Data collected to promote public health must never be surrendered to police

Column Five years ago I visited Shanghai, to see what the future might look like. I came back wondering how the rest of us had missed QR codes.

In Shanghai every billboard, poster, and newspaper advertisement bore QR codes, all linking off to their respective web sites. It felt simultaneously old-fashioned (QR codes had been around for years, but never taken off anywhere else) and startlingly new — a QR code makes an excellent partner to a smartphone’s camera. I returned home to Australia and a life without QR codes, where we relied on humans typing away at tiny glass keyboards to enter data.

COVID-19 changed all of that.

Well into the second year of the COVID-19 pandemic, here in Australia we’ve become used to scanning a QR code almost every time we enter a local café, grocery store, or university classroom. Point the app at the QR code, and you’re in.

Or, rather, point the right app. Each of Australia’s states has its own check-in app and, as restrictions lifted and I began to travel, my smartphone grew a bit congested with all of them.

Each app demanded a fair bit of personal data (name, address, phone number) in the service of public health. If I had been exposed to someone infectious with COVID-19, public health officials would soon know how to find me and notify me that I must isolate, to reduce the potential for further spread of infection.

It all seems like a very good idea, and appears to work far better than the invisible-and-always-active Bluetooth proximity detection touted by Apple and Google during the pandemic’s earliest days. (The Australian Government tried a variation not based on the Apple/Google technology.) Although theoretically ideal, especially from a privacy perspective, that technology never really did the job — resulting in only a very few detections in Australia. We’ve fallen back to a human-centred approach, requiring people to check in as they move through the world — creating a breadcrumb trail that contact tracers can access, should they have the need.

• The best time to plant a tree is 20 years ago. The best time to build a semiconductor foundry is 5 years ago
• Blessed are the cryptographers, labelling them criminal enablers is just foolish
• Harassers and bullies succeed in tech because silence is encouraged
• A Code War has replaced The Cold War. And right now we’re losing it

That we track ourselves willingly shows us just how far our feelings about privacy have been transformed by the pandemic. Something that not long ago would have been considered government overreach and an intrusion into our lives — inspiring a fair bit of public debate last year — has become normalised and accepted as part of the price of safety in uncertain times. Yet within that agreement between ourselves and the state lay another bargain — unspoken, but acknowledged — that the data collected could only be used to protect public health.

Meanwhile, the treasure trove of individual tracking data (matched only by all the data hoovered up by every Android device everywhere in the world) grew and grew and grew until it became an absolutely irresistible honeypot. Not for hackers, as you might expect — but for police.

In the last month we’ve seen legislators in Western Australia suddenly find the need to pass laws to restrict police access to QR code data — because WA Police did access the data in order to help them solve a murder. A week later, we learned that police in another Australian State, Victoria, had tried to access QR code data three times in December 2020. In that case, the police were refused access by state government departments. But at present no laws protect Victorians against such an abuse of their freely offered tracking data — just in case.

In Singapore, the government reminded citizens that while it had said data from its contact-tracing apps would only be used for health purposes, other laws overrode that statement.

Singaporean culture permitted that reversal. But in other nations, if people know that their data can be used against them they will not freely offer it up.

Only where that data comes with the absolute assurance of safety will people feel secure enough to provide it. Yes, the police have their own priorities around public safety, but in any contest between policing power and public health, the police must never — under any circumstances — get a look in. It would not take much of an abuse to cause the public to lose faith in the current regime of QR code check-in apps completely. Once that trust collapses, the job for contact tracers becomes infinitely more difficult, while the threat to public health grows exponentially.

We need to draw the line. Every government, everywhere, that offers a check-in app must agree — in law — that our freely provided data can only be used for public health. No exceptions. Without that legislation in place, abuses will occur, leading the public to grow increasingly uncomfortable — and non-compliant. That could quickly land us in a very dark place: the very opposite of the safety and security for which we all have worked so hard. ®