Australia’s Government and Its Digital Leash: Surveillance, TraceTogether, and Data Privacy Concerns

By Ava McKinneyOnline Safety

Australia’s Government and Its Digital Leash

Background: The Five Eyes Alliance

The “Five Eyes” alliance originated from an intelligence-sharing pact during the Cold War, known as the UKUSA Agreement. Initially, it was an agreement between the United States and the United Kingdom to exchange intelligence, primarily to decode Soviet and Russian communications. By the late 1950s, Canada, Australia, and New Zealand had joined, forming the Five Eyes alliance as we know it today. Over time, intelligence sharing among these five English-speaking countries only grew stronger, expanding into monitoring online activities.

For many years, this agreement was a closely guarded secret. Its existence became public knowledge only in 2003, and the full extent of its operations was revealed in 2013 when Edward Snowden leaked documents he obtained while working as an NSA contractor. These documents exposed large-scale government surveillance of citizens’ online activities and showed that the international intelligence-sharing network was even broader than previously thought.

What the Government Came Up With

The government of Western Australia granted itself the authority to install surveillance devices in people’s homes or require individuals to wear them, to ensure that those who needed to be isolated during the coronavirus crisis would not interact with the local population.

Mark McGowan, the governor of Western Australia, stated that these measures would apply to those ordered to self-isolate but who failed to comply with authorities. The law enabling this regime was passed on March 31, 2020, after very brief debate. It’s called the Emergency Management Amendment (COVID-19 Response) Act 2020. The law outlines the surveillance regime and gives the Emergency Coordinator the power to mandate the use of monitoring devices.

If the Emergency Coordinator makes such a decision, they have the authority to:

  • Require a person to wear a government-approved electronic device.
  • Require the installation of government-approved surveillance equipment at the person’s residence, or, if they have no fixed address, at any other location specified by an official.
  • Issue any other orders necessary for proper monitoring of the individual.

Attempts to damage, disable, or interfere with these government-issued devices, or refusal to comply with authorized officials, can result in up to one year in prison or a fine of 12,000 Australian dollars (about 7,400 US dollars).

Journalists from various outlets have asked the Western Australian government for details about the devices to be used, but have not received any answers.

How the TraceTogether App Works

Instead of reinventing the wheel, Australia adopted Singapore’s TraceTogether app, which uses Bluetooth to log contact with other people. The Australian government liked Singapore’s solution, and Singapore kindly shared the source code. However, Australia decided to modify it further.

Bluetooth Improvements

Like the original TraceTogether, the Australian contact tracing app uses Bluetooth to detect when two people with the app installed are within 1.5 meters of each other for 15 minutes or more. The app does this by exchanging encrypted unique identifiers, which are stored on the user’s device for 21 days.

The Australian government calculated that for the app to be effective, 40% of the population would need to install it. Multiple government representatives assured the public that the government would not collect citizens’ information, would not have access to the data, and that no one would be tracking them. They also promised that the data would never leave the user’s phone. But, as usual, things didn’t go as planned…

Data Storage with Amazon

Tech companies raised concerns when it was revealed that the Australian government had signed a data storage contract with Amazon. Journalists discovered that this was a limited tender, conducted only by invitation from the Department of Home Affairs, which is primarily responsible for border protection and national security.

Partnering with Amazon could also mean that Australian data might be accessed by US law enforcement under the 2018 CLOUD Act, which allows US authorities to obtain information held by US-registered companies, regardless of where the data is stored.

And the “cherry on top”: the government plans to store the decryption keys in the same cloud as the data itself. 🤦🏻‍♂️

Database key management will be handled through Amazon Web Services’ Key Management System (KMS).

Leave a Reply