Under pressure to control spiralling Covid cases in July 2020, the Victorian government sent contact tracing data to the Australian Criminal Intelligence Commission in the hope a controversial data mining platform might help identify the source of mystery cases.
Data security experts described the move as “dubious” and “outrageous”.
The platform, Palantir, was founded by US tech billionaire Peter Thiel, one of former US president Donald Trump’s biggest donors in 2016. It has previously attracted criticism over its use by the US military, immigration agencies and spy agencies, and its application in predictive policing systems.
A Victoria department of health spokesperson confirmed that in July 2020 the department investigated using the Palantir platform for a new contact tracing tool.
“A sample set of de-identified mobility data was used to investigate whether the program could achieve what was required, with strict conditions in place about its use, accessibility and destruction,” the spokesperson said.
“The department did not proceed with the program and instead developed an in-house tool, which successfully supported contract tracing throughout the pandemic.”
Dr Suelette Dreyfus, a lecturer and digital security expert with the University of Melbourne’s school of computing and information systems, described the data sharing as “outrageous”.
“That the government kept this information from the Australian public says to me that they knew very well what they were doing was extremely dubious,” she said.
“This data was very private data, and people were told to trust the government with it during a pandemic. People were promised the data would be used for one purpose, and the fact that we have had to find out from the media that this data was in fact sent to the criminal intelligence authority is a shock. People deserved to know about that at the time.”
An ACIC spokesperson confirmed the Victorian department of health sought its assistance “to demonstrate our analytical capabilities to analyse Covid-19 clusters”.
“The data met all legal requirements,” she said.
Guardian Australia understands the agreement with ACIC included strict data protection provisions, including that the data be transferred via a secure portal that only limited staff had access to and that no Palantir cloud storage system was used.
It’s understood data was stored in a separate part of the ACIC server for the sole use of the project, but the data remained health department property, and the contract included provision for destruction of the data at the end of the one-month proof of concept. The Palantir software was installed ‘on-premise’ rather than in remote servers.
Dreyfus said she is concerned that even if the mobility data was destroyed at the end of the project, it is unclear whether additional datasets or analysis were generated during the trial, and what became of those.
“Did any derivative works actually end up identifying individual people? We need to know.
“Palantir software being installed on premise may be useful,” Dreyfus said.
“But was it air gapped? If the Palantir software connected to Palantir databases off premise then there may have been some data matching or data analysis that was done and that Palantir may have collected. We’ve received no assurances that any derivative analyses or databases have been destroyed.
“What the Medibank and Optus data breaches teach us is that it is dangerous to allow companies to gather more data than they need and keep it longer than they need because there is a risk that it may get stolen and used for other purposes.”
after newsletter promotion
Vanessa Teague, a cybersecurity expert and an associate professor with the Australian National University’s research school of computer science, said de-identified mobility data is “a totally unacceptable thing to share” with ACIC and Palantir.
“The idea of de-identified data is an oxymoron,” she said.
“You may not be able to re-identify data by looking at individual data points. For example, thousands of other people might have also been at the MCG with you. But if you also went to the pharmacist on a particular day, and then to the beach on the weekends, the likelihood that others went to all those same places at the same times as you is zero.”
Teague gave the example of the Victorian government release of anonymised data from more than 15 million Myki public transport users in 2018, which University of Melbourne researchers were able to re-identify and match to individuals.
Teague said Victorians who provided data for contact tracing purposes, or who checked in to venues, did so on the premise of “a very strong promise from the government that this data was not going to be used for anything other than contact tracing and notifying people who’d been exposed”.
Dr Megan Prictor, a senior lecturer in health, law and emerging technologies with the University of Melbourne’s law school, said legally if the data was appropriately de-identified then the organisations are not subject to state or commonwealth privacy laws.
“The adequacy of the de-identification is impossible to determine … but as the data were not released publicly, and subject to strict controls, it seems to me to present reasonable use in the context of the state of the pandemic in Victoria in 2020,” she said.
Dr James Scheibner, a law lecturer with Flinders University, said if the database was not located in Australia there might be issues around the cross-border transfer of personal or health information.
He said there are strict restrictions on cross-border transfer, and that this requires either the consent of the individuals included in the dataset or the recipient jurisdiction to offer equivalent data protection to Victoria.
“If the ACIC and the department were purely using this dataset for contact tracing, it is likely that the sharing would be lawful under Victorian legislation,” Scheibner said.
“If it were shared for any other purpose, such as law enforcement, the department would need to rely on the alternative grounds to justify the use and disclosure of personal or health information.”
Sven Bluemmel, the Victorian Information Commissioner, told Guardian Australia that his office was not aware of contact tracing mobility data being sent to ACIC.
“There is always a risk that de-identified data may be re-identified – that risk can never be zero,” Bluemmel said.
“This is particularly the case if de-identified data is shared with third parties who have access to other data sets with which to match the de-identified data, to ascertain individuals’ identities.”
“[The Office of the Victorian Information Commissioner] would expect the Department of Health to ensure that any de-identified contact tracing mobility data provided to ACIC would have travelled with strong protections and governance around who could access it, how it could be used, how it would be stored, for how long it would be retained, and restrictions around the on-sharing of the data.”