Australia’s spy agencies caught collecting COVID-19 app data

Australia’s intelligence agencies have been caught “incidentally” collecting data from the country’s COVIDSafe contact-tracing app during the first six months of its launch, a government watchdog has found.

The report, published Monday by the Australian government’s inspector general for the intelligence community, which oversees the government’s spy and eavesdropping agencies, said the app data was scooped up “in the course of the lawful collection of other data.”

But the watchdog said that there was “no evidence” that any agency “decrypted, accessed or used any COVID app data.”

Incidental collection is a common term used by spies to describe the data that was not deliberately targeted but collected as part of a wider collection effort. This kind of collection isn’t accidental, but more of a consequence of when spy agencies tap into fiber optic cables, for example, which carries an enormous firehose of data. An Australian government spokesperson told one outlet, which first reported the news, that incidental collection can also happen as a result of the “execution of warrants.”

The report did not say when the incidental collection stopped, but noted that the agencies were “taking active steps to ensure compliance” with the law, and that the data would be “deleted as soon as practicable,” without setting a firm date.

For some, fears that a government spy agency could access COVID-19 contact-tracing data was the worst possible outcome.

Since the start of the COVID-19 pandemic, countries — and states in places like the U.S. — have rushed to build contact-tracing apps to help prevent the spread of the virus. But these apps vary wildly in terms of functionality and privacy.

Most have adopted the more privacy-friendly approach of using Bluetooth to trace people with the virus with which you may have come into contact. Many have chosen to implement the Apple-Google system, which hundreds of academics have backed. But others, like Israel and Pakistan, are using more privacy-invasive techniques, like tracking location data, which governments can also use to monitor a person’s whereabouts. In Israel’s case, the tracking was so controversial that the courts shut it down.

Australia’s intelligence watchdog did not say specifically what data was collected by the spy agencies. The app uses Bluetooth and not location data, but the app requires the user to upload some personal information — like their name, age, postal code and phone number — to allow the government’s health department to contact those who may have come into contact with an infected person.

Australia has seen more than 27,800 confirmed coronavirus cases and more than 900 deaths since the start of the pandemic.