
2020.04.27

Australia's COVIDSafe contact-tracing app now appears to be available for download!! (but registration is not yet possible?)

Hello, this is Mitsuhiko Maruyama.

Australia's COVIDSafe app has apparently become available for download, but the article says that registration is not yet possible. The app itself seems to be based on Singapore's TraceTogether...

Australian Government Department of Health

COVIDSafe app
The COVIDSafe app speeds up contacting people exposed to coronavirus (COVID-19). This helps us support and protect you, your friends and family.

・2020.04.25 COVIDSafe app FAQs - [PDF] [Word]

・2020.04.26 COVIDSafe Privacy Policy

・2020.04.25 Privacy Impact Assessment Report - [PDF]

Assessment items

01. APP 01 - Open and transparent management of personal information
02. APP 02 - Anonymity and pseudonymity
03. APP 03 - Collection of solicited personal information
04. APP 04 - Dealing with unsolicited personal information
05. APP 05 - Notification of the collection of personal information
06. APP 06 - Use or disclosure of personal information
07. APP 07 - Direct marketing
08. APP 08 - Cross-border disclosure of personal information
09. APP 09 - Adoption, use or disclosure of government related identifiers
10. APP 10 - Quality of personal information
11. APP 11 - Security of personal information
12. APP 12 - Access to personal information
13. APP 13 - Correction of personal information

Recommendations

01 Make the PIA report and App source code publicly available
02 Future changes to the App
03 Appropriate legislative framework
04 App screens displayed to the User
05 Clarify collection of age
06 Consent from Users
07 App Privacy Policy
08 Form on the App to request access to and correction of information
09 Communication materials for the public and potential Users
10 Further assurances by Health about access to and use of the Registration Information in the National COVIDSafe Data Store
11 Development of training and/or scripts
12 Contractual or other arrangements with State and Territory public health authorities
13 Notify Users that they can register with a pseudonym
14 Security arrangements
15 Application of the Archives Act 1983
16 Confirmation of arrangements with AWS
17 Ensure ICT contracts and arrangements are properly documented and contain appropriate contractual or other protections
18 Number of Digital Handshakes
19 Consent process for Child Users


ZDNet
・2020.04.26 06:55 GMT COVIDSafe: Australia's new trace tracking app is now live, but registration isn't by

The app, which has been described as a 'digital handshake' by the Australian government, is not letting users register.


The Guardian
・2020.04.27 05:00 BMT Covidsafe app: how to download Australia's coronavirus contact tracing app and how it works by


<Addendum 2020.04.28 11:35>

Forbes
・2020.04.27 This Is The Contact Tracing Worry Even Apple And Google Can’t Resolve by Zak Doffman

If a country of 25 million people needs 60% of the population to use the app, then at least 15 million people have to download it. If only 75% of those who download it actually use it, then 20 million people have to download it... in other words, 80% of the population. If Japan's population is 120 million, roughly 100 million people would need to download it... Even if 60% of them downloaded it, that would be 72 million downloads...

-----

“Well done, Australia,” the country’s prime minister tweeted early on April 27. “We’ve just passed 2 million downloads for COVIDSafe.” The Bluetooth contact-tracing app had gone live the evening before—the first million installs had been recorded within just five hours, the second million a few hours later. The issue, though, is that Australia—a country of some 25 million people—needs between 10 and 15 million of them to install COVIDSafe, to use it, and to keep using it.

-----


-----

Contents

Part A EXECUTIVE SUMMARY
1. Introduction
2. This PIA process
3. Summary of findings
4. Recommendations

Part B METHODOLOGY AND ASSUMPTIONS
5. Our methodology
6. Assumptions and qualifications

Part C PROJECT DESCRIPTION AND INFORMATION FLOWS
7. Why is the App being developed?
8. How will the App work?
9. Analysis of personal information, sensitive information and health information
10. Analysis of collections of personal information
11. Information flows

Part D APP COMPLIANCE
1. APP 1 – open and transparent management of personal information
2. APP 2 – anonymity and pseudonymity
3. APP 3 – collection of solicited personal information
4. APP 4 – dealing with unsolicited personal information
5. APP 5 – notification of the collection of personal information
6. APP 6 – use or disclosure of personal information
7. APP 7 – direct marketing
8. APP 8 – cross-border disclosure of personal information
9. APP 9 – adoption, use or disclosure of government related identifiers
10. APP 10 – quality of personal information
11. APP 11 – security of personal information
12. APP 12 – access to personal information
13. APP 13 – correction of personal information

Part E GLOSSARY
Attachment 1 Diagram of information flows

-----

There are as many as 19 Recommendations...


Recommendation 1 Make PIA report and App source code publicly available

To increase public trust and confidence in the App, we recommend that Health consider publishing this PIA report. Health could also consider making the source code for the App publicly available, to allow for independent analysis and consideration.

Recommendation 2 Future changes to the App

We have undertaken our analysis on the basis of the development of the App as at the time of this report. As the design of the App evolves, or if there are likely to be changes to any of the information flows discussed in this PIA report, we recommend that Health continue to carefully consider privacy impacts of those changes, including through a supplementary PIA process to update or supplement this report as required by the APP Code.

This will also enhance protections against the risk of “function creep”, where information which is collected for one purpose starts to be used for another purpose which was not originally anticipated.

Recommendation 3 Appropriate legislative framework

We recommend that Health continue to consider and investigate the legislative options in relation to the collection, use, disclosure, and deletion, of personal information in connection with the App (including the appropriate restrictions to be placed on Commonwealth departments and agencies, and States and Territories (which includes the relevant health authorities, Public Health Officials, and Contact Tracers) or any other relevant entities).

This may include consulting with the AGD, OAIC and other stakeholders to determine whether it would be appropriate to consult with the States and Territories about whether the relevant State and Territory health authorities should be prescribed as organisations for the purposes of the Privacy Act.

We also recommend that Health continue to seek advice, including through consultation with AGD, the OAIC and the AHRC as appropriate, as to whether there are additional legislative or other measures that could be put in place to protect rights of individuals who decide not to use the App (for example, circumstances in which a particular individual does feel pressured to download the App (e.g. a supermarket insisting on customers showing that they are using the App before being permitted to enter the store; or an employer insisting that their employees demonstrate that they are using the App before being permitted to start or continue work) may constitute a breach of human rights).

We understand that work has already commenced on a legislative framework, which has been undertaken in parallel with our PIA process, with the intent of strengthening privacy protections for Users. While this framework has not been finalised as at the date of this PIA, we understand that there is an intention to make it clear that data collected through the App will only be used for purposes associated with contact tracing or administering the App. We recommend that this work continue, and be finalised before release of the App.

Recommendation 4 App screens displayed to the User

We recommend that Health ensure that the sequencing of screens displayed to the User when registering to use the App, and when they are asked for consideration to upload their Digital Handshake information, is such that the User is provided with information about the handling of their personal information before they are asked to provide consent.

We also recommend that Health consider whether information should be included on the App about what to do if a User feels they have been pressured into using the App (e.g. it could be included in the App Privacy Policy), unless a legislative framework is introduced to address this risk.

Recommendation 5 Clarify collection of age

We recommend that Health consider undertaking further consultation as required about whether it should change the proposed design of the App so that only an age range of the User is collected through the App. If there is no clear medical reason for collecting the precise age, using an age range would enhance compliance with APP 3, and have the additional benefits of being consistent with the data minimisation principle, and further reduce risks of more precise personal information being disclosed if there was to be a data breach.

Recommendation 6 Consent from Users

We recommend that Health ensure that the App seeks consent from Users at two different points – an initial notice which is provided to individuals before they agree to their Registration Information being uploaded to the National COVIDSafe Data Store, and a further notice which is provided before they agree to upload the Digital Handshake information on their device to the National COVIDSafe Data Store.

We recommend that the wording for the collection and consent notices displayed on the App be carefully considered to ensure that Users, including Child Users, will understand what they are being asked to consent to, and how their information will be collected, used, disclosed, and deleted. We developed some draft wording for these notices, in conjunction with the Australian Government Solicitor. We recommend this wording be used as the basis for notices included in the App, subject to further refinement as the design of the App is finalised.

We also recommend that Health consider whether it is necessary to impose a time limit on the initial consent obtained in connection with the Registration Information (for example, 6 or 12 months), and ensure that the functionality of the App will require a further consent notice to be displayed to the User after this time period, which must be accepted to allow further use of the App.

Recommendation 7 App Privacy Policy

We recommend that Health ensure that a specific privacy policy for the App is developed and clearly available to Users of the App.

We developed some draft wording for the App Privacy Policy, in conjunction with the Australian Government Solicitor. We recommend this wording be used as the basis for the App Privacy Policy, subject to further refinement as the design of the App is finalised.

The App Privacy Policy could also be displayed on Health’s website.

Recommendation 8 Form on the App to request access and correction of information

We recommend that Health consider whether processes could, unless access and correction is otherwise covered by a legislative framework for the App, be adopted to make it easier for Users to make requests to access and/or correct their personal information held in the National COVIDSafe Data Store (e.g. an e-form accessible from the App).

Recommendation 9 Communication materials for the public and potential Users

We recommend that Health develop and publish a range of communication materials so that the general public, and potential Users, are provided with as broad a range of information about the App and the National COVIDSafe Data Store as possible. Such information could include:

  • answers to frequently asked questions;
  • summary information about this PIA report;
  • information about the voluntary nature of the App, and that no-one should pressure an individual to download or use the App; and
  • information about any legislative framework which is put in place to govern the operation of the App.

This would assist in building community understanding and acceptance for the App, particularly if such material explains why the App has been developed, its function and purposes, how it works (including where information will be stored), what it collects, what information will be used by States and Territories, how the information can be deleted or will be retained, and the App’s security features. It will also be important to emphasise the voluntary nature of the App, with the consent requirements, and the User’s ability to not proceed at any stage or to delete the App.

Recommendation 10 Further assurances by Health about access to and use of the Registration Information in the National COVIDSafe Data Store

To further alleviate potential community concerns associated with the use of the App, we recommend that (unless a suitable legislative framework is put in place) Health consider taking additional steps to alleviate concerns that the Registration Information will be used in ways other than those contemplated in this PIA report. This could include taking steps, including:

  • to ensure that it will not be possible to generate Unique ID Reports which use the Registration Information of Users to identify individual Users who are using the App (and/or individual Users who have downloaded but are not using the App);
  • to ensure that it will not be possible, either for the Australian Government or State and Territory governments (through their Public Health Officials or Contact Tracers), to access Registration Information of a User before they have tested positive for COVID-19, or have been identified as a Contact User for someone who has tested positive; and
  • making public commitments that Registration Information will not be used in these ways (e.g. as part of a publishing a frequently asked questions document on its website when implementing Recommendation 9), and the voluntary nature of the App, and about the security protections that have been put in place in relation to the App and the National COVIDSafe Data Store (without providing information that would pose an additional security risk).

Recommendation 11 Development of training and/or scripts

We recommend that Health consider developing training and/or scripts for Public Health Officials and Contact Tracers in connection with the App.

Such a script could include guidance about:

  • how to ask Positive Users to use their mobile phone number in the App to send them an SMS message to upload their data, which clearly asks for permission to enter their mobile phone number into the National COVIDSafe Data Store in order to generate and send the SMS message to the Positive User; and
  • how Public Health Officials and Contact Tracers should deal with Child Users, including those who need to be contacted as a result of an upload of Digital Handshakes from a Positive User (e.g. to ensure they speak to the Child User’s parent/guardian, before proceeding further with the contact tracing procedures).

Further, training could include providing:

  • guidance to Contact Tracers of the limitations of the quality of the information in the National COVIDSafe Data Store when undertaking contact tracing procedures; and
  • appropriate security training (including privacy briefings) before Public Health Officials and Contact Tracers are granted access to the National COVIDSafe Data Store.

Recommendation 12 Contractual or other arrangements with State and Territory public health authorities

Whilst Health will not have effective control over the information once it has been disclosed to Contact Tracers, we recommend that Health ensure that it has contractual or other administrative arrangements in place with the State and Territory public health authorities responsible for contact tracing.

These arrangements should contain terms and conditions for access to, and use and disclosure of information obtained from, the National COVIDSafe Data Store, including to require that State and Territory public health authorities:

  • only access, use and disclose personal information for the purposes contemplated in this PIA;
  • ensure that agreed processes (including any developed “scripts”) are used by Public Health Officials and Contact Tracers when contacting Positive Users and Contact Users; and
  • ensure appropriate security arrangements are in place for any personal information obtained from the National COVIDSafe Data Store which is held by the Public Health Officials or Contact Tracers, that such information is deleted, de-identified or not further used after the time of the decommissioning of the National COVIDSafe Data Store, and that it may not be transferred, stored or accessed from outside of Australia.

Such obligations would need to be consistent with any legislative framework that is put in place in respect of the App.

Further, we recommend that each time a Contact Tracer accesses the National COVIDSafe Data Store, they be required to agree to terms and conditions of use, which clearly set out the limited ways in which Contact Tracers are permitted to use, access and disclose information stored on the National COVIDSafe Data Store.

Ideally, State and Territory public health authorities should also be required to comply with the Privacy Act as if they were an APP entity. Such arrangements would assist in providing Users with additional privacy protections, including to ensure that all Users are afforded the same protections across all jurisdictions.

Recommendation 13 Notify Users they can register with a pseudonym

We recommend that Health clearly and expressly notifies Users, before registering for use of the App, that they may, when providing their Registration Information, use a pseudonym (for example, a note under the name field could be included to clarify that the User can give a “fake name”). Further, we recommend that Health, in its notices provided to Users when seeking consent, and/or in the App Privacy Policy, should indicate that Users may use a pseudonym.

Recommendation 14 Security arrangements

We recommend that Health, if it has not already done so, seek independent assurance from security experts (including as appropriate, the Australian Signals Directorate and the Australian Cybersecurity Centre), to provide additional testing and assurance that the security arrangements for the App and the National COVIDSafe Data Store, and the use of information in it, are appropriate. We also recommend that this assurance be made publicly available (without providing any information that would pose an additional security risk).

Further, we recommend that Health undertake appropriate planning, and ensure that appropriate arrangements are in place, so that steps can be taken immediately to minimise the effect of any data breach, and an efficient and effective investigation process is undertaken as soon as possible. We note that this may involve ensuring that appropriate contractual (or administrative) provisions are included in the AWS Contract, the memorandum of understanding (MOU) arrangements with DTA and the contractual or other arrangements with the State and Territory agencies.

We also recommend that Health consider whether:

  • Bluetooth technology is the most appropriate available technology to use for the App; and
  • there are additional technological solutions or strategies that could be used to avoid the need to advise Users to have the App unlocked on their device.

Recommendation 15 Application of the Archives Act 1983 (Cth)

Unless it will be otherwise dealt with by a legislative framework, we recommend that Health promptly, and before the finalisation of the App Privacy Policy and the notices that will be provided to Users when seeking consent (see Recommendation 6 and Recommendation 7), seek advice (including consultation with the National Archives of Australia as appropriate):

  • as to whether the personal information in the National COVIDSafe Data Store will be subject to the Archives Act;
  • if so, whether the records will be able to be deleted or de-identified after the personal information in the National COVIDSafe Data Store is no longer required (for example, it may be necessary to determine whether a records disposal authority should be obtained in advance of the release of the App, or other legislative action taken, to enable deletion or de-identification of the personal information as required); and
  • whether retention of the records is required by any other law or legal requirement (e.g. if a complaint or legal action was brought by a User after decommissioning of the National COVIDSafe Data Store).

Recommendation 16 Confirmation of arrangements with AWS

We recommend that Health take steps to investigate and confirm the arrangements in relation to the role of AWS. This could be through Health undertaking a review of the AWS Contract, or ensuring that relevant provisions are included in appropriate arrangements between DTA and Health (such as an MOU or other suitable administrative arrangements). We recommend that Health investigate the nature of the services being undertaken by AWS (i.e. limited to infrastructure support services and not data analysis services) and that the AWS Contract contains:

  • detailed functional and non-functional requirements for the App and the National COVIDSafe Data Store infrastructure;
  • detailed security requirements about the storage of information in the App and on the National COVIDSafe Data Store infrastructure, including encryption requirements, and obligations on AWS in relation to security, confidentiality and privacy requirements;
  • detailed support requirements, which limit access to the National COVIDSafe Data Store to AWS’ authorised support personnel who need that access for the purposes of providing the contracted support;
  • in accordance with provisions which are commonly found in contracts for provision of cloud-based infrastructure, requirements under which:
      ◦ AWS is not responsible for the management of data content stored in the National COVIDSafe Data Store;
      ◦ the Commonwealth of Australia (acting through DTA) is given the necessary rights and powers to control access to, change, or retrieve, the information in the National COVIDSafe Data Store, so as to reflect that the Commonwealth and not AWS has effective control of the information, and how it is handled by AWS; and
      ◦ AWS will allow the Commonwealth to remove data content stored in the National COVIDSafe Data Store after the end of the AWS Contract, after which time it will be deleted if not removed;
  • detailed subcontractor requirements, such that AWS is required to ensure that any obligations imposed upon AWS are also imposed upon any of AWS’ subcontractors and/or its service providers;
  • detailed access to information requirements, so that if a User is entitled to request access to, or correction of, their personal information and Health needs to ask DTA to obtain the information (through AWS) from the National COVIDSafe Data Store, AWS must provide the required information to DTA (which will, if Recommendation 17 is implemented, be required to be provided to Health); and
  • detailed requirements, so that no information from the National COVIDSafe Data Store is:
      ◦ taken outside Australia, or accessed from or stored outside of Australia, without the prior written consent of Health; or
      ◦ transferred outside of the National COVIDSafe Data Store (e.g. to other parts of the AWS’ infrastructure environment).

Recommendation 17 Ensure ICT contracts and arrangements are properly documented, and contain appropriate contractual or other protections

Our analysis has been conducted on the basis that both Health and DTA intend that DTA will provide the infrastructure on which the collected information will be stored as a service provider to Health, and that Health will be the data custodian of the collected information. Accordingly, we recommend that appropriate MOU or other arrangements are documented between DTA and Health which, amongst other things:

  • establish Health as the data custodian of the information collected using the App;
  • clarify that the relevant infrastructure will be provided as a service by DTA to Health;
  • confirm that the AWS Contract contains the matters specified in Recommendation 16;
  • clarify DTA’s role in providing the relevant infrastructure (through its contractor AWS) as a service by DTA to Health [1];
  • provide Health with the rights of access to and control of the stored information on the DTA infrastructure;
  • place appropriate limits on DTA’s access to and use of the stored information;
  • impose appropriate security requirements;
  • set out the processes for Health to request, and receive, information from DTA (and AWS) if a User requests access to, or correction of, their personal information held in the National COVIDSafe Data Store; and
  • ensure the DTA’s subcontractors are required to comply with the above requirements.

We also recommend that Health ensure that all contractual arrangements with relevant ICT and other service providers, who may have access to collected personal information in order to provide services under that contract, include suitable privacy requirements, and appropriate security clauses that require protection of the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

[1] An alternative might be for Health to administer the AWS Contract on behalf of the Commonwealth instead of DTA (with appropriate arrangements made for payments to AWS under the Contract), but given DTA’s integral role in developing and supporting the App and National COVIDSafe Data Store, this may not be practical.

Recommendation 18 Number of Digital Handshakes

We recommend that:

  • Health investigate whether it is technologically possible to only record Digital Handshakes if they meet risk parameters, set on the basis of medical advice about the risks of exposure to COVID-19 (i.e. so that the minimum amount of information required for contact tracing is collected from Users); or
  • if this is not possible, whether it is technologically possible to only upload Digital Handshakes if they meet those risk parameters; or
  • if this is not possible, whether it is technologically possible for the National COVIDSafe Data Store to, once Digital Handshakes are uploaded, automatically delete (or de-identify if deletion is not possible) any Digital Handshakes that do not meet those risk parameters; or
  • if this is not possible, access to the Digital Handshakes stored in the National COVIDSafe Data Store be limited to those Digital Handshakes which meet those risk parameters.

Recommendation 19 Consent process for Child Users

We recommend that Health further consider the processes in the App if a User is a Child User. For example, Health should consider whether there could be a more robust process to ensure that informed consent is obtained from an adult responsible for the Child User. For example, a “verified consent” process would assist in strengthening the likelihood that an adult responsible for the Child User has provided their consent. The Child User could also be presented with an option to click if they do not have their parent/guardian’s consent, which results in a message to then uninstall the App.
