 My name is Professor Settlers. I'm at the ANU. I'm a project lead of the Humanizing Machine Intelligence Project and I'd like to welcome you all, and I'd like to start by acknowledging that this is National Sorry Day, a day set aside to recognize the injustices suffered by Aboriginal and Torres Strait Islander people at the hands of white settlers and in particular to recognize the Stolen Generations. It's also the third anniversary of the Uluru Statement from the Heart. I'd like to associate myself and the project that I lead with that movement for justice and reconciliation, and I'd like to acknowledge that I'm recording today on Ngunnawal lands and to pay my respects to their elders past, present and emerging. So I'm joined today by Dr Catherine Kemp, Senior Lecturer at UNSW Law, Associate Professor of NSAT, Give Thinking Cybersecurity and the ANU. Dr Mary Shield, Field Epidemiologist from the ANU School of Population Health, and Associate Professor James Wood, an Applied Mathematician from the School of Public Health and Community Medicine at UNSW. They're an inordinately talented bunch with many feathers to their caps, but our time is limited so I'll trust you to read up on their profiles listed in the advertisements for this event. So what's going to happen is I'm going to give an introduction and we're then going to go through a series of questions with the panelists, and our aim is to get through all of those, to cover all of the ground, within an hour. You can put questions in the Q&A as we go along and what we'll do is we'll address them after the hour for those who can stay around. We just didn't think we could get through all the material and then do a separate Q&A. The video of this webinar will be broadcast on the ANU TV YouTube channel as soon as we're able to get it up, and that's all. So okay, let's start by introducing the webinar.
So in the face of the COVID-19 pandemic we know that total elimination of the virus in Australia is most likely impossible and that we can't all remain locked down forever. So there's seemingly no alternative to test, trace, isolate and quarantine, and support. So this approach enables us to target quarantine at those most likely to otherwise spread the virus and so keep the total case load manageable while we wait for a vaccine or else simply learn to live with a new seasonal disease. So contact tracing is a key part of our long-term plan for managing the pandemic. That's nothing new. Appointing disease detectives to track the movement of a virus and try to break chains of transmission is public health 101. But this is one of the first pandemics to occur in the era of the smartphone, when a large proportion of the population of countries like Australia have a device that they take with them practically everywhere, which is capable of both tracking their location and tracking the other devices they come into contact with. Apps like COVIDSafe don't track location. They use Bluetooth to detect when other devices running the app are nearby. They broadcast a unique ID and scan to identify the IDs of other devices, while also sharing details about what make and model of phone they're running on. From this data we can estimate how close the phones were and the duration of their contact. Contact tracers are particularly interested in people who are close contacts of an infected person, i.e. within one and a half meters for 15 minutes or more. So how could this information help contact tracing? So we can now draw a distinction between two different approaches that you might take to using apps to support contact tracing. So let's call the first one app-enhanced traditional contact tracing. So on this approach, if a person with the app tests positive they share their data with the health authority, allowing contact tracers to integrate it into their other research.
The contact tracer can use data from their app to help identify possible close contacts who now need to self-quarantine. In cases of community transmission that data can also help identify from whom that person caught the disease, and in the aggregate the data can help us to track the epidemiology of the disease. So the second approach, which is now enabled by a new update to Apple and Google's operating systems that was rolled out last week, is called exposure notification. So on this approach the goal is primarily to empower people with information that they've been exposed to risk, but it ensures that neither the health authority nor the apparently at-risk person ever knows just which positive test is connected to which contacts. According to the Apple and Google documentation, if a user is notified through their app that they've come into contact with an individual who's positive for COVID-19, then the system will share the day the contact occurred, how long it lasted and the Bluetooth signal strength of the contact. No other information about the contact will be shared, so in particular there will be no way, and it's explicitly precluded, that you should link the person who's been notified of exposure to the particular person who tested positive. So COVIDSafe was obviously launched in haste, when we didn't know how successful our physical distancing measures would be. Without waiting for the Apple and Google framework, some design choices were made that led to some pretty significant functionality, privacy and security vulnerabilities. Some of those were addressed by very quickly passed legislation a couple of weeks ago, and the data that's generated by the app has been called by some the most protected data in Australian history. By the way, I should point out that as someone who's emigrated to Australia and is now an Australian citizen, I keep slipping between saying data and data. Data is the proper way to say it, but there you go.
So others of the flaws have been addressed in some subsequent updates, and if you have the app and you haven't updated it you absolutely should. So still, though, the Australian open source community believes that there's really no way to close the remaining security holes without rewriting the app to use the new Apple and Google architecture, but that wouldn't just be a very significant technical change, it would involve different functionality too. However, at present the app isn't getting a lot of use: community transmission remains low and we're able to trace almost all contacts without using app data. As far as we know, so far there's only been one contact who's actually been traced through using the app. Now that shouldn't be viewed as a failing of the app, it shouldn't be a signal that there's a problem, because it's rather a sign that we're doing pretty well with respect to the virus. The purpose of the app is to help should there be a second wave of infections, but it does mean that we possibly have time to make a big change if we have to. We're effectively at a turning point. We have six million people who've downloaded the app; that's the greatest uptake of such an app so far in any country. So will COVIDSafe switch to the new Apple and Google framework, and so to the new functionality, or will we try and create a workaround, and at the end of the day who's going to decide? So those are the questions that we want to ask. I'm going to switch now to sort of unspotlight my video, if I'm able to figure out how to do that. Okay, cancel spotlight video, and hopefully you're seeing us in gallery view. I'm going to see if I can find, let's see, we still haven't got Vanessa so I'm just going to look for her. Still not there. Okay, so while I'm doing this I'm just going to say, I've got Shelly Adamson from the ANU here with me. Can you find Vanessa's phone number and call her? All right, so we're going to try and proceed, and if we can't get hold of Vanessa then so be it.
So to better understand COVIDSafe and to answer these questions and more, I'm going to call on the panel for their views. One thing I would really appreciate: if you are watching this and you notice that the spotlight isn't following the person who's speaking, please flag that in the Q&A, because from our side we can't tell. At the moment all I can see is that the little yellow highlight is around Catherine. Okay, so what I'm going to do is I'm going to ask first about how contact tracing works and what the evidence is in support of using smartphones to help with contact tracing. I'm then going to ask about the privacy risks associated with this kind of surveillance. We'll then shift to looking at how government has sought to mitigate those risks using both law and code, before considering the prospects of a shift to Apple and Google's decentralized architecture and what steps we'll take next, and then at 12 o'clock we'll start answering questions from the Q&A. Okay, so first off let's get some more detail on how contact tracing works and what the evidence in support of using smartphones to help contact tracing looks like. So here I'm going to start by asking Dr. Mary Shields. So Mary, can you tell us a bit more about how traditional contact tracing works? In particular it'd be helpful to hear about the forward-looking and the backward-looking dimensions of contact tracing, and maybe you could tell us a bit how forms of technology are currently being used in order to support contact tracing, kind of prior to things like COVIDSafe.
Thanks Nat.
You've nicely summarized what contact tracing is in the introduction, so I won't go too much into detail, and I'm hoping that a lot of the attendees already understand large elements of contact tracing because of the media discussions in the last few months. But essentially the main purpose of how we understand contact tracing is to disrupt transmission, which means what we want to do is prevent a person who has the disease from giving it to other people; also, that those people who might have been exposed to an infected person don't go and pass it on to other people. That's the main purpose of contact tracing: to disrupt the chains of transmission. And so one of the things, the first step, what you do is when a person identifies or is tested positive for a particular disease, and this is again to say that contact tracing is not a new thing, we do it for most infectious diseases that can cause outbreaks, like measles, like tuberculosis, and so when a person tests positive for a particular infection they get a call from public health authorities after they've been notified of their test result, usually by their general practitioner because they often have a relationship with them, and then a health authority or epidemiologist will call them and do a case interview, get consent and do a proper assessment of what their situation is. But as part of that interview and case investigation they also seek consent and ask them for the people they might have come in contact with during the infectious period, which is essentially for COVID safe 48 hours before a person develops symptoms. So for example, if Alice is sick today, or Bob, or person A, if I call them I'll be like: do you remember who you came in contact with? What are the places you went to when you got sick and 48 hours before that? And based on that information collected from that person, the list of contacts is collected and collated, and then the contact tracing teams start to contact those contacts to
notify them of an exposure and advise them on the need to quarantine, the rationale for quarantine, but also assess their individual risk. Now we do this two ways, as you've mentioned, the backward and the forward. The forward one is where essentially a person has been confirmed to be infected and we follow up all the contacts they might have come in contact with during their infectious period, as I mentioned, so that's what's happening a lot with COVID safe at the moment. The backward approach is what we do often for diseases like foodborne diseases, where you might see a case of Salmonella pop up in the community, and in that case what you'll do is again a case investigation and try and identify where this particular person may have picked up the disease from. So for that you might interrogate them for the places they've been, or who they may have been exposed to, to identify that link with another person, and this technique is mostly useful and most critical for when we start seeing unlinked cases. So we would have all heard about the unlinked cases for COVID-19, and luckily we don't have many in Australia; we've only had a small proportion to date in certain jurisdictions, and so we've done really well. And one of the key metrics is that if all your cases who are appearing are on your list of contacts, that's a really good thing, because that means your contact tracing is working effectively. And so one of the things that apps like COVIDSafe, or any technological solution, can do in this particular context is really enhance the way human contact tracers do that, because we know diseases like COVID-19 are highly contagious and timeliness of contact tracing is really the key: the more quickly we can identify those contacts and have that conversation with them, recommend and advise them to self-quarantine, the more chains of transmission we are minimising, because we have only about four to five days before that person
who's been exposed reaches the other side of their incubation cycle, where they might become infectious as well. So hopefully that's...
Yeah, absolutely. And so one of the big differences between the two approaches I described, in fact ultimately really the major difference that we can identify at the functional level, as distinct from the technological distinctions and differences among them, is the ability to link someone who's been exposed to risk, notified of their exposure, to an actual positive test case. So that's something that, in the Apple and Google APIs for their approach, they say you're explicitly not allowed to do. When I receive a notification that I'm exposed to risk, in that situation there's no way of connecting me back to the person who tests positive. So can you tell me, just very quickly, how useful you think that ability to link the person notified of risk to the positive test is? How important is that from the contact tracing perspective?
Yep. So when we do normal traditional contact tracing, as we do routinely for all other diseases, an individual's identity is never linked, a case's identity is never linked to a contact, unless the case specifies so. So for example, if you're a family unit or a husband and wife, you might know that your partner has contracted the disease, but as a general rule we never reveal the identity of the person who's infected. So knowing where they may have been exposed is really critical, because that helps you build what we call the clusters, as you've been hearing, and so that again helps you understand how the disease transmission is happening, the epidemiology of the disease. Events like the super-spreading events, we can only understand those if we can link all these cases' contacts to a particular case by what we call the time, place, person association, but not so much as an individual identity but their demographic identity, or where they may have been at what time. Those are the key elements of information needed.
Fantastic, thanks. So I'd like to come over to James now. So one of the things that we all know, and it's lovely to see Vanessa there, so Vanessa has joined us now, sorry about that. So one of the things that we know about this approach is that it's new, right? We've used technology in all sorts of ways in order to support contact tracing in the past, but we haven't done anything exactly like this Bluetooth-based approach. So could you tell us, James, just a little bit about the research that has been published that provides the evidence base for taking this approach to using Bluetooth to support contact tracing?
Yeah, sure, thanks Seth. I'll do my best. So I guess some quick general background: models of things like contact tracing interventions have been used since SARS, essentially. I mean, there was some earlier work, but there's been a series of pieces of work done between about 2003 and the early 2010s looking at how contact tracing might work for infections like influenza and what the important parameters are there. And I guess that these kind of highlight two critical factors relating to the pathogen and some implementation factors. For the pathogen: the time from exposure to becoming infectious, which for flu or COVID is short; and the fraction of cases that can be detected, and again that's a problem for flu and COVID because there's a big symptom range and so in many settings few cases are being detected. And then there's implementation factors, which relate to the behavior of cases and contacts after isolation, the fraction of contacts can be traced into later isolation and quarantine. And I guess for SARS-CoV-2 it's as little as three days from exposure to infectiousness, so you don't have a lot of time, which is the element that the app seeks to address. So what they're doing in the Ferretti paper, which I think you're talking about, which appeared in Science in print in May but I think a month or
so beforehand as a kind of a preprint, they're looking at the ability of the app to instantaneously notify contacts of cases, and then what effect that instantaneous, or somewhat instantaneous, notification would have on our ability to preempt transmission, okay. And in particular this is important for COVID because of pre-symptomatic or early symptomatic transmission, so perhaps a lot of the transmission events occur within three or four days, only perhaps starting three days after exposure, and so timing is really critical there. And so they look at essentially three key parameters here. They look at the time delay from a case developing symptoms to being tested, and they look at then the proportion of all cases and contacts that are either isolated or quarantined, and they kind of make this assumption that all symptomatic cases are actually tested, okay. So whether your testing definition is a lab test or clinical, sort of "I've got COVID-like symptoms", they're assuming that as soon as you decide you want to be, so all symptomatic cases are tested, and they assume that all contacts change their behavior as soon as an exposure notification happens. So on that side of things, they also don't really look at practical aspects. So they talk in a couple of lines in the discussion about the sort of things which affect this, such as for example the fraction of people who have the app on their phones, so really your proportion of contacts you can actually detect through this is proportional to the fraction squared: it has to be on the phone of the person who's the case as well as the contacts. And then it depends on behavior afterwards. So there's a few implementation factors that they do not consider, and I guess this is kind of, you know, it's advocating a particular line and trying to suggest that there might be potential for a paradigm shift in how we do this, but it's early evidence, okay, and it hasn't been assessed rigorously with
other sort of competing models, I suppose.
So just to sort of paraphrase, the basic idea of the paper is essentially that it operates instead of manual contact tracing, or that the way in which it proceeds is independent of manual contact tracing, that maybe something happens as well, and the idea is just that you're notified as soon as somebody who you've been within a certain distance of your device as, and at that point you self-quarantine until you get a test. So I guess one of the assumptions that they're making then is that people are going to take a notification from an app or from a person and they're going to use that as a reason to stay home until they're able to get a test. And something that you and I talked about the other day is how long one would be required to stay home under those circumstances. So can you just say a little bit about what sort of cost this approach assumes people will be prepared to take on in order to avoid the risk of further spreading the disease?
So in the paper itself they're somewhat agnostic about these details. I mean, they do not essentially include these system aspects in their model, okay. So they talk about it in discussion, they suggest that this could be integrated with public health and reporting to it, but they don't make any specific choices about that in their approach. They're suggesting the high-risk contacts would be isolated for 14 days, okay, and the sense from another study, which has been a preprint, which has come out based on the UK pandemic experiment where they had about 40,000 people involved, is that you'd probably be isolating 30 to 100 people per case, okay. So when you've got few cases maybe that's not a big issue. Of course that's 14 days of person time for each, so a lot of person time, but if you imagine this being applied in a large epidemic with a hundred
thousand cases, well, that's going to affect a very large number of people. Of course they may be more inclined to because they feel they're more at risk, but certainly there's significant cost implications for the individuals involved. On the other hand, if you compare that to a shutdown where people are losing jobs and so on, the overall economic impact is probably rather lower, but it's more faced by specific individuals.
Yeah, okay. So hopefully that gives you some sense of the two ends of the spectrum here. So on the one hand there's an approach where we're trying to integrate the information you can get from apps into the existing contact tracing processes, and on the other hand you've got an approach that tries to automate as much as possible, and the rationale for the automation approach is largely down to the fact that COVID-19, or SARS-CoV-2, is so quick to be transmitted, and it does so before we're able to test people, before people become symptomatic. So that was kind of the motivation, I think, at the start to set up this alternate approach. Now, that's looking at this from the perspective of public health: what can you use this information for, what are the valuable information flows, how much does it matter that the health authority knows who has been exposed to risk, how much does it matter that you as an individual know whether you've been exposed to risk. But obviously that's only one side of the picture here. The other side is that all of those information flows carry potential risks with them. You know, the same is always true for any time you get a lot of data together, a lot of information together: it can be used for good, it can also be used for harm. So I'd like to switch gears now and start to talk a bit about the potential privacy risks that come with an approach like this, either approach really, and I'd like to shift over to talking to Catherine.
So Catherine, if you wouldn't mind unmuting yourself, there you go. Okay, so at the moment let's just think about COVIDSafe, the app that we currently have. Now COVIDSafe has a national data store. Basically every time someone tests positive, you have the app and they can consent to have their contacts uploaded. It includes a log of all of their contacts, so every Bluetooth connection that they've made with another phone, and that is held in the national data store, which can subsequently be accessed by health authorities. So could you say a little bit about what the privacy risks are that are associated with that national data store of contacts? And just sort of imagine it, you know, suppose we have a second wave, think about it sort of six months out from now. So at the moment there's like five contacts, it must be the smallest, most protected data set in the world, but imagine six months in, suppose we do have a significant second wave: what would be the privacy risks associated with that national data store?
Yeah, so imagining that we do have then a much bigger influx of uses of the COVIDSafe app data, and then this increase in what's in the central data store, by the end of the pandemic you would have a central database that's got a list of all of those app users who've tested positive, and along with that, lists of their contact logs, which would show you over a period of three weeks leading up to their positive test who they've been in contact with who's an app user, the duration, the date, the distance approximately between the two of them. And this can be quite revealing. If we start to think about that, it starts to answer for us why do we care, for example, if the app collects much more data than is actually necessary, and why might we care if that data is kept for much longer than is required for contact tracing. So firstly we've got the issue of improper access. You might have a government employee or anyone else who manages to get into that central data store
who can reveal information about you from those contact logs to embarrass you or to endanger you. So in real life we've seen the example, in another context, of a Queensland police constable who hacked into the police system and got the address of a domestic abuse victim and gave that address to her violent former partner. On the embarrassment side, those contact logs would also show whether, for example, you've been visiting a particular lawyer or a psychiatrist or HR from a rival firm or a lover who others may not approve of. Aside from that improper access, there's the possibility that down the track the government changes the law about what that data can be used for, this mission creep issue. And so there it might mean that instead of just being used for contact tracing, the government could use that data to work out who may have long-term health effects from a COVID-19 infection, or who might have been at the scene of the crime or near a person who's suspected of committing a crime, who might have been in contact with a journalist at the time of a controversial investigation. It could be used if the government's making accusations of other unlawful conduct such as tax evasion or cartel conduct, or you could have simply a Robodebt-style situation where the government gives a list of your contact logs to a journalist if you have been critical of the government. So those are the kinds of issues that arise, the kind of risks that arise, the more data we have and the longer we store it.
So yeah, I think that's great. One other thing I would add is that with these large data sets it's often really hard to predict what they're going to be useful for as well. So we can anticipate a wide range of uses, but then the bigger they get, the more unexpected connections might be, other kinds of predictions might be made. So that's the data store. I want to look at a couple of other information flows that might be risky, so just
one small one, and I'd like to bring Vanessa in on this as well in a moment. So one small one is: why do you think that it's a good idea to design a system so that someone who's notified of exposure to risk doesn't know who the person was who tested positive? What's the downside of being able to join those dots?
Yeah, I think here we've already seen that people can be very vindictive and aggressive even just based on prejudice about who they think is causing infection in our community, let alone if we had a situation where they might actually know who is causing infection. So if that kind of information were available, you can imagine quite vengeful behavior against the person who is identified as the contact, especially if they're already a member of a group who might be targeted on the basis of their race or their religion or their sexual orientation or gender, as we saw in Korea for example, and then even more so if that blame could be placed for somebody else's death, if the infection actually led to death. So we certainly wouldn't want that kind of vindictiveness and vengeful behavior to be a possibility.
Good. So there's good reason to be concerned about a national data store; there's good reason also to make sure that someone notified of risk never knows who they were exposed to. So Vanessa, if I can bring the next question to you. As well as there being obviously a national data store, under the COVIDSafe system everybody's phone carries a list of their contacts for the last 21 days, everyone who they've encountered who has had the COVIDSafe app on their phone. Can you talk a little bit about what the risks are associated with that, and what might happen if somebody were to access your phone and were able to extract the contacts from it?
Yes, so this is also a good question. I think that the questions that Catherine has been raising about the existence of the centralized data store are
probably the most important questions and are sort of inherent to the centralized model, but another aspect of the centralized model is that even if you haven't tested positive, right, you're still keeping on your phone this log of all of the encrypted messages that you've received from everybody else who was running the app within Bluetooth range of you, and in the centralized model those are IDs of other people encrypted with the key that the authority knows. So for example, if you were in a situation like the Australian Federal Police raids on the ABC, in which the person who was being investigated was compelled to open their phone, then there's the potential that those logs could be read in a way that is decryptable. Now it's not supposed to happen, and maybe we could go back to Catherine to talk about what the law is preventing that kind of behavior, but the fact is that information is there stored on the phone, and at least the last time we looked it was not stored encrypted in a way that was in addition to the encryption of the ping in the first place.
Good, okay. So that's the risks associated with someone accessing the data on your phone, but the other thing that your app does, and the basic nature of any Bluetooth contact tracing app or contact tracing supporting app, is that it goes around advertising its presence. Now there have been a number of vulnerabilities in the implementation of COVIDSafe that have been drawn out. Some of these remain under embargo, so we need to be careful not to discuss anything that's confidential, but at the same time it'd be worth getting a general sense of what kind of risks there are associated. In this case ultimately it's, you know, the risks that are associated with not using a Bluetooth protocol that was explicitly designed for the purpose of supporting contact tracing.
Mm-hmm. So, so far we've been talking about privacy
risks against a central authority, and the things we've been saying are really inherent to the centralized model and are not going to be easily fixed. But now we're switching over to a discussion of privacy against third parties, so third parties who don't have the government's decryption key, who can't decrypt the individual pings or our logs in our phone, but who can do things like put a Bluetooth beacon in a shopping center, listen out for messages and try and identify whether the same person is coming by; people who can do things like read the logs on a person's phone and perhaps detect the phone make and model, which are not encrypted. So there are third-party risks, and most of them could be mitigated, but at least at the moment in COVIDSafe they're not well mitigated. So one example is that in any of these Bluetooth-based protocols the random-looking pings that you send out are supposed to change frequently, and that's meant to stop it being easy to identify when you've been past the same place twice. And that's been a thing in Bluetooth long, long before contact tracing: everybody who was using Bluetooth was supposed to change the random numbers that they were presenting to the rest of the world for exactly this reason. Unfortunately, although the Singaporean TraceTogether basis at the open source code changes its random number every 15 minutes, the designers of COVIDSafe decided instead to expand that to a two-hour window. So if for example you have a home surveillance device like a Google Mini or whatever in your home, and also you go and visit somebody else, and also you go to the shopping center, then any commercial entity that has Bluetooth listening capacity at all three of those places is going to be able to figure out that you were the same person all across those two hours. Now in addition to that two hours, they've also introduced a whole lot of bugs that cause that random-looking beacon to not switch over as quickly as it's supposed to, and in some cases it
doesn't seem to switch over for a whole day or even longer. So this introduces the strong possibility for third parties to be able to recognize you again when you come back. They can't immediately tell who you are, but if they can tell who you are in one of the places you've interacted with them, then they can link all your subsequent interactions with their Bluetooth beacons that they've set up.
Good, okay, thank you. Okay, so I'm conscious of time, so I want to move on to the mitigation. So we've talked about, you know, what the public health benefits are potentially of apps like these and what the evidence base is for them, and we've talked about the privacy risks both of the centralized data collection and of the phone and of the apps sort of sitting on the phone. So next I'd like to talk about the mitigations for these risks. So there's three different categories that I want to focus on. One of them is legal, so we'll talk with Catherine about that. I want to talk also briefly about the operational mitigations. After all, contact tracing always involves dealing with very sensitive data, so there are well established practices for mitigating some of these risks. And it would be good also to talk about the technological mitigation as well, which will allow us to shift gears and discuss a bit more the Apple and Google exposure notification API. So starting with you, Catherine. So the legislation that was passed on the 14th, I think, was passed with support of all major parties. It was described as some of the strongest legislation to protect data in Australia that has ever been passed. You and Graham Greenleaf from UNSW have written a detailed study of the legislation. I'm curious to know if you wouldn't mind just sort of summarizing its basic elements, its core elements, and saying what you think may have been left out.
Yes, and I should go back just for a moment to those comments that this is the most legally protected data in Australia and the best ever and so forth.
um i think at the outset yeah we shouldn't get too excited about this um australian privacy laws are well behind privacy laws in other jurisdictions which is why the a triple c last year recommended major reforms to our privacy laws and why the law reform commission has twice recommended that we should have a tort of serious invasion of privacy and neither of those recommendations have actually been taken up at this point and it's as a setting for this also important to remember that in australia we don't have a fundamental right to privacy so you won't find that that we can say if the law has changed down the track um take that uh that go to court and challenge that law on a constitutional basis and say this degradation of our privacy was not uh necessary and proportionate um having regard to the other interests so i think that context is necessary at the outset as to the covid safe act which was passed a bit over 10 days ago now there were some key protections built into the act some of those include that there are some good provisions um preventing people from forcing others to download or use the app there are also um a number of restrictions at actually there's a general prohibition against using the covid app data and then just some restricted permissions as to when it can actually be used and disclosed um there are also provisions that allow people to request some of their data to be deleted that's just the registration data and also some sunset provisions so that at the end of the pandemic at least the contact logs themselves will be required to be deleted from that central data store as to what's missing from that framework um as you said graham greenleaf and i have written a much longer paper on this and so the details are there but i'll just name some of the big items um the for starters the law allows the system to collect and store much more data than is necessary for contact tracing and it doesn't uh prevent the health officials from accessing that 
excess data in addition to that um it allows the contact logs to be kept as i said to the end of the pandemic period and that's much longer than that data is required for contact tracing should have automatic deletion a lot earlier than that um in addition to that we need to tighten up the loopholes that exist in the anti-coercion provisions which we pointed out and already we see some restaurants for example requiring people to disclose whether they've got the app on their phone and they're using it and if they don't requiring them to hand over more contact details and identification before they can get a seat um and so those are some of the issues that we've raised and some of the reasons which i can i should go into a little more about why consent is critical here and voluntariness is critical i think we need to cover that as well yep um okay so i think when we talk about the google and apple protocol will be a good point to do that because that will give us a chance to to do a compare and contrast um mary so with contact tracing as it currently is it's important to sort of acknowledge i think but it you know it involves a form of surveillance and it involves a form of um you know involves acquiring sort of very sensitive details about people can you tell us something a little about um how in the conduct to contact tracing those kinds of sensitivities tend to be handled um how the data that's gathered is protected and how you ensure that it's not used for purposes beyond what it's intended to be used for yeah that's an important question set and as i said i think it's important to remember that contact tracing is not a new theme we've done it for decades and decades and decades it's one of the key most proven um public health effort and outbreak response activity that's been a lot of diseases and so when operationally talking when a contact tracer does do tracing and any public health data that includes the data from contact tracing is managed under what's 
called the public health act um and each and every state and territory jurisdictions different parts of the world might have their own act they might have variations but really the large governing thing is a lot of it is around um maintaining an individual's privacy and securing the data the data is usually stored in a secure password protected data set and that's more public health perspective but also anyone who's doing that is usually bound by confidentiality so there that would be key part of their responsibility and things that they would do when they um are part of the public health department doing any kind of contact tracing and that's not new and usually you would only do for example contact tracing at a designated facility you wouldn't use your personal phone you wouldn't you'd use your um you know the department of health's phone where um the data can only be used for um someone's contact log can only be used for that purpose as a contact tracing and of course then the data is stored in a sensitive secure password protected um manner which then later might be used for epidemiological analysis and I think that's an important thing to remember that unless we know if for example if thousand people were exposed to a person and only five got sick out of that that's really important information unless we've had your contact data linked to the major the full picture of surveillance data so to speak or the epidemiological data we're not going to understand how the disease transmission is working we're not going to be able to prevent and design policies that and interventions that will prevent the spread of the disease and the outbreak itself so hopefully that briefly answers that question absolutely and I think it brings us to the next point really nicely because you know we we've seen what has been passed as far as legislation goes so we know where we're at with that and we already know what the operational approach is but we still have some choices to make as 
far as the technology goes. So at the moment the head of the DTA said that COVIDSafe will be switched over to the new Apple and Google exposure notification API at some point. Now it's worth sort of dwelling a little bit on this. There's been a fair amount of detective work involved as to what this would mean, because obviously the Apple and Google exposure notification API went live last week. The documentation is there, and I should say that if you go to at hmi underscore and you after this we'll be sharing all of the resources that we've referred to, so that there is documentation describing how the new exposure notification API that's being offered by Apple and Google will work. It's worth saying that this is a pretty unprecedented collaboration between those two companies. The distinction between what they're going to offer and what is currently possible within COVIDSafe has two basic parts: one is the technological and the other is the functional. The functional one is fairly easy to describe quite quickly. As far as I can work out, after having delved into this at laborious length over many late nights over the last few weeks, the functional difference really comes down to one thing: there's an explicit prohibition on linking the person who is notified of exposure to the person who tested positive. You can get almost all the same other data from the Apple and Google exposure notification API as you can from COVIDSafe, but that bit in particular is prohibited, and there's the opportunity to include more stages of specific consent. But on the technical side it's very different. So Vanessa, that's where I turn to you. Can you please explain to us as quickly as you can the distinction between a decentralized and centralized architecture for exposure notification?
Yes, so this is a really fundamental cryptographic difference that induces two completely different ways in which citizens relate to the central authority. So we have cryptography leads
fundamental political differences. So in the centralized model, which is the way that the COVIDSafe app works, is exactly what we've been describing, right. It matches traditional contact tracing in a complete kind of a way, in which when somebody tests positive they upload to a central authority their complete list of everybody in Bluetooth range who's been running the app, and then the central authority decrypts all those IDs and contacts those people. The decentralized approach is completely different. We still start by sending around random looking Bluetooth pings, but instead of being encryptions with a key that the central authority knows, they're just pseudo randomly generated numbers that nobody can identify. And the key difference is that now the computation of whether or not I've been exposed to somebody who tested positive is something that happens on my phone, based on information that a person who tested positive shares on effectively a public bulletin board. So now I'm checking on my phone whether or not I've been exposed to somebody who tested positive to the virus, and I'm getting a notification, but then there's no inherent information flow that goes through that central authority and no central database that holds on to that contact graph.
Excellent. So now that we're considering making this move, yes, that would mean there's no central database. It would mean that there's no way for a central authority, if they grab your phone, to extract data from the app itself. Now those were two of the main privacy risks that we were talking about before and that were intended to be protected by the legislation. So one question for you, Catherine: the first question is, if we do make the shift over to the Apple and Google exposure notification API, what proportion of the recently passed legislation will still have any application at all?
A great deal of that legislation does apply to the central data store and what can be done with the data
that's uploaded to that central data store and so yeah there would be a great deal of it that that would no longer apply some of the things that would apply though are the and these wouldn't directly apply I just mean that they could be recycled in legislation about this approach is the coercion provisions and I think they would be very important on that matter of consent the reason that this is meant to be a voluntary scheme is in part because it is an experiment and we do need to acknowledge that not everybody can be part of this experiment there are many groups that don't have access to their own smartphone or to the network coverage necessary to support the kind of tracing that we're talking about and we shouldn't be making this ever compulsory in either of those kinds of apps so we have Dr Norman Swann who I greatly respect as a medical doctor saying that we should now not allow people on public transport if they don't have the app that would mean of course that if people can't afford a smartphone that they wouldn't be able to use buses and trains so you and what then are they going to park their BMW at Moore Park you've got to recognise that we can't be using this to exclude vulnerable sections of the population so I think those anti-coercion provisions would still be really important excellent and on the decentralized model so one of the things that we had a sort of a late discussion about last night was exactly how they're going to like the role of specific consent so it's worth just sort of drawing that out so with COVID safe at the moment you consent to download the app you put in your information to it you do have to put in some information and then you consent if you get tested positive to upload your contacts and that's the end those are the only roles that consent plays within the new framework API from app and Google they're very explicit about saying that one cannot require any personally identifying information in order for somebody to receive 
exposure notifications so that's one extra layer of consent you can choose whether or not to put in your user information although it is emerging and this is something that we have yet to fully confirm but we think it's the case that the way the app is going to work is going to allow health authorities to design it so that they are automatically notified that this user of the app has been exposed to risk when that person receives a notification of exposure another way to do it would be to have the app only notified the individual not notify the public health authority and then allow them to sort of choose to contact the contact tracers so that's something that I think is sort of relatively breaking news it comes from sort of looking in detail at the different APIs and we'll sort of see how they flesh out but so it seems pretty clear that as far as security goes as far as some of those privacy risks go it's a lot more secure to have a decentralized architecture what we haven't talked a lot about the particular functionality problems of the current app working in the background on iphone some of those functionality problems were resolved by some early updates those updates introduced new problems basically the phone leads to the app leads to people's bluetooth devices is connecting more frequently there's also a permanent sort of long-term tracking issue that is essentially caused by this functionality problem with respect to the use of bluetooth so from the perspective of privacy functionality as an app and security there's obviously a strong incentive to shift to the apple and google framework api um but i'd like to come back to the public health functionality of this alternative um so one thing i've got two questions here one for james and one for mary um so for james the question is um you know when you base major public policy making on statistical modeling um what's the optimal scenario for using statistical models as evidence for big public policy decisions 
you and i have talked in the past about how some models sort of evolve with data over time can you say a little bit about that here yeah it's a very challenging sort of question i suppose um we're in a situation where you know we often talk about all models being wrong and some being useful in this case all data is biased and some is useless um so we we have difficulty making decisions based on the data that's been collected for it's getting better but available for sars cove too and we've had to use models to inform policy making because we haven't had anything else what i would say is the the the ecosystem of models used for things like um staying at home or schools closure and so on and even traditional contact tracing um they've been developed over maybe a 15 to 20 year period i suppose and compared with data from other sorts of infectious diseases doesn't make them right and obviously we haven't had prior experience of this virus but it does mean we have some sense of how they perform previously and some of the deficiencies in the in the assumptions have been tested through prior use what i would say with the apps is that we really don't know a number of basic features about these so the the faredi model i think is very useful in terms of saying what the sort of maximal benefit of this might be in a in a challenging situation assuming a number of things are fairly optimal what it doesn't tell us is what the practical impact will be when all the implementation features such as for example the fact that bluetooth measurement may or may not be useful um that the the uptake may or may not be good but the way in which people behave may or may not be what we expect all of those features are unknown at the moment we may have a i think we could make decent guesses about them that in follow-up work that haven't been done in that paper but ideally right we should be assessing these right so we should be running ideally experiments on different approaches to try to test 
these out in parallel while we're working that's what we're trying to do with everything else so why not for this so that's that's a great point i think so one thing that you mentioned and it's i'm sure everybody watching this already knows this but it's worth just reminding everybody that bluetooth signal attenuation is a very weak proxy for proximity it's depends on how you're holding the phone at the time it can only measure when it's being scanned so you could be next to somebody when they're measuring it go away and then come back and you can be next to them again um it's it's a fairly weak piece of evidence for the things that matter and so mario i'd like to um before i just sort of wrap things up try and wrap things up within the hour and then go on to q and a i'd like to just sort of really get a sense of the value of the information that we're not going to be able to have from the app on google api so let's just be clear james's last point there was that we don't really know which of these methods is going to work it would be good to be able to try different things out and test them and see and what's fairly clear from the way the apple and google framework api is right now is that they've placed privacy really at the very center of it and they are explicitly at present prohibiting the association of the person who is notified of exposure with the person who tests positive one thing we might want to do instead is you might want to run both approaches in different countries where the conditions suit and where the local sort of values kind of fit those two those different trade-offs and see which one works but in the absence of the ability to do that it'd be useful to sort of draw on your experience mario um in the work of contact tracing just to see how how useful you think this information will be if we don't have that link between the person notified of exposure and the person who was tested positive except yeah and i think i guess one of the most 
important points that i want to make is that contact tracing is only as good as how engaged the community is so if an individual doesn't feel empowered it's not going to work because really we're relying on them quarantining themselves because they've been exposed and that's probably one of the most important thing is to have that community engagement and one of the other things that contact tracers the human contact tracers do is this whole element of personalized interviewing process so when a health authority calls you you go through a conversation the rationale now an automated ping through an app may work for some people to quarantine but a vast majority of people may not understand despite all the media talk and when things go back to normal that why they should quarantine and assessing personal risk so if you're a sole parent you know what do you do how do you quarantine who do you get that information so a lot of the time it's also about providing that reassurance assessing individual risk of that individual person to enable them to have take on the quarantining the two week period that they need to spend at home or if somebody lives in a big house house with lots of people but lots of shared facilities those are important things that contact tracing involves and so really it's about providing and then sometimes you might have to provide some psychosocial support some people may freak out because you know they may not understand what it means to be a contact of the case and so those are critical elements that are part of the public health response and I think any solution any technological solution really needs to encompass both of those that the community needs to be engaged the individual needs to be empowered and that information is useful there's no point of collecting data by whatever tools you are if it's not useful for understanding for breaking chains of transmission and understanding the epidemiology of the disease so if we can't say the five 
people who've been infected were five out of five versus five out of thousand then that really data doesn't help understand the future of the disease and then to be able to plan for when we have an increase of resurgence in cases we really need to be able to understand what the drivers of transmission might be which knowing the number of people exposed has become really important so the data has to really be useful a for engaging the community but b also for the public health response and I think from a field epi and a public health perspective I think those would be the main things and technology can only enhance the human side of things I think that would be that's really well put okay so I think we're going to we'll end the the the one hour of the of the webinar here I don't think there's any need nothing that that summed up well I think we've got a really good overview what I'm going to do now is I'm going to pull up the Q&A which is probably going to involve me doing this sort of gormless face as I look into the try and read it for a minute and I'll sort of start trying to address questions people who have done Q and have done the questions with their name I will I will mention the name but otherwise if you've done anonymous then okay so by the way I did try I did intend for this to be a a gallery view I've noticed when you don't do it gallery view it's just unreliable whether it goes through that one okay okay so I guess one one big question that would apply Catherine that would be a good question for you to field so can you tell us how secure the national data store is against being used for the used by in particular the intelligence community like what kinds of protections are put in place to prevent access um from the intelligence community um to that data this question comes from Mark Eileen yet at present um the approach taken under the act is that you have as I mentioned earlier that general prohibition that this app data can't be used at all it can't 
be used or disclosed or collected at all and then there are exceptions to that for the specific uses such as contact tracing or working out whether somebody has breached a provision of the act or just some very limited reporting of de-identified data of the total number of registrations um and the act also states that it overrides any existing laws and so it would only be the case that if a law is subsequently passed that specifically refers to this new part of the privacy act and states that it overrides this part of the privacy act that it could then um apply and say give powers to the intelligence community or to anyone within government to access the app data for another purpose um that's possible of course as I mentioned earlier it is possible to have that mission creep and to have decisions made later about um uses that the government would like to to make of the app data um but at the moment the a clear intention is that this is part of the privacy act and the protections um that it enshrines would override any other laws that we give um the intelligence community or any other law enforcement access to the data okay that's helpful thank you um so there's another question here that I love um which I want to address to Vanessa um so so those of us who have been following this closely when Randall Brugo Bruto um said that the uh covid safe would be shifted over to the um to the new apple google framework I think there was a collective uh dropping of jaws um following this um so Vanessa one question here is um so would changing covid safe to the new framework change what devices or versions can run yet could both versions of the protocol be used I'd like you to use that as a sort of a a prompt to talk about some of the if you like the transition costs associated with the apparently intended move over to the new framework yeah wow so first of all let me say a strongly suspect that he just didn't think that through right that actually that wasn't a clearly thought 
out expressed intention to make a major and fundamental change to the app. I'm guessing, right, because I don't actually know any more about what he was thinking than anybody else. My guess, just based on the off the cuff way that he said it, was that he didn't have any understanding of what a profound and complete reorganization of the system that represented. But if we were to assume that he didn't know what he meant and we were to try to think about how that might work. So Josh Taylor from the Guardian asked me about this and I said, well, I think it'd probably be a bit of a mess and it would take at least a few weeks of running both things in parallel. Looking through the fine print of the APIs with Seth yesterday evening, we saw that one of the things that the Google Apple APIs will prevent is simultaneous use of ordinary Bluetooth by the same app. So in fact it's not going to be possible to run both versions under the hood for three or four weeks or whatever as a transition. There's going to be some much more complicated transition involving effectively everybody doing one thing and everybody beginning to do the new thing for a while and eventually removing the old thing. They do not interoperate in any way at all. They're really just two completely inconsistent systems.
Yep, so pretty big transaction cost. So James, just one thing. Okay, so I think we covered the sort of the square of the fraction. Someone's asked whether all panel members are using the app. It's a good example of the sort of the reason why there's the anti-coercion measures within the law, so I won't ask anybody that. Okay, so here's an interesting point. So this is a question that's been raised by William Blair which I'd love to talk to. So William says that the Apple Google framework can't link back to the infected person, but the infected person passes up his or her series of IDs to some central database that other participants can download
surely that provides a link? Yes, so this is a very interesting point. So Vanessa, maybe you and me can talk about this one because we've been trying to figure this out, right. So this comes back to that question of whether you can design the app in such a way that when a person is notified of their being exposed to risk, the health authority is notified that that person has been exposed. In discussions with people from Apple and Google it seems that this is certainly the intention, that it can be done without specific consent. If you have provided your user ID, then when the app notifies you that you've been exposed to risk the health authority is able to access that information. Very vague, ambiguous in the API. One of the interesting challenges that then raises is the possibility of what's called a timing attack. Essentially, once the person who's tested positive is authorized to upload their keys to the central database, if at that moment everyone's app was checking the device kind of live, and if you put up that person's test and then you waited for an hour, and then everybody who was notified of exposure automatically notified the health authority, then they would obviously be able to link the person who has been tested positive with the person who has been notified of risk, even though the app itself doesn't make that information explicit. So that is explicitly prohibited within the APIs. Both in the Android and Google it says explicitly you're not allowed to use this data to link two people. But at the moment, because of this ambiguity as to whether they're going to allow health authorities to know whether the person's been notified without specific consent, it's not clear that this isn't a vulnerability. Although we do know that the plan, as far as I know, I think the plan is that the apps should sort of poll the central
server once a day rather than kind of live throughout the day. So if you have loads and loads of cases then you wouldn't be able to assert, if like 300 cases have gone up on Tuesday and then all of their contacts aren't notified on the same day, then you wouldn't be able to link them in a very efficient way. But in the sort of situation like where Australia is with the virus, where you might have one new case, or in a particular area, if the health authority does know that someone's been notified of risk then they will be able to make that link. Vanessa, what light can you shed on this?
Yes, so there's a couple of slightly different questions here. I'm just reading the fine print of William Blair's question. One question is, does the individual find out who exposed them, and then the second question is, does that information get conveyed to the central health authorities, either that this new person has been notified of exposure or that they were exposed by a particular other person. Okay, so William Blair has asked, you know, surely this basic idea of publishing the list of pings from an infected person and then downloading them onto your phone and checking whether or not you saw one of them inherently provides that link. And the answer is yes. In the vanilla version of how this decentralized protocol would work you would automatically get the link between you and the ID of the person who had exposed you, because you're doing that test on your own phone. Now the Google Apple API puts a great amount of effort into obscuring that information and not making it available, and that's a deliberate privacy choice. That's not an inherent difficulty with the structure of the information flow. In fact it would happen automatically if you didn't do something careful to stop the app from being immediately able to make that link. So they've specifically decided not to say, oh, actually
on Monday afternoon at 3:30 you were exposed by ID number 57, which has subsequently tested positive. They easily could; they chose not to.
Yeah, good. And so where we're getting a lot of this information from, by the way, so we'll share these documents on the HMI Twitter feed. So Apple, well, Apple and Google, they both have more or less the same, there's some interesting differences if you sort of dig into them, but they have framework APIs, application programming interfaces, which describe what the terms, the concepts, the architecture will be of these apps and what information therefore they can provide. And so the interesting bits come in what's called an exposure info, which tells you what information about the exposure the app can reveal, can access. And as Vanessa was saying, it's only the day. It's increments of time between five minutes and 30 minutes, and it won't tell you longer than 30 minutes, but it will tell you as low as five minutes. So that's an interesting, one of the sort of touch points with COVIDSafe has been that it shares all contacts, not just those at 15 minutes and one and a half meters. So we'll share five minutes up to 30 minutes, but it won't share the person you were exposed to and it won't share the precise time. And as Vanessa was saying, it absolutely could, right. So the interesting thing here is, on the one hand there's this technological choice about kind of how to design the system in order to minimize risk, but on the other hand there's also a big public health privacy choice about, you know, what information you want to go where. And fundamentally I think one of the things that people should realize is that you can replicate all of the functionality of either system, well, of the centralized system in the decentralized system. You can't do the same, but so the question about what functionality you want
isn't one that is predetermined by whether or not you join the Apple or Google framework, except for the fact that Apple and Google have decided that it is, right? So it's not a technical obstacle.

Okay, let me, so a lot of people have been talking about, and so Mary, this will be a question for you. So a lot of people have been questioning the messaging that's been coming out of government about COVIDSafe. There's no doubt that it has been presented in some fairly, I guess, confusing ways for people who might not be especially tech savvy as to what it achieves. In particular there was a sort of now, I think, notorious comparison between COVIDSafe and sunscreen, and slip-slap-slop and all that. So it'd be useful to talk to, say, Meru, you know, what do you think about the sort of perhaps confusing messaging around the kind of protection that COVIDSafe can give? It's worth sort of reinforcing, you know, your view on the sort of protection that using COVIDSafe provides us as a society, as distinct from the protection it provides us as individuals from using the app specifically.

Thanks. I won't endorse or dis-endorse the messaging around that. I think the important thing is that risk communication is an important thing, and you can probably engage a lot of risk communication experts on talking about what's the right language. But I think one of the things to understand with this particular app, as we discussed earlier on, is that timeliness of the ability to get contact information at speed and be able to notify them with speed. And again, in public health and contact tracing it's often not about an individual, it's about a population, so we're trying to achieve population-level impact really quickly. And I think the idea of an app, and I've said this before, I don't think it can replace the manual contact tracing or the human-based contact tracing that we already do, whether it's for COVID-19 or for other
diseases. It can probably be used to enhance and improve our efficiency, reduce the workload on contact tracers, etc. But I think what it really does is that if we were to go back to normal life, and I'm sure James can comment more on that fact, that we think that on average in normal life a person would come in contact with 10 people, now if you look at that over five days that's 50 people. If you live in a busy city and commute for an hour, it provides that ability to rapidly notify or collect that information on contacts. Now traditionally what you will do is, say for example measles, which we know is a more infectious disease than COVID-19 is, but what we have for measles is vaccines, so we don't realize the impact measles without vaccine could have and how extremely fast contact tracing you would have to do. And we do that anyway: every time there is an imported case of measles in Australia, public health units work incredibly hard to contact trace every single person they may have come in contact with, and often you'll see public notices and media statements saying a person who's infected with measles passed through this area, they may have visited this shopping center or this particular nightclub, because it's all about notifying, and then you rely on people contacting you. So it's all about, I guess, the timeliness, and so that's probably the idea behind it. I think the messaging needs to be more clear and that needs to be articulated to people, what are the benefits, and then it has to be an optional thing. I think voluntary consent processes, or at the end of the day it's about an individual choice whether they want the app or not. But I think it contributes or may be able to contribute towards making our contact tracing more efficient, but until we evaluate it we're not going to know. And I think that's a challenge with a new disease and a new pandemic, is that a lot of things are in emergency response, we often are going with the flow or on the fly because we
don't know. It's, yeah, it's the best evidence you have to find the best solution.

Yeah, I think that's important. You know, I think some of the criticism of the slip-slap-slop messaging was it was a little bit sort of overly literal, you know, because the idea is, if everybody has the app and if it is able to assist with contact tracing, then it might mean that somebody who will emerge as having tested positive will stay home who wouldn't otherwise stay home, so that might mean that it breaks the chain of transmission. So it can play a protective role. Now Catherine, I've seen your, but I've got a question that I'd like to address to you, then you could maybe merge what you want to say now with this other question. So one of the things that we haven't talked about, and this is coming from a question from Jeffrey Huntley, one of the things we haven't talked about is, you know, we've looked very narrowly at COVIDSafe and the Apple-Google kind of framework for how to sort of use apps to support contact tracing. There's obviously a wide range of other alternative measures that could be used. You could be using GPS rather than only Bluetooth. You could also be using Bluetooth to monitor people's social distancing, right? So one of the things that they wanted to do with the NHSX app was to be able to give people a nudge as to whether they were doing a good job of staying one and a half meters away from people. So I wonder if you could, as well as addressing the previous question, sort of talk a little bit about, you know, whether you think that there needs to be specific protections against using the app to kind of monitor behavior, as distinct from purely for the purposes of contact tracing.

Yes. Just to start with the previous point first, I do take a different view to you to some extent, because I think when you stand back and think, what did
the Prime Minister really mean when he was giving the sunscreen message, yes, you could see it from a community perspective and understand that literally this is not going to protect you from a virus, and yet I think that sense of comfort that seeps through with that messaging, and as you'll see on some of the sites that advocate people downloading the app, that there are messages that once we reach 40 percent, you know, until we reach 40 percent we won't be able to put an end to these job losses and the economic crisis and so forth, and quite clearly even once we do reach 40 percent that won't all stop. And so I think it's that general sense of being able to relax if you've done these things that is still troublesome, and that we should avoid that kind of messaging. As to using the app data for other things, such as working out whether somebody is staying in quarantine or whether they're getting too close to other people, that would certainly be ruled out at the moment because it's not one of the permitted uses that's an exception to the general prohibition, and would clearly be much more intrusive than what's permitted at the moment. And I think in that respect the government must realize that there is a big trust issue here. It has a trust problem. And last time the federal Privacy Commissioner conducted a national survey about people's levels of trust in organizations managing their personal data, back in 2017, and they asked about different kinds of organizations, and when it came to government departments only 58 percent of Australians said that they thought that government departments were trustworthy in dealing with their personal data. And so that is going to have a big effect on the extent to which people both use the technology and don't try and evade anything that's forced upon them, which may mean that the government needs to shift course somewhat to gain that trust by having a more decentralized model or
restraining extra uses of data.

Thanks for that. So I'd like to address the next question, this is sort of inspired by a question from Matuza Kasizadev, to James. So one of the first responses of a lot of people who have been commenting on these different apps has been to sort of cry solutionism, right? We've got, there's a problem and there's an app for that, right? So I'm curious to know, from your perspective, do you think that investment in, and sort of the efforts around, COVIDSafe have come at the expense of other aspects of our public health response? I know that you're closely involved in some aspects of that. From your perspective, do you think that it's been a process that has been sort of suitably complementary to a kind of whole-spectrum public health response, or do you think that it's been used as a way of avoiding doing other things? And I'd like to address this also to Meru in a moment.
So I don't really think so. I think the public discourse would suggest that COVIDSafe is very important and, you know, it might replace other functionality, but as people sort of note, with 40 percent coverage you may be catching 16 percent of contacts, and then what happens? That's nowhere near enough to sort of bring an R0 of 2 down to 1, which is the sort of level of effect you need. So I think that's well known in the people advising, and my view is that the state health departments are simply seeing this as potentially something that adds an extra layer that may catch a few more contacts, particularly in situations where it's difficult to trace them, such as public transport, malls and so on. I really don't think that there's a sense that this will replace any of their activities, in part because the way in which contact tracing is done, you try to be exhaustive with this. You really want to capture every case, because if you miss them you may find this bubbles up somewhere else. So it's really a bit of a different sort of mindset. So I sort of see it as something that's potentially an added extra. It will probably help a bit. I worry a little bit about the implementation of the decentralized model, if the way in which you think through support for that is not done well, and that it might actually impede some of the public health activities potentially. But at present I just see it as a small additional benefit, a bit like closing schools.

So Mary, in your answer would you mind just saying a little bit about how you think we're doing with respect to contact tracing at the moment? Like, what is our level of capacity, well proportioned to the task?

I think that's an important question, and I might be biased because I do have a lot of friends and colleagues who are really good at tracing. But I think the numbers in Australia speak for themselves. If we hadn't done good contact tracing, each one of those cases would have gone and given us more and more cases and populated new
infections. So I think our numbers, where we are now, speaks for itself, that contact tracing has done well. I think initial numbers, and I think looking at the original data as well, there was about 8 to 10 percent that remained unlinked cases at the start, when, before, and that was purely more, I think, before we introduced the compulsory quarantine for incoming travellers, because most of our cases luckily were from incoming infections, so it was easy to contain and suppress the outbreak, relatively easier, and the public health authorities had worked out. But if they hadn't done the contact tracing I think that could have really led to several seeding events as we've seen in other parts of the world. And I 100% agree with James that, I think talking to colleagues, friends, me who is a field epidemiologist and often would do this, this would only be seen as an additional benefit that might help that timeliness aspect and be able to identify those extra contacts. And people might be surprised that actually contact tracers work incredibly hard to identify each and every contact and be able to make that contact. Just because you also have somebody's phone number doesn't mean that you'll be able to reach that person. In a lot of parts of the world people can't do phone contact tracing; in parts of Africa, Asia Pacific you'd go and do person-to-person, in-face physical contact tracing, and that sometimes includes going into remote villages and so on. And Ebola is a classic example, where we see very high mortality and you want to be able to identify each and every contact of the person and be able to backward trace as well. And people, any unlinked case, epidemiologists, contact tracers work incredibly hard to identify those links and be able to then link those clusters, we say, and ring-fence essentially around each and every case, because it's all about then stopping, minimizing the propagation of the outbreak. So I think, and I think the fear would, from the decentralized model, to me
personally would be that ability to make that human-to-human contact with an individual, be able to assess that personal risk and provide that reassurance that you're okay, just because you've been exposed doesn't mean that a hundred percent you're going to become infected, and what to do when you are, if you do develop symptoms, where do you go for testing, rather than a person being radically trying to look for that information when they receive an automated text message saying you need to quarantine pieces, you've been exposed. The initiation is coming from a trained health person who has the ability to give that reassurance, that messaging, what to do, how to manage your risks, what happens, and those are important elements of the whole public health response aspect. It's not just about a number of contacts, it's about

So I do believe that the implementation of these apps will, I think it's very likely that it will enable health authorities to initiate contact, and they'll find a workaround for the timing attacks, I think. And I think that certainly has been my impression of the debate as a whole, that, you know, there has been a very broad recognition that this is in no way a replacement for human contact tracing. I think that that recognition is very different in a country like Australia, where there's sort of presently, touch wood, manageable caseload and very strong public health infrastructure, than it is in the UK, where they've got sort of, you know, amateur contact tracers, like the contact tracing capacity isn't set up yet, and in countries like the US, where public health infrastructure is relatively feeble. Now I think I should probably let you go in a moment, but I do want to get through a couple more questions, and there's a really, really salient one here from Alwen Chu at the ANU, who's done some wonderful research on the COVIDSafe app. So Alwen asks, are there any regulations governing the use of data collected by third
party Bluetooth monitors in relation to contact tracing, so that they may pick up from, for example, the COVIDSafe app? So in the ACT there are close to 100 Bluetooth traffic monitors that collect MAC addresses of Bluetooth devices for traffic studies and management that could potentially be used to track movements of a contact tracing app user. We know as well that supermarkets, for example, have a bunch of Bluetooth beacons sat around them in order to detect where you are, what you're standing in front of. There's some really interesting research about the prospects for doing really, really micro-location-targeted ads, like you're in front of the cereal aisle, you're in front of the cereal, like you're looking at the, you know, the white new Coco Pops or the old Coco Pops, and it says, you know, get 50 off the white Coco Pops while you're standing there. So the use of Bluetooth for ad tech has been around for a while. COVIDSafe and all other such apps are going to be going around basically saying hi, I'm here, I'm here, I'm here, I'm here, I'm here, to everything around them. Catherine, what do we know about the regulation that exists to prevent basically ad tech companies from harvesting Bluetooth data that they may be able to make, like, infinitely more valuable by effectively cracking COVIDSafe?

This is highly topical because the ACCC is currently undertaking its ad tech inquiry, which may tangentially look into the privacy aspects, and particularly the privacy protections for consumers, and look into those aspects as a function of competition within those markets as well. The short answer is that at the moment a lot of these firms are claiming that tracking people in that way, and tracking people in a number of other ways when they're operating online or using a digital device, is not actually subject to our privacy laws, because they say this is not personal information in the sense that it's not
attached to your name or your mobile number or your email address, and therefore we're just dealing with non-personal data and that is not covered by our Privacy Act. I think that is in many, many cases, and including in the ad tech context, highly disingenuous, and I think the firms involved know that they are attempting to identify, as they put it, the person behind the device and to create this 360-degree view of the person behind the device, and that there are a number of ways of doing that through identifiers that may not call me Catherine Kemp but know that I am the individual that uses this phone and this laptop and that comes back to this house every day and so forth. And so at the moment I think that is a real gap in the enforcement of our privacy laws, or if not that then our privacy laws need amending, because it is something that firms are increasingly doing to try and track individuals even when we try and avoid all of that kind of tracking.

This is a wonderful, wonderful occasion when I can refer to the de re / de dicto distinction in philosophy, which precisely focuses on that question of, you know, the person who does all the things that Catherine Kemp does even if you don't know the name. It would be remiss not to mention at this point that every time, and I mean, we had got up to 270-odd participants, we're now down to the hardcore of 130-odd left, I imagine that everybody who remains on this webinar has read Vanessa's work in connection to de-identification, and it's just really, really important that, you know, this is one of the ways in which the legislation that we operate under and the privacy principles that we operate under work on the assumption of the possibility of usefully anonymizing data in a way that actually protects people, and what Vanessa has shown in many cases, drawing sort of in a local application of research that was also done in the US on things like
the Netflix movie data set, is that with just a couple of points of contact, two or three in most cases, you're able to re-identify people. Vanessa, would you like to bang the drum for people? You can only say de-identified like this.

Yeah, yeah, exactly, that's exactly right, and that is the short summary: you can only say de-identified in scare quotes, because if you have any kind of detailed information about anybody, whether it's their medical record, whether it's their list of contacts over two weeks, whether it's a few physical positions that you found them, then it's overwhelmingly likely that you're going to be able to figure out who it was. So I haven't read the new protective legislation over the COVIDSafe app data, Catherine, but maybe you can tell me. My understanding was there's a quite poorly defined kind of open option to use de-identified data for research, and it seems to me overwhelmingly likely that the list of people's contacts, particularly if it comes with timing information and how many people you were close to at a point in time and how long you were close to them and so forth, is highly likely to be identifiable even if it has the name stripped off. So I'm concerned that that is one of the loopholes in the protections of this data.

I can answer that question.

Yes, please.

That was, earlier on, one of the issues, that there was a more open-ended reference to de-identified data falling outside of the definition of COVID app data. Not so in the final legislation. In the final legislation there was quite a restricted permitted purpose of de-identified data, for the purposes of creating a total number of registrations and reporting on that, and that was the only type of de-identified data that was excluded from the definition of COVID app data. They need to go one step further and recognise in the deletion section that the exemption that they give to de-identified data is also restricted to that narrow purpose, which they haven't
done yet, but at least that's a lot of progress from the initial position which you're referring to, of just this more nebulous exemption of de-identified data, which nobody would be able to feel comfortable with.

So that's actually, I mean, that actually does give credence to the idea that this is the most protected data. I mean, there may end up being no data, data, data, there may end up being no data at all, because we're going to switch to the Google and Apple protocol, but the fact that that's the first time that is actually being legislated, and it's been acknowledged in legislation that de-identification doesn't just mean that the other protections don't apply, that actually is pretty significant. That could have a continuing value as a precedent. So I'd like to finish with a question from Damien Clifford. So Damien's question is essentially that he points out that in Europe when you're thinking about using personal data, can't say it consistently, there's just a random number operator in my brain that decides whether I'm going to say data or data next time, so in Europe when you're deciding whether to use personal data you can appeal to an individual consent legitimation or you can appeal to a public interest legitimation. And I think that if you look at the recent work over the last 10 to 15 years on how to, I guess, update privacy thinking in the light of big data, there's been a really almost, I would say, now universal move away from the privacy self-management model, the idea that notice and consent is sufficient. Anybody who clicked through on any number of cookie notifications without reading at all and who just is sick of the whole thing by now would recognize this. Also, you know, with something like COVIDSafe, many of the risks are not necessarily individual risks, they're sort of collective risks. Many of the benefits are obviously collective benefits. It's a collective action problem. You know, you need everybody to do
it, but you personally, you're going to be made better off if everybody else has the app and you don't. Then you get all the benefits but you don't get any of the costs. So that's the definition of a collective action problem. So Damien's question then is, are we making a message, a discussion around consent generally in the context of COVIDSafe, by suggesting that large-scale public uses of data can never be legitimized by consent, as opposed to thinking about the public interest generally? Okay, so Mary has to go because she's got another call to go on to. Thank you very much, Mary. Thanks very much everyone. It was great to have you.

Okay, so for the rest of you: when you're thinking about this, what prominence do you think should be given to individual consent versus the public interest? And maybe you could each use this as an opportunity to just sort of give your closing thoughts. So Catherine, would you mind starting?

Yes, I think here there's a fundamental difference between our approach to privacy law in Australia and the approach in jurisdictions like the EU, where there is the recognition of legitimate interest as an alternative basis to consent as a justification for dealing with somebody's personal data, and it's not a justification that can translate easily to Australia, for this reason: in the EU, where you can say that I don't have this person's consent but I'm relying on the legitimate interest justification, you then have to go through the process of balancing the legitimate interest against that person's fundamental right to privacy, as I was speaking about earlier, and then working out that question of the necessity and the proportionality and so forth. We don't have a fundamental right to privacy in Australia where we could then create a similar legal test to that which exists in the EU. At the moment there is no way that we could directly adopt the same kind of justification. So in Australia there tends to be
more reliance on consent, and yet currently under our privacy laws that consent can even be implied consent. It's just that you have a privacy policy and therefore it's implied that somebody's agreed to that. So really in a lot of ways Australia's privacy law has got to catch up, and if we want to be able to look at those alternative justifications it would require major changes to our framework for data privacy regulation. We're not close to that yet. My final thoughts would be, when we're talking about that possibility of the gapl approach, there's clearly some problems with us allowing these companies with their private economic power to determine the standards for us when these are clearly not elected bodies, and at the same time we have the problem that the Australian government can't be held to account in the same way as in other countries if they subsequently pass a law that degrades our privacy in a way that's not reasonable, not necessary and proportionate having regard to our fundamental right to privacy, because we don't have that same fundamental right to privacy as other jurisdictions. So the government may need to move further in the direction of Google and Apple.

That's great, thank you. James, do you have any last thoughts?

I'm trying to summarize my thoughts. I mean, around the privacy expert, I mean, I guess you've got this sort of public health imperative versus individual kind of rights situation, and I think it's hard to say what that is at the moment. In a sense, in Australia now we have very few cases and we don't actually feel particularly at risk of the COVID expansion right now, so I think in a sense you could argue it's time to be kind of cautious. Also that the data from the app will actually be of very little use right now, in terms of, we've got so few cases we learn about. So to me the value in the data, from a public
health point of view, isn't really about the individual aspects of it, it's more the statistical properties of aggregation of this that could be useful in terms of advancing our understanding of control and also the transmission. And I guess control's the thing that you could say is a public health imperative. The transmission stuff's probably more fun for us modelers but may actually not necessarily advance our public health measures so much. So, I mean, I have no expertise in terms of the decisions that Apple and so on have made. I mean, to me it seems a little prissy of them to determine these sorts of technologies when they are collecting lots of data on us through other mechanisms and seem quite happy to use that for commercial purposes, but I recognize that in some ways there's differences in terms of how we view it as individual choices. So I suppose I'm a little bit on the fence. I know people have been asking about COVIDSafe. I have no problem saying I've downloaded COVIDSafe, I've got it on my phone. My problem is my phone tends to run out of charge and I sort of leave it in my car and all these sorts of things, so I'm a bad implementer of a technology. So I think there's lots of problems with assuming that apps are going to be a quick technological fix. They're not. They're nowhere near as good as something like a vaccine, which you can kind of go to the doctor once, get immunized and you're protected, right? The app is so much less useful than something like that.

Yeah, I agree. I mean, I think one of the things that's really striking me about this, so on the one hand there's the fact that ultimately the decision as to what approach we're going to take to weighing public health and privacy has been taken by detectives at Google and Apple who aren't accountable to us through any kind of democratic process. They've done so in a way that I think has been genuinely kind of well
intentioned, and they've tried to sort of follow them all reasons for a good part. I generally believe that the people who have arranged this collaboration did so for the right motivations. I also think the one thing that we haven't mentioned that's really important is that they are to some degree required to sort of apply a lowest common denominator to what they apply, because ultimately if they wanted to give a sort of an exemption because they trusted Australia with more data, then how would they prevent a country that they didn't have so much confidence invest in their and institutions, and, you know, up the scale to those countries that can be even better trusted with public data than Australia, which is obviously many. So I think one of the challenges they face is that they wanted to roll out something that would kind of work for everybody and avoid them having to kind of pick champions. That just to me again illustrates the fact that, you know, things needn't be that case. We could have a great deal more kind of national sovereignty over our technological infrastructure. It's something that is perfectly achievable. It's again an indicator of the political side of this. The other dimension, I think, is, it's super interesting to me that we just can't know a bunch of this stuff, and there's information that we can't have but that the tech companies can have in regard to this, and I think that that sort of inequality in information is itself as important as inequality in power. But for the last words I'd like to go to Vanessa. Vanessa, what are your concluding thoughts?

There's so much to answer in the last few minutes. First of all, I don't think our government is doing a great job of democratic or privacy-respecting processes here. So we haven't had, it's all very well, I sort of agree in principle that it's not nice for tech companies to be making these decisions. On the
other hand the citizenry hasn't had a good chance to make decisions about this. We haven't had coherent messaging about what the app is doing. We haven't had a genuine debate about whether we should switch to a decentralized model. We haven't even had basic accurate communication about what data the app collects and uploads. For example, the reason that a lot of Australians think that it only retains contacts of more than 15 minutes and less than one and a half meters is because that's what it says in the FAQ on the app, but it's completely untrue. It logs everything. So although I sort of agree that it doesn't feel nice to have the tech companies protecting the citizens from data invasion by our own government, and that's all back to front and wrong, on the other hand I don't think that allowing the elected authority to grab whatever data they like is necessarily a good idea. I'd be much happier with that if we had a much more robust democratic process here and much more coherent messaging. We don't even know what's in the encrypted pings that COVIDSafe encourages us to send out constantly, right? We know what they are in Singapore, we know what they are in the UK; in Australia we haven't got a clue. So I think in the discussion between our centralized and our decentralized model what we have is one of these absolutely fundamental political questions, not about public health versus individual privacy but about centralized authority versus individual agency. So I've heard Meru, it's sad that Meru isn't here anymore, but she spoke up I think very articulately and very confidently for the opportunities associated with a benevolent, trustworthy, well-functioning and trusted central authority, and if that was exactly what we had then that would be great. But at least some number of Australians, including me, experienced the downside of central information aggregation. The decentralized model emphasizes the risk in the case that that
authority might be incompetent, that their server might go down, that they might leak the data, that they might post it on the web in do i don't have hard form without realizing how easily identifiable it is. The decentralized model emphasizes individual agency against the risk that the central authority malfunctions. So this fundamental political question is not going to go away and we're not going to get a quick answer this afternoon.

And I think that's what we've got. I mean, I think the ideal would be if you could have the decentralized architecture that was then sharing the data solely with the health authority, so the state and territory health authorities, and then that could be protected from the federal government entirely. I think that's probably where I would land as a preferred model. I know that's not probably where you would land either.

I'd land with opt-in individual sharing.

Yeah, yeah. Okay, look, so I don't have to do that thing at the end of the Zoom call where you awkwardly try and figure out how to end it on the screen, which we've all been doing a hundred times over the last few months. Thank you all so much. Yeah, I know, but that's the word either click and then the click, that's Shally telling me how to do it. So thank you all so much, that was really interesting. So for those of you who are still on, we're going to put up some resources on the HMI Twitter feed. We'll link to the video as soon as it goes out. Thank you to Shally Adamsen for organizing this and to Lisa Crocker from the Academy of Science. Thank you to the Academy of Science for their co-sponsorship and their helping with the publicity. That's all we have. Thanks very much everybody, it was great talking to you, and let's see what happens next.

Thanks for having us.