Opinion and Commentary

Police use of QR data reinforces privacy concerns

The use of a legal loophole to seize QR data highlights the security and trust issues of a key public health tool requiring individuals to sign in, argues Morry Bailes.


How many times have you heard executive government tell us, as it introduces a particular security measure or limits a particular freedom, that it is only for one purpose?

That data collected will only be used by a single government agency and not others? That if our personal details are surrendered there exists iron-clad guarantees around its use? And above all – as we make sacrifices that invade privacy, that erode our freedoms as citizens, and allow the monitoring of our daily movements – how many times has the justification been given that it is all for the greater good?

So it was that Western Australian Premier Mark McGowan and Health Minister Roger Cook told the Western Australian people that their QR code system, a system similar to that operating in South Australia and other states of Australia, would be encrypted, stored in a secure way, and most importantly would only ever be accessible for the sole purpose of Covid contact tracing, available only to contact tracers for that purpose. Because that is what they said.

But it wasn’t, was it? Grand words by Ministers of the Crown are meaningless without adequate safeguards in law. In evidence of the fact that many state parliamentarians often lack an understanding of the very legislation they pass, Western Australia Police noticed that there were insufficient safeguards to prevent it seeking to seize evidence in a current murder investigation.

That is exactly what they did, and were unapologetic. And why would you apologise, if naive or neglectful parliamentarians enact law for one purpose but leave the gate open, in this case, for evidence to be collected for another: a criminal investigation?

What is wrong with what occurred in WA? Plenty, actually.

First, what confidence does the public now have that as we enter our personal identifying information into the various QR systems around Australia, it will actually be respected and protected? Following the WA ‘balls up’, each jurisdiction was quick to say that there had been no such use of QR personal data in their state. However in the main, that was the extent of the response; that their QR data had not and would not be used for another purpose.

Some responses from the states were by Commissioners of Police and some by Ministers of the Crown. However the mere fact that QR data hasn’t been used for another purpose, and that there is no present intention to use the data for another purpose, doesn’t mean it couldn’t happen.

What if the public pressure to use QR data was too great, say in the event of a terrorism threat or attack? What if police don’t even know it is being used, such as the data being accessed by another agency such as a standing commission against corruption for instance?

In Victoria, the state government admitted that QR data can be accessed for other purposes, but only after application to the courts. Involving the courts is a step up from where WA was, but it will still have the effect of meaning that circumstances exist in which the courts may allow QR data to be used for a purpose other than contact tracing. That can surely only erode public confidence in the system.


So I return to the question: why should the public have confidence in a QR system if it can or may be able to be used for another purpose than just contact tracing? Any seed of doubt in the propriety of QR systems will result in some people attempting to avoid using it, although we are told we are compelled to or receive an on-the-spot fine. In a digression, it would be interesting to see a challenge to such a fine, just to ensure police actually have the power to fine us for non-compliance.

What is more, in two states, Western Australia and Queensland, QR data collected is stored by foreign entities, namely Amazon Web Services and Microsoft Azure Cloud. Both those entities are subject to Australian law but also foreign law. What if the FBI for example sought to access Australian QR information in a U.S. court? Is it really as protected as we are assured it is?

If the confidence of the public is undermined, a system can never ultimately work. Following the WA debacle there must be considerable doubt about the integrity of these QR systems and their consistency.

Second, the idea that we can be cajoled by assurances from our governments to surrender personal information only to discover they are wrong and our private data can in fact be accessed for other purposes, in the case of WA by a law enforcement agency, is to put it mildly an affront to the concept of our rights of privacy. To put it more bluntly, Western Australians were fooled into giving up private information to one agency of government only to discover it could be accessed by another.

In WA there was immediate emergency legislation passed to try to paper over the cracks. But wait, it still gives its citizens’ private data to a foreign multinational data corporation subject, in addition to our law, to that of another foreign nation or nations. So much for notions of privacy and living in a democratic country that seems for all money to have disappearing democratic ideals. Is the only assurance that the data is encrypted, and Australians hold the keys?

Third is the question of the legality of police seizing data in this way and its admissibility in a court of law. Evidence collected can lead to other evidence being collected. Such is the nature of police investigations; one piece of information may lead to another. What then of the derivative use of the QR evidence collected if it leads police to obtain further evidence that but for the QR data seized they would not otherwise have found? There are some potentially significant legal questions around the admissibility of that type of evidence, but that may be for a court to decide on some future day.

What then is the answer before we find another QR system has been compromised and confidence is eroded further? It is the same answer to a great many matters that come before our courts for interpretation and decision; have clear and enforceable law.

What we are told by Ministers, Commissioners of Police and members of executive government about the sanctity of the QR system is all talk if it is not backed by clear law. In NSW that state has tried as best it can to enshrine safeguards in legislation, as has the Commonwealth. So not all states and jurisdictions are in the same boat. However that gives rise to a further consideration.

Depending upon which state or Territory you travel to and which QR system you use in Australia, the law applying to the QR system will be different, the entity that stores the QR data and where it is stored will be different, who holds the decryption keys will be different, and how that data can be used and who may access it may be different. As we attempt to open up our great southern land, the need for consistent, clear and uniform law across all Australian jurisdictions has never been greater.

As to handing over your citizens’ data to a foreign, cloud-based multinational corporation and thinking it all smells of roses, forget it. There can be little doubt that on an application to a foreign court that corporation could be ordered to cough QR data up. Law enforcement in the U.S. for instance can be quite relentless in the pursuit of evidence if it is in their national interest or that of its citizens.

So to Australian leaders, here are the questions we need answering, and here is what we don’t want to hear.

Don’t tell us you have no intention to use QR data for another purpose. Those are just words. Tell us instead what our legislation says, or if you’ve mucked it up, what words you will use to amend it. Tell us where our data is stored and with whom. If there is a third party ICT provider involved, tell us what law the data storage company is subject to. Tell us who holds the keys that unlock the encryption on our personal and private data. Don’t tell us to use a system that you can’t guarantee is 100 per cent safe. And forgive us our doubts because they happen to be warranted after all.

The ultimate question to every government in Australia is that if you are to compel us to hand over private information, what absolute guarantees can you really give that it can only be used for one purpose and one purpose only – that of Covid contact tracing? Because to channel The Who, many Australians right now are thinking, ‘Won’t Get Fooled Again’.

These are serious questions and Australians need answers with absolute certainty. And saying it’s for the greater good won’t cut it. We are private citizens with private rights, so after the WA spectacle, governments will have to convince all 25 million of us, and without delay.

Morry Bailes is Senior Business Advisor to Tindall Gask Bentley Lawyers, past president of the Law Council of Australia and a past president of the Law Society of South Australia

Originally published InDaily 24/06/2021