tracing app largely proved unhelpful in detecting close contacts during outbreaks in Australia, the groups said the extensive privacy legislation passed to support the app – including limiting access to the data by law enforcement – was something the states should adopt for home quarantine apps.
“The information collected by the home quarantine app, as well as that collected via QR ‘check ins’, is no less sensitive to that which was to be collected by the Covidsafe app,” the Digital Rights Watch program lead, Samantha Floreani, said.
The Human Rights Law Centre senior lawyer Kieran Pender said one measure that should be considered is for all biometric and location verification to be done on the phone itself, rather than being transferred to a government server.
“That would be a more secure approach that would still permit the necessary verification to take place,” he said.
A spokesperson for the federal health minister directed questions about privacy requirements for the apps to the attorney general, Michaelia Cash. A spokesperson for Cash said the home quarantine arrangements were a matter for the states that managed them.
On Tuesday, the South Australian auditor general revealed in a report on the state’s QR code app that the SA Department of the Premier and Cabinet, which is responsible for the app, had retained check-in data beyond the 28 days the government had said the records would be retained.
The records were retained as part of the department’s regular department-wide back-up of data, and DPC advised the auditor general the backups had controls to prevent unauthorised restoration, and if the data was restored, it would automatically delete being over 28 days old.